Trend Micro detects malware posing as Trend Micro component

In a rather worrying finding, Trend Micro has stated in a blog post that it has stumbled upon a Trojan that disguises itself as a Trend Micro component. Posing as a security product is one of the tricks employed by malware writers, and it is treated as potent enough to lure users into downloading and executing the file. Folks at Trend Micro recently came across such a file and noticed something amiss. They acknowledge, though, that for someone not well-versed in the product, the file can easily be mistaken for a genuine Trend Micro product or component. After some analysis, they found that it was indeed a Trojan in disguise, clearly an attempt to trick unsuspecting users into downloading and executing it. The malware is detected as TROJ_RIMECUD.AJL. Once a user executes TROJ_RIMECUD.AJL, it creates a svchost.exe process and injects its malicious code into it. Once done, the malware downloads a component package.

Figure showing file properties of WORM_PALEVO.AMC

This downloaded package contains a bitcoin miner application created by Ufasoft, which Trend Micro detects as HKTL_BITCOINMINE. "Bitcoin is considered digital currency and can be used to pay for certain transactions online. This attack is timely because of the news that Bitcoin Central has been approved by the law to function as a bank where exchange between Euros and Bitcoins is now possible," the post notes.


Trend Micro further narrates that over the past few years there have been cases wherein systems are infected with bitcoin-mining malware, turning them into unwilling "miners". These systems then dole out Bitcoins for the benefit of the bad guys, leaving the affected users in the dark. Not only does this generate profit for the malware's authors, it also consumes a large share of the system's resources. Trend Micro advises that on a sudden slowdown of the system, one should always check the running processes and look for unknown applications, since such slowdowns may be caused by an infection engaged in Bitcoin mining.
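The two observable behaviours described above, a miner that injects itself into a freshly created svchost.exe and then burns CPU, suggest a simple triage check on a Windows host. The script below is an added example, not code from the Trend Micro post: it lists svchost.exe instances whose image path is not the System32 service host, whose parent is not services.exe, or whose accumulated CPU time exceeds a threshold (the threshold value is an assumption to be tuned per host).

```powershell
# Added example (not from the Trend Micro post): flag svchost.exe instances
# that do not look like the legitimate Windows service host. The miner above
# injects into a svchost.exe it creates itself, so even if the image is the
# genuine System32 binary, its parent will be the Trojan rather than
# services.exe. High CPU time is the symptom the article tells users to watch.
# Run from an elevated prompt so the path and parent of every process is readable.
$system32Host = Join-Path $env:SystemRoot 'System32\svchost.exe'
$cpuThreshold = 300   # assumed: seconds of total CPU time; tune for host uptime

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc   = $_
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    # Kernel/user mode times are reported in 100-nanosecond units
    $cpuSeconds = ($proc.KernelModeTime + $proc.UserModeTime) / 1e7

    $reasons = @()
    if ($proc.ExecutablePath -and ($proc.ExecutablePath -ne $system32Host)) {
        $reasons += "image path $($proc.ExecutablePath)"
    }
    if (-not $parent -or $parent.Name -ne 'services.exe') {
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $reasons += "parent $parentName (pid $($proc.ParentProcessId))"
    }
    if ($cpuSeconds -gt $cpuThreshold) {
        $reasons += ('cpu {0:N0}s' -f $cpuSeconds)
    }

    [pscustomobject]@{
        PID        = $proc.ProcessId
        Path       = $proc.ExecutablePath
        Parent     = if ($parent) { $parent.Name } else { '<exited>' }
        CpuSeconds = [math]::Round($cpuSeconds)
        Suspicious = ($reasons -join '; ')
    }
} | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

A flagged entry is a lead for further analysis, not a verdict: a service host with an exited parent or a long-running legitimate service can also trip the parent or CPU checks.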


The only defence is for users to be extra cautious when downloading applications and files found on the Internet. Better yet, they should altogether refrain from visiting unknown websites and from clicking ads or shortened URLs contained in email messages from unverified sources.


A couple of days ago, Trend Micro had reported on hotel booking spam making its way into Indian users' inboxes. As per the infection statistics, 1.89 percent of Indian Internet users have already been affected. The email, purporting to come from one of the hotels, has a theme similar to its English-language counterpart: it contains confirmation and details of an alleged booking reservation. Elaborating further on the malware, Trend Micro shares that Gamarue is a family of malware that may be distributed by exploit kits, spammed emails or other malware, and has been observed stealing information from affected users.


One of Trend Micro's managers received this email at his personal email address and, given that he travels a lot, almost fell for it, until he noticed the address of the hotel. It's too bad the spammers aren't as good at geography as they are at making spam; the hotel does not exist in India. While he was initially looking forward to staying at the hotel, having read the excellent reviews on TripAdvisor, the email made it clear that this was, unfortunately, a scam. Meanwhile, the attachment was already flagged and detected by Trend Micro as BKDR_ANDROM.P.


"A lot of e-commerce websites pay the price of being popular. The online travel and hotel market has become an attractive target for cybercriminals given the large volume of transactions on hotel and online sites. A frequent traveler who has done a hotel booking or checked reviews recently, in all probability, would be prompted to click that mail. When a user clicks the attachment in this spam mail, the malware known as Gamarue becomes active. It can steal from an affected user any information left behind in emails and saved on the user's system," said Suchita Vishnoi, Head, Corporate Communications, Trend Micro.

Published Date: Dec 08, 2012 13:33 PM | Updated Date: Dec 08, 2012 13:33 PM