I didn't really check all the changes that were made but seem it's nothing more than just a standard Zeus v2.
But wait, it communicates over SSL and had a new kind of HTTP request pattern:
Config download in python:
Notice the new headers:
X_ID = Bot ID
X_OS = OS version
X_BV = Variant version
The answer of the server have X_ID as cookie:
For unpacking the config, here again nothing new, regular Zeus v2.
Once unpacked, we can see that the malware is targeting German banks and Trusteer:
Man in the browser:
Clean browser surfing Trusteer website:
Infected browser surfing Trusteer website:
bit.ly/1jmQHmA = hxtp://shlyxiest.biz/cdn/Trusteer-Mobile.apk
Phone number: 79670478968
Identified as Perkel.c by Kaspersky, Perkel is an android malware who was sold by Perkele (this guy was later banned from underground forums for scaming but it's another story)
Sort of Fake AV:
All these samples use the same IP range:
• dns: 1 ›› ip: 18.104.22.168 - adress: SECURE730.COM
• dns: 1 ›› ip: 22.214.171.124 - adress: SECUREINFORMAT.COM
• dns: 1 ›› ip: 126.96.36.199 - adress: SHLYXIEST.BIZ
• dns: 1 ›› ip: 188.8.131.52 - adress: SECURESTATIC.COM
• dns: 1 ›› ip: 184.108.40.206 - adress: KOLOBOKTV.COM
I've wrote a small yara rule in hope to see more of these.
All configs that i grabbed was reporting to localhost not to a server...