After my last post about Andromeda different updates related to version 2.07 and 2.08 appeared. Mostly, Fortinet was talking about the version 2.7 features and the new anti-analysis tricks of version 2.08. After that, Kimberly was also mentioning version 2.09 in his blog but I have not seen too many details about the latest versions of Andromeda. This is a summary of the interesting details about the newer versions.
After version 2.08, the parameter used to send the bot version to the panel was removed from the POST request, so now it is a bit more difficult to distinguish between versions. An easy way to spot the different versions is taking a look at the request format strings:
Submitted by jesparza on Fri, 2015/04/17 - 01:47
Just some hours after the bombings during the Boston Marathon we already had several spam campaigns using that subject to infect users. It seems that cybercriminals don't respect anything, did we really expect something different? :p
On the past Wednesday I received four emails talking about the Boston incident. They were really suspicious, just a URL in the body, the URLs had just an IP instead of a good domain...I think someone was in a rush trying to profit from this as soon as possible, while it was still on the news...
The subjects were:
BREAKING - Boston Marathon Explosion
Explosion at the Boston Marathon
Aftermath to explosion at Boston Marathon
Explosions at the Boston Marathon
And the URLs I saw:
These URLs leaded to a simple webpage with six iframes. Five of them pointed to real videos about the tragedy and the other one redirected to a RedKit exploit kit which was trying to exploit a CVE-2012-1723 Java vulnerability (take a look at the vulnerability explanation). Also, a Meta Refresh Tag was leading to this URL:
Submitted by jesparza on Sun, 2013/04/21 - 21:50
Apart of being new or not (I think all of us thought that we were the first ones when really not), the report throws some data about affected banks/users and, the most important, the amounts stolen from each country by the fraudsters: more than 16 million EUR in Italy, almost 13 million EUR in Germany, almost 6 million EUR in Spain and more than 1 million EUR in Netherlands. In summary, more than 36 million EUR in Europe. Taking into account the sad times we are living in, crisis times, it's pretty noteworthy, isn't it?
This report and, above all, these stolen amounts have been quickly published everywhere and are quite widespread, faster than some of the most infamous Trojans. That's why I would like to say some words about the report and these astonishing amounts:
- It's not a new Trojan, not a new customized ZeuS, it's just Citadel. Citadel, but also Tatanga and Feodo. In this botnet were used at least three different Trojans.
Submitted by jesparza on Fri, 2012/12/07 - 19:26
botnet started life in May this year and was taken down by end of September. It has been called Sopelka
because of the path used in the distribution of binaries and configuration files, and was an odd mixture of variants of the known banking trojans Tatanga, Feodo and Citadel.
This botnet’s objective was the collection of banking credentials from European entities, mostly banks from Spain and Germany, but also Holland, Italy and Malta. In addition, it made use of different mobile components for Android, BlackBerry and Symbian phones. Symbian was the first operating system where this type of malicious component emerged two years ago.
During the botnet’s lifetime there were at least five campaigns and it’s likely that more were carried out. Of the five known campaigns, three of them installed variants of Citadel (versions 188.8.131.52 and 184.108.40.206), another Feodo, and Tatanga was the chosen trojan in the other one. All the Citadel campaigns carried the name “sopelka” (a flute type in Russian) in their download paths for binaries and configuration files, but this was not the case with Tatanga and Feodo.
Submitted by jesparza on Wed, 2012/10/17 - 18:00
The subject of the emails detected so far is “ACH transaction canceled” and in the body of the mail there is information about a supposed transaction that has been cancelled. If the victim wants further information then they have to visit a link that contains a report about the transaction:
For a few seconds the victim sees a screen indicating that they must wait. Meanwhile 4 scripts, stored on different domains are loaded into user’s browser. They are little more than simple redirections towards the site where the code (that will attempt to perform the exploitation) resides.
Submitted by jesparza on Tue, 2011/11/29 - 14:02
As I mentioned in the previous post
, just after Source Seattle
some days ago, the ToorCon
(also in Seattle) began. Some speakers took advantage of this to present the same or different presentations at both conferences. Friday the 13th was the opening day, with a small party, but the presentations didn’t begin until the following day. There were thirty talks
in total, each delivered in a 15 minute period of time, with a short break for lunch. It was an entire day of presentations, from 8:30 till 10:30, quite a day!
Submitted by jesparza on Thu, 2011/06/30 - 10:10
This time I've received a nicer e-mail, a woman sending me her CV!! with a picture of her included too!! :) In fact, she has included in the image some words too, a bit strange...
Again the same actors: Oficla and ZeuS. This time not Feodo downloading. Inside the zip file we can find the Oficla sample, with a medium detection rate. It connects with the domain showtimeru.ru (now it's down) to ask for URLs to download more malware:
The server response contained the same URL (active yet) as the DHL campaign, downloading the same version of ZeuS, different MD5.
