September 16, 2013 / Vadim Kotov

Another tale of a Zeus targeted attack

A few days back, we were notified of a targeted attack on the editorial staff of a prestigious online publication. It was impressive how aware and vigilant the intended ‘victims’ were: they spotted the anomalies in the phishing email that was sent out. However, all it takes is one innocent click from an unsuspecting user to get infected by such a targeted phishing email. The chances of infection with the malware sample we received were very high, as traditional AV had low detection rates at the time of the attack.

It should be noted that targeting key people in the publishing industry has been on the rise; the most recent example is the New York Times attack.

We were able to confirm immediately that the attack was using the infamous Zeus Trojan. The Zeus Trojan is already well known to have many sophisticated ‘features’, hence we decided to cover some of the aspects that are not discussed widely.

File Analyzed

Name: FSEMC.06092013.exe

Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Size: 16896 Bytes

Compiled: Sep 06 2013

MD5 = cb9cc726fc2e79877ac9d6d79ceb2ef3

SHA256 = 6fcd54235ec7883cd551d9f8b043d5b9ce82832e0e476c8b2c4a79e5f228eb30

Sections Summary

Zeus Dropper Sections

Dropper and Obfuscation

The dropper uses an interesting obfuscation method. The file does not look suspicious at first sight. For example, its entropy is within normal ranges:

Entropy plot of the Zeus dropper

Secondly, it uses Windows messages to control the workflow: it registers a window class and defines its window procedure, then sends messages to itself with the id of the next command passed as an argument. The algorithm and its implementation were developed to confuse the heuristic scanners in antivirus engines.

The de-obfuscation workflow can be expressed as follows:

Zeus dropper de-obfuscation workflow

The second dropper uses the same message-based de-obfuscation routine, but the entropy of the file looks more suspicious:

Zeus second dropper entropy plot

The high entropy area on the right corresponds to a PNG resource that contains the final executable. The latter never lands on the victim’s hard drive and runs entirely in memory. Moreover, its PE header is mangled, so dumping it and analyzing it with tools such as IDA Pro is tricky.
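The entropy plots referred to above can be reproduced without a GUI tool. The following is an added example, not code from the original post: it computes Shannon entropy over fixed-size windows of a file and merges consecutive high-entropy windows into byte ranges, which is how an embedded compressed or encrypted resource (such as the PNG here) stands out against ordinary code and data. The sample input is constructed inline (a low-entropy repeating pattern with a pseudo-random block in the middle); the window size and the 7.0 bits/byte threshold are assumptions, not values from the post.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def windowed_entropy(data: bytes, window: int = 512, step: int = 512):
    """Entropy of each window, as a list of (offset, entropy) pairs."""
    last_start = max(len(data) - window + 1, 1)
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, last_start, step)]


def high_entropy_regions(data: bytes, window: int = 512, step: int = 512,
                         threshold: float = 7.0):
    """Merge adjacent windows at or above `threshold` into (start, end) ranges."""
    regions = []
    for off, h in windowed_entropy(data, window, step):
        if h < threshold:
            continue
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], off + window)   # extend current run
        else:
            regions.append((off, off + window))             # start a new run
    return regions


def build_sample() -> bytes:
    """Constructed stand-in for a dropper: 4096 bytes of low-entropy pattern,
    2048 pseudo-random bytes (the 'embedded resource'), then a 1024-byte tail."""
    rng = random.Random(20130916)  # fixed seed so the result is reproducible
    low = bytes(range(16)) * 256          # 16 symbols equally spread -> 4.0 bits/byte
    high = bytes(rng.getrandbits(8) for _ in range(2048))
    tail = bytes(range(16)) * 64
    return low + high + tail


def scan_file(path: str, **kw):
    """Convenience wrapper for a real file on disk."""
    with open(path, "rb") as fh:
        return high_entropy_regions(fh.read(), **kw)


if __name__ == "__main__":
    sample = build_sample()
    for off, h in windowed_entropy(sample):
        print(f"{off:#08x}  {h:5.2f}  {'#' * int(h * 4)}")
    print("high-entropy regions:", high_entropy_regions(sample))
```

The text-mode bar per window is the same information the plot carries; a region that spans a large part of the file at close to 8 bits/byte is the thing to look at with a resource parser next.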

The final executable deploys a lot of obfuscation tricks to confuse analysis tools and reverse engineers. The workflow is defined as a sequence of internal commands (represented by integer values) stored in global arrays. This picture illustrates how our sample’s operation is organized:

Command processing

A command sequence is passed as an argument to the ProcessCommands function, which jumps to the corresponding case of a switch statement. The program uses the __fastcall convention, so the first two arguments are passed in registers.

Apart from control flow confusion, the sample keeps all the crucial data obfuscated and decodes it only when needed. The string de-obfuscation algorithm looks like this:

String deobfuscation

The strings are kept in an array of 8-byte structures: 4 bytes hold a pointer to the obfuscated string, 2 bytes its length and 2 bytes the XOR key (in fact only the first byte is used; the second is always 0).
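An analyst who has a memory dump of the final executable can recover all strings at once by walking that table instead of decoding them one by one in a debugger. The following is an added example, not code from the original post: it packs and parses the 8-byte entry layout described above (4-byte pointer, 2-byte length, 2-byte key with only the low byte used) and XOR-decodes each string. It assumes the dump is a flat image loaded at a known base address so that pointer minus base gives a file offset, and it assumes an all-zero entry terminates the table; the sample image, the base address 0x400000 and the strings and keys in it are constructed here, not taken from the malware.

```python
import struct

# One table entry: u32 pointer, u16 length, u16 key (little-endian, as on x86)
ENTRY = struct.Struct("<IHH")


def xor_decode(buf: bytes, key: int) -> bytes:
    """Single-byte XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ (key & 0xFF) for b in buf)


def parse_string_table(image: bytes, image_base: int, table_off: int,
                       max_entries: int = 1024):
    """Walk the entry array at `table_off` inside a flat memory image.

    Returns a list of (pointer, key, decoded_bytes). Stops at an all-zero
    entry (assumed terminator) or after `max_entries`. Raises ValueError
    on an entry whose pointer/length fall outside the image, which is
    what a mis-chosen base address or a corrupt table looks like.
    """
    out = []
    for i in range(max_entries):
        off = table_off + i * ENTRY.size
        if off + ENTRY.size > len(image):
            break
        ptr, length, key = ENTRY.unpack_from(image, off)
        if ptr == 0 and length == 0:
            break
        str_off = ptr - image_base
        if str_off < 0 or str_off + length > len(image):
            raise ValueError(f"entry {i}: pointer {ptr:#x} outside image")
        out.append((ptr, key & 0xFF, xor_decode(image[str_off:str_off + length], key)))
    return out


# Constructed plaintexts; the first three appear on this page, the keys are arbitrary.
SAMPLE_STRINGS = [
    (b"wininet.dll", 0x5A),
    (b"nspr4.dll", 0x3C),
    (b"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0xA7),
    (b"pass", 0x11),
]


def build_sample_image(image_base: int = 0x400000, table_off: int = 0x100,
                       data_off: int = 0x200) -> bytes:
    """Build a 1 KiB constructed image: entry table at table_off, encoded
    strings from data_off onward, zeros elsewhere (so the table terminates)."""
    image = bytearray(0x400)
    entries = bytearray()
    cur = data_off
    for text, key in SAMPLE_STRINGS:
        enc = xor_decode(text, key)
        image[cur:cur + len(enc)] = enc
        entries += ENTRY.pack(image_base + cur, len(enc), key)  # high key byte is 0
        cur += len(enc) + 1
    image[table_off:table_off + len(entries)] = entries
    return bytes(image)


if __name__ == "__main__":
    for ptr, key, text in parse_string_table(build_sample_image(), 0x400000, 0x100):
        print(f"{ptr:#010x} key={key:#04x} {text!r}")
```

On a real dump the table offset comes from the cross-references to the decoding routine, and the base from the dump's load address; if the pointers resolve outside the image, the base is wrong, which the bounds check reports instead of silently producing garbage.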

Malicious Activity

Process Injection and Persistence

Targets for process injection are the same as in previous Zeus variants:

  • dwm.exe
  • taskhost.exe
  • taskeng.exe
  • wscntfy.exe
  • ctfmon.exe
  • rdpclip.exe
  • explorer.exe

The malware adds itself to the following registry key: Software\Microsoft\Windows\CurrentVersion\Run
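The injection target list and the Run key above are the two behaviours a defender can hunt for most directly. The following is an added example, not code from the original post: a small detection routine run over constructed, simplified endpoint events (one dict per event; the field names, the alice user, and the dropper path are assumptions, not taken from real telemetry or from this sample). It flags remote-thread creation from a non-system image into one of the listed processes, flags writes under the Run key, and correlates the two on the image path, which is the combination this post describes.

```python
import ntpath

# Injection targets exactly as listed in the post (compared case-insensitively).
ZEUS_INJECTION_TARGETS = {
    "dwm.exe", "taskhost.exe", "taskeng.exe", "wscntfy.exe",
    "ctfmon.exe", "rdpclip.exe", "explorer.exe",
}
RUN_KEY_SUFFIX = r"software\microsoft\windows\currentversion\run"

# Constructed events. The dropper path is an invented placeholder.
DROPPER = r"C:\Users\alice\AppData\Roaming\sample\dropper.exe"
EVENTS = [
    {"type": "remote_thread", "source": DROPPER,
     "target": r"C:\Windows\explorer.exe"},
    {"type": "remote_thread", "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\explorer.exe"},
    {"type": "remote_thread", "source": DROPPER,
     "target": r"C:\Windows\System32\svchost.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "sample", "data": DROPPER},
    {"type": "registry_set", "key": r"HKCU\Software\Vendor\Settings",
     "value": "LastRun", "data": "2013-09-16"},
]


def is_system_image(path: str) -> bool:
    """Crude allow-list: images under the Windows directory."""
    return path.lower().startswith("c:\\windows\\")


def detect(events):
    """Return a list of (rule, image_path, detail) alerts."""
    alerts = []
    for e in events:
        if e["type"] == "remote_thread":
            target = ntpath.basename(e["target"]).lower()
            if target in ZEUS_INJECTION_TARGETS and not is_system_image(e["source"]):
                alerts.append(("injection_into_zeus_target", e["source"], target))
        elif e["type"] == "registry_set":
            if e["key"].lower().endswith(RUN_KEY_SUFFIX):
                alerts.append(("run_key_persistence", e["data"], e["value"]))
    return alerts


def correlate(alerts):
    """Image paths that both injected into a target process and registered
    themselves under Run: the combination described for this sample."""
    injecting = {a[1].lower() for a in alerts if a[0] == "injection_into_zeus_target"}
    persisting = {a[1].lower() for a in alerts if a[0] == "run_key_persistence"}
    return sorted(injecting & persisting)


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, image, detail in found:
        print(f"{rule:28s} {image}  ({detail})")
    print("high confidence:", correlate(found))
```

The allow-list on the injecting image is deliberately crude; in production the source would be judged by signer and prevalence rather than by directory, but the Run-key write plus a remote thread into explorer.exe from the same user-writable path is a strong enough pairing to page on.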

Information Stealing

The program searches for the following extensions:

  • .docx
  • .dat
  • .sol (Adobe Flash local shared objects, from which cookies are stolen)

The following mail clients are checked:

  • Outlook Express
  • Windows Mail

The malware also gets access to the contact lists which are supposedly used for social engineering based propagation.

Web data is stolen via hooks in wininet.dll, chrome.dll and nspr4.dll, allowing the malware to scrape form data and cookies. Login credentials for various protocols (such as POP3 and FTP) are intercepted.

Certificates are stolen using Windows API calls such as CertDuplicateCertificateContext and PFXExportCertStoreEx. It uses the string “pass” as the password when exporting the certificate store.

Traditionally, Zeus collects information related to a number of financial/banking programs. The strings corresponding to the names of target processes are shown in Table 1.

Table 1 – Targeted software

| Zeus string | Application | Description |
|---|---|---|
| tellerplus | FIS TellerPlus | An on-line teller system based on client/server architecture (http://www.fisglobal.com/products-core-coreaccountprocessing-bancpac). |
| bancline | FIS BancLine | Account processing system; includes retail and branch automation systems, document imaging and so forth (http://www.fisglobal.com/products-core-coreaccountprocessing-bancline). |
| fidelity | Fidelity | Online trading software (https://www.fidelity.com/). |
| micrsolv | | |
| bankman | Sysman Bankman | Bank branch information system (http://www.sysman.org/bankman.htm). |
| vanity | | |
| episys | The Episys Enterprise Communication Suite | Software for retail, banking, manufacturing, logistics etc. (http://www.episys.com/). |
| jack henry | Jack Henry banking solutions | Banking software (http://www.jackhenrybanking.com/). |
| cruisenet | Jack Henry cruisenet | Part of Jack Henry banking solutions. |
| gplusmain | | |
| | Fiserv Director | Software suite for document management, workflow coordination etc. (http://www.premier.fiserv.com/products/overview/ovr_premierdirector.htm). |
| | Fiserv Prologue software | Software for financial accounting (http://www.riskandperformance.fiserv.com/FinancialAccounting.aspx?mnu_id=1). |
| silverlake | Jack Henry Silver Lake | Banking platform (http://www.jackhenrybanking.com/core-solutions/pages/silverlake-system.aspx). |
| v48d0250s1 | | |
| fastdoc | | |
| fdmaster.exe | | |
| launchpadshell.exe | | |
| pcsws.exe | | |
| prologue.exe | | |
| wtng.exe | | |

The stolen data is sent to the C&C server over HTTP.

Summary

Targeted phishing attacks like these are designed to thrive on user mistakes. As is evident from the analysis above, Zeus in particular has been designed to bypass antivirus and other signature-based detection technologies. It should also be noted that this attack targeted popular banking software as well as browsers and email clients in order to exfiltrate data from the victims.

We continue to monitor these and we’ll update our readers as we come across more interesting malware in the wild.

Related Articles

  1. Zeus Banking Trojan Report http://www.secureworks.com/cyber-threat-intelligence/threats/zeus/
  2. Malware analysis: Citadel http://seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf
  3. Zeus V2 Malware Analysis – Part I http://sysforensics.org/2012/03/zeus-v2-malware-analysis-part-i.html
  4. Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign http://malwaremustdie.blogspot.ru/2013/06/case-of-pony-downloaded-zeus-via.html
  5. How Attackers Steal Private Keys from Digital Certificates http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates
