Deep Discovery Email Inspector

Customizable approved/blocked list and sensitive settings of ERS in Deep Discovery Email Inspector (DDEI)
DDEI customers may apply for an account via the ERS portal using the AC code of their DDEI gateway license.
QR Code Scan function for SandCastle
SandCastle is one of Trend Micro's engines that helps analyze the files users send in. It analyzes files in multiple ways, including static and dynamic analysis, to correctly detect whether a file is malware. In the static part, it extracts information from the file; for example, if the file is a PDF that contains a QR code, it tries to extract the URL encoded in that QR code. This article provides information about the QR code scan function in SandCastle.
Supported operating systems for Virtual Analyzer in Trend Micro™ Deep Discovery™ Email Inspector (DDEI)
This article lists the operating systems supported by Virtual Analyzer in DDEI.
Deep Discovery product ISO / Hot fix download
This article describes how to download the ISO images and hot fix files for the Deep Discovery products: Deep Discovery Inspector (DDI), Deep Discovery Analyzer (DDAn) and Deep Discovery Email Inspector (DDEI).
Compilation of Best Practices while using Trend Micro products for Business
To ensure optimum protection while using Trend Micro products, our experts have compiled easy-to-follow guides on the recommended product configuration that users and administrators should follow. This article contains a list of the most recent Best Practice Guides for Trend Micro's major products.
Emerging Threat on RANSOM_LOCKY / ZEPTO
Ransom_LOCKY usually arrives via socially engineered spam emails that trick users into clicking the attachment; no exploit is used in the spam. The user has to click the attachment to initiate the infection chain, which has been observed to involve a DOC file whose macro code drops a BAT file when executed. The BAT file in turn drops a VBS file, which downloads the ransomware. The ransomware deletes shadow copies by running vssadmin.exe and adds a run key entry so that it executes at every system start-up; the run key entry lets it continue encrypting files even if it was interrupted during the previous execution. The dropped copy, once executed, attempts to retrieve a unique ID, public key and ransom note from the registry. If it fails to retrieve this information from the registry, it contacts its C&C server to obtain it and saves it to the registry. The public key is used for its RSA encryption.

ZEPTO is known to share technical similarities with LOCKY, from the spam email-based distribution method to the use of RSA encryption keys for locking certain file types. Since LOCKY's discovery in February 2016, it has continued to evolve and to successfully target both individuals and businesses, and it has been used in a number of high-profile ransomware attacks on healthcare facilities. After a binary is downloaded and executed, local files are encrypted and the malware displays a message demanding payment in Bitcoin. The victim receives instruction screens in an .HTML file dropped by the malware, an image file, and a changed desktop background/wallpaper. ZEPTO appears to be gaining traction because of its efficient attack vector, a widespread spam campaign, whereas most ransomware is delivered via other vectors.
Antispam Pattern

LAYER   | DETAIL                           | PATTERN VERSION | Release Date
--------|----------------------------------|-----------------|-------------
DYNAMIC | Spam Mail with attached document | AS 2146         | 2/21/2016

VSAPI Pattern (Malicious File Detection)

LAYER     | DETECTION          | PATTERN VERSION | Release Date
----------|--------------------|-----------------|-------------
INFECTION | HB_LOCKYJ          | ENT 12.393.00   | 3/9/2016
INFECTION | HB_LOCKYM          | ENT 12.407.00   | 3/15/2016
INFECTION | Ransom_LOCKY.SM    | ENT 12.359.00   | 2/24/2016
INFECTION | Ransom_LOCKY.SM0   | ENT 12.359.00   | 2/24/2016
INFECTION | Ransom_LOCKY.SM1   | ENT 12.361.00   | 2/25/2016
INFECTION | Ransom_LOCKY.SM2   | ENT 12.361.00   | 2/25/2016
INFECTION | W2KM_LOCKY.A       | ENT 12.349.00   | 2/17/2016
INFECTION | X2KM_LOCKY.A       | ENT 12.351.00   | 2/18/2016
INFECTION | JS_LOCKY.A         | ENT 12.353.00   | 2/18/2016
INFECTION | RANSOM_LOCKY.DLDSW | ENT 12.637.00   | 7/8/2016

WRS Pattern (Malicious URL and Classification)

LAYER     | URL                                                              | CATEGORY         | Blocking Date
----------|------------------------------------------------------------------|------------------|--------------
INFECTION | ecoledecorroy{blocked}.be/1/1.exe                                | Virus Accomplice | 2/19/2016
INFECTION | ratgeber-beziehung{blocked}.de/5/5.exe                           | Virus Accomplice | 2/19/2016
INFECTION | luigicalabrese{blocked}.it/7/7.exe                               | Virus Accomplice | 2/19/2016
INFECTION | animar{blocked}.net.pl/3/3.exe                                   | Virus Accomplice | 2/19/2016
CLEAN-UP  | sso{blocked}.anbtr.com/domain/kqlxtqptsmys.in                    | Ransomware       | 2/20/2016
CLEAN-UP  | xsso{blocked}.kqlxtqptsmys.in/c43344d5351f579349b5f90e1a038859   | Ransomware       | 2/20/2016
CLEAN-UP  | pvwinlrmwvccuo{blocked}.eu/main.php                              | Ransomware       | 2/19/2016
CLEAN-UP  | wblejsfob{blocked}.pw                                            | Ransomware       | 2/20/2016
CLEAN-UP  | kqlxtqptsmys{blocked}.in                                         | Ransomware       | 2/20/2016
CLEAN-UP  | xsso{blocked}.kqlxtqptsmys.in                                    | Ransomware       | 2/20/2016
CLEAN-UP  | cgavqeodnop{blocked}.it                                          | Ransomware       | 2/20/2016
CLEAN-UP  | pvwinlrmwvccuo{blocked}.eu                                       | Ransomware       | 2/20/2016
CLEAN-UP  | kvm17915{blocked}.hv9.ru                                         | Ransomware       | 2/20/2016
CLEAN-UP  | kqlxtqptsmys{blocked}.in/main.php                                | Ransomware       | 2/20/2016
CLEAN-UP  | mondero{blocked}.ru/system/logs/56y4g45gh45h                     | Disease Vector   | 2/19/2016
CLEAN-UP  | pvwinlrmwvccuo{blocked}.eu/main.php                              | Ransomware       | 2/20/2016
CLEAN-UP  | tcpos.com{blocked}.vn/system/logs/56y4g45gh45h                   | Ransomware       | 2/20/2016
CLEAN-UP  | www{blocked}.bag-online.com/system/logs/56y4g45gh45h             | Ransomware       | 2/20/2016
CLEAN-UP  | 31{blocked}.41.47.37/main.php                                    | Ransomware       | 2/20/2016
CLEAN-UP  | 188{blocked}.138.88.184/main.php                                 | Ransomware       | 2/20/2016
CLEAN-UP  | 95{blocked}181.171.58                                            | C&C server       | 2/19/2016
CLEAN-UP  | 185{blocked}.14.30.97                                            | C&C server       | 2/27/2016
CLEAN-UP  | 109{blocked}.234.38.35                                           | Disease Vector   | 2/19/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYER   | DETECTION | PATTERN VERSION | Release Date
--------|-----------|-----------------|-------------
DYNAMIC | 1981T     | TMTD 1526       | 3/23/2016
DYNAMIC | 1981F     | TMTD 1529       | 4/5/2016
DYNAMIC | 1980T     | TMTD 1526       | 3/23/2016
DYNAMIC | 1980F     | TMTD 1529       | 4/5/2016
DYNAMIC | 1856T     | OPR 1483        | 10/6/2015
DYNAMIC | RAN2013T  | OPR 1565        | 7/21/2016
DYNAMIC | RAN4705T  | OPR 1581        | 9/1/2016

DCT Pattern (System Clean Pattern)

LAYER   | DETECTION    | PATTERN VERSION | Release Date
--------|--------------|-----------------|-------------
CLEANUP | TSC_GENCLEAN | Latest DCT OPR  | BUILT-IN

Network Pattern

LAYER   | DETECTION                 | PATTERN VERSION | Release Date
--------|---------------------------|-----------------|-------------
CLEANUP | HTTP_RANSOM_LOCKY_REQUEST | RR 1.10151.00   | 3/15/2016

Make sure to always use the latest pattern available to detect the old and new variants of Ransom_LOCKY / ZEPTO.
Emerging Threat on TSPY_BEBLOH
BEBLOH is spyware that monitors a machine, steals sensitive information and sends the gathered information to a remote server. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It executes the downloaded files, so the malicious routines of those files are exhibited on the affected system. It also gathers information and reports it to its servers.

Antispam Pattern

LAYER    | DETECTION                 | PATTERN VERSION | RELEASE DATE
---------|---------------------------|-----------------|-------------
EXPOSURE | All related email samples | AS1282          | 1/25/2015

VSAPI Pattern (Malicious File Detection)

LAYER     | DETECTION        | PATTERN VERSION | Release Date
----------|------------------|-----------------|-------------
INFECTION | TSPY_BEBLOH.SMM  | OPR 12.409      | 3/17/2016
INFECTION | TSPY_BEBLOH.SMM1 | OPR 12.407      | 3/16/2016
INFECTION | TSPY_BEBLOH.SMM2 | OPR 12.407      | 3/16/2016
INFECTION | Mal_BEBLOH-1     | OPR 12.547      | 5/24/2016
INFECTION | Mal_BEBLOH-2     | OPR 12.547      | 5/24/2016

WRS Pattern (Malicious URL and Classification)

LAYER    | URL                                     | Score          | Blocking Date
---------|-----------------------------------------|----------------|--------------
CLEAN-UP | uswmrmsu1fgdmm{blocked}.net             | C&C            | 3/2/2016
CLEAN-UP | espedidasalacarta{blocked}.com/ontv.exe | Disease Vector | 3/10/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYER   | Detection | Pattern Version | Release Date
--------|-----------|-----------------|--------------------
DYNAMIC | 1933Q     | OPR 1555        | 6/21/2016 (Batch 1)

Network Pattern

LAYER    | Detection             | Pattern Version | Release Date
---------|-----------------------|-----------------|-------------
CLEAN-UP | HTTP_BEBLOH_REQUEST-2 | RR 1.10155.00   | 4/13/2016

Make sure to always use the latest pattern available to detect the old and new variants of TSPY_BEBLOH.
Log4Shell Malware Information
On December 9, 2021, a new critical 0-day vulnerability affecting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed that, if exploited, could result in Remote Code Execution (RCE) on affected installations simply by logging a certain string. This vulnerability has been assigned CVE-2021-44228 and is commonly referred to as "Log4Shell" in various blogs and reports.

CVE-2021-44228 is a Java Naming and Directory Interface (JNDI) injection vulnerability in affected versions of Log4j 2. It can be triggered when a system using an affected version of Log4j 2 includes untrusted data in a logged message. If this data includes a crafted malicious payload, a JNDI lookup is made to a malicious server. Depending on the response sent back, a malicious Java object may be loaded, which could eventually lead to RCE. Additionally, attackers who can control log messages or their parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

AFFECTED SOFTWARE

Apache Struts
Apache Solr
Apache Druid
Apache Flink
ElasticSearch
Flume
Apache Dubbo
Logstash
Kafka
Spring-Boot-starter-log4j2

INFECTION ROUTINE (diagram not reproduced here)

AVAILABLE SOLUTIONS

File Reputation

Detection/Policy/Rules                                                                   | Pattern Branch/Version | Release Date
-----------------------------------------------------------------------------------------|------------------------|-------------
Trojan.Linux.MIRAI.SEMR, Backdoor.Linux.MIRAI.SMF, Backdoor.Linux.MIRAI.SME              | 17.247.00              | 12 Dec 2021
Trojan.SH.CVE20207961.SM                                                                 | 17.247.00              | 13 Dec 2021
Backdoor.Linux.MIRAI.SEMR, Trojan.SH.MIRAI.MKF, Coinminer.Linux.KINSING.D                | 17.248.04              | 13 Dec 2021

Predictive Machine Learning

Detection                  | Pattern Branch/Version
---------------------------|-----------------------
Troj.ELF.TRX.XXELFC1DFF009 | In-the-cloud
Troj.ELF.TRX.XXELFC1DFF012 | In-the-cloud

Behavior Monitoring

Pattern Branch/Version | Release Date
-----------------------|-------------
SEN5985S / TMTD 2565   | 12 Dec 2021

Web Reputation

URL                                     | Category           | Blocking Date
----------------------------------------|--------------------|--------------
URL Protection (Over 1700 URLs blocked) | Malware Accomplice | In-the-cloud

NETWORK PATTERN

Trend Micro Cloud One - Workload Security and Deep Security IPS Rules
- Rule 1011242 - Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
- Rule 1005177 - Restrict Java Bytecode File (Jar/Class) Download
- Rule 1008610 - Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request

Trend Micro Cloud One - Workload Security and Deep Security Log Inspection
- LI Rule 1011241 - Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

Trend Micro Cloud One - Network Security and TippingPoint
- DVToolkit CSW file CVE-2021-44228
- Filter C1000001 : HTTP: JNDI Injection in HTTP Header or URI

Trend Micro Deep Discovery Inspector
Proactive Detection:
- DDI Rule 4280: "HTTP_POSSIBLE_USERAGENT_RCE_EXPLOIT_REQUEST"
Protection Solutions:
Released in NCIP 1.14747.00:
- DDI Rule 4641: "CVE-2021-44228 - OGNL EXPLOIT - HTTP(REQUEST)"
- DDI Rule 4643: "POSSIBLE HTTP BODY OGNL EXPRESSION EXPLOIT - HTTP (REQUEST) - Variant 2" (disabled by default)
Released in NCIP 1.14749.00:
- DDI Rule 4642: "POSSIBLE HTTP HEADER OGNL EXPRESSION EXPLOIT - HTTP(REQUEST)"
Trend Micro Products that utilize Predictive Machine Learning
Trend Micro Predictive Machine Learning uses advanced machine learning technology to correlate threat information and perform in-depth file analysis to detect emerging unknown security risks through digital DNA fingerprinting, API mapping, and other file features. Predictive Machine Learning also performs a behavioral analysis on unknown or low-prevalence processes to determine if an emerging or unknown threat is attempting to infect your network. Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified threats and zero-day attacks.   
Information about Email Reputation Service (ERS)
This article lists some helpful information about Email Reputation Service (ERS).