Beware with women!! they are not trustful!! ;)
Submitted by jesparza on Tue, 2010/11/09 - 01:49
This past month a new DHL campaign has been spreading malware in a zip file. The executable in the zip was identified (with a high detection
rate) as Oficla
by the Antivirus engines. This malicious code, with filename DHL_Etiqueta.exe
, acts as a downloader asking a server the URLs it must use to download the other malicious files. It always uses in the requests the User-Agent Opera\9.64
. These are the requests and responses in this case:
Both of the downloaded files, morph.exe and esmilk.exe, are banking trojans. The former is a sample of Feodo, with a low detection rate (7/41), which downloads the configuration file from a server after sending to it a POST request:
Submitted by jesparza on Wed, 2010/11/03 - 00:55
One month ago David Barroso
visited one online banking user. David extracted one file from his mobile phone and I picked some ZeuS files up from his computer.This was the starting point of the so-called ZeuS MitMo
When ZeuS injects HTML code it usually asks the user for the necessary TANs in order to carry out a fraudulent transaction, but sometimes this information is not enough. Some banks ask for an additional code, sent by SMS, that the user (or criminal) must enter to finish the process. Until that moment this type of authentication (two-factor authentication) was successful, but not since then. This ZeuS gang had modified the configuration files to ask for the mobile phone number too. It's not so strange, but yes using it to commit the fraud. They sent to him an SMS with a link inside, telling the user that he should install that "certificate". When the user installed it, the malicious application
began to monitor all the incoming SMSs, looking for the bank SMS and forwarding it to the criminals. This way they already had all the information they needed to make the transaction, game over.
Apart of asking for the user phone number the configuration file had other curious things. When the user visited the online banking URL ZeuS added an script element to the legitimate web page pointing to an URL, avoiding to store all the HTML code in the config file. But this is not the strange thing, it's that normally the src attribute it's an absolute URL while in this case was a relative one:
Submitted by jesparza on Thu, 2010/10/28 - 20:19
Recently our e-crime team has discovered
that Spyeye is using Man in the Browser (MitB) techniques in order to make fraudulent transactions. Thanks to MitB cybercriminals can make the transactions in the same banking online session as the real user, therefore they can do it in a quickly and clean way. I say clean because in the logs of the online banking application there won't be more IPs than the real user ones. It means less proofs in an hypothetical court against the bad guys, for example.
- When the user goes to the accounts details screen the information (account number, type of account and balance) of all of them are grabbed and sent to the malicious server in a serialized array:
["maxCheck" = ["name" = "MY_ACCOUNT_NAME",
"check" = "MY_ACCOUNT_NUMBER",
"sum" = $$$],
"allChecks" = [ 0 = ["name" = "MY_ACCOUNT_NAME",
"check" = "MY_ACCOUNT_NUMBER",
"sum" = $$$]
- From all the possible accounts it's chosen like preferred the one with more money (maxCheck array).
Submitted by jesparza on Mon, 2010/10/25 - 00:38
ZeuS is still the talk of the town. It's downloaded through fake antivirus, downloaders and several exploit kits. Of course, the best-known social networking site couldn't be out of this. Last week we could see some Facebook messages like the following:
This iframe redirected the user to another web page with two more iframes:
<iframe g1g="321" src="xd/pdf.pdf" l="56" height="31" width="13">
<iframe g1g="321" src="xd/sNode.php" l="56" height="31" width="13">
After advancing further, we arrived to a directory listing in the same server:
Submitted by jesparza on Tue, 2010/02/02 - 12:45
The evolution continues. Some days ago a new ZeuS binary appeared with the version number 220.127.116.11. This new development is an attempt to improve the stealth techniques used to date, as stated in one of the TODO files found some time ago. After just a quick look, one can notice the following changes:
When it's executed and the system isn't infected yet, it copies itself in the directory %SystemRoot%/system32, but with a different filename in each execution. Also it gets the basic file information from the %SystemRoot%/system32/ntdll.dll file (creation, last access and modification dates).
If it finds a previous ZeuS version installed it deletes the binary, leaves and shows the hidden files in the next reboot. To give an idea of the situation, one of the latest samples with sdra64.exe as executable filename is the 1.2.12 one.
Submitted by jesparza on Fri, 2009/11/06 - 13:25
In the S21sec blog we have been talking some time ago about our dear friend, almost one more colleague: ZeuS. It is a malware with more than 3 years of life which continues changing and evolving to hide itself better and making the fraud more efficient. But what we maybe have not mentioned yet is how to know if our little friend is here, spying all our movements and reporting all of this to its parents, because sometimes the AV software is not so effective as we expect.
There are several evidences in its different versions which mean that we are infected with ZeuS:
ZeuS leaves a trace in the filesystem when it's installed in the computer, but it hides and blocks all the files it creates, avoiding that a normal user can see and delete them. The solution to find these files is using antirootkit software which will show us the hidden files.
Submitted by jesparza on Thu, 2009/10/01 - 12:25