Zeus 1.1.3.4

RSA FirstWatch throw me recently a sample of a 'new' Zeus variant.
I didn't really check all the changes that were made but seem it's nothing more than just a standard Zeus v2.
But wait, it communicates over SSL and had a new kind of HTTP request pattern:

Fiddler:

Config download in python:

import urllib2

request = urllib2.Request('https://secureinformat.com/?ajax')
request.add_header('Accept', '*/*')
request.add_header('X_ID', '14E255CE7875768FBC303C10')
request.add_header('X_OS', '510')
request.add_header('X_BV', '1.1.3.4')
request.add_header('Control', 'no-cache')
request.add_header('User-Agent', 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729;')
page = urllib2.urlopen(request).read()
open('ajax', 'w').write(page)

Notice the new headers:
X_ID = Bot ID
X_OS = OS version
X_BV = Variant version

The answer of the server have X_ID as cookie:

<< HTTP/1.1 200 OK
<< Date: Fri, 28 Feb 2014 06:35:34 GMT
<< Server: Apache
<< Set-Cookie: X_ID=14E255CE7875768FBC303C10; expires=Sat, 28-Feb-2015 06:35:34 GMT; path=/
<< Content-Description: File Transfer
<< Content-Disposition: attachment; filename=ajax
<< Content-Transfer-Encoding: binary
<< Expires: 0
<< Cache-Control: must-revalidate, post-check=0, pre-check=0
<< Pragma: public
<< Content-Length: 3685
<< Connection: close
<< Content-Type: application/octet-stream

Sample: bb9fe8c3df598b8b6ea2f2653c38ecd2

Version: 1.1.3.4
RC4: E2 82 3E B3 04 11 15 34 17 64 01 DC 7D B8 A5 35 CB 00 19 AA 81 59 6E 1B 85 7E 44 CA 10 90 40 2A C3 36 20 C5 C2 55 E6 F4 43 67 5B 42 4D 21 98 D4 78 70 1A 6F 72 24 88 B4 0A E7 B9 BC C1 8E 8F 79 86 CC 5F 46 FC A9 1C F0 74 E0 C0 3F 8D DD EC 4C 66 A0 02 97 C6 99 BB 7F 0D A8 3A 27 07 E8 75 80 28 54 93 D3 BD 2C EA 9D F6 0B 45 2E F1 EB A3 0E 9E BA 4B 9F 09 89 56 29 C4 48 23 14 2F DA F5 39 3B 8C CD 2B 37 41 A2 95 0F C9 BE AD F8 D7 DE C8 B5 0C 76 51 DF 5D B2 D6 AC 83 52 08 50 92 E1 B0 9C AE CF E4 ED B1 5E 7C 6A 96 65 26 87 2D 12 8A 9A A4 FF 94 D2 7A C7 47 31 7B EE CE DB 32 B7 06 D1 F2 EF AB AF 3C 18 84 E3 22 61 03 3D D9 9B 05 58 D8 30 F7 F3 B6 62 8B 1E 6C 71 FA 4A 4E 63 60 4F 16 6D 25 FB 53 FD 13 33 D0 E9 73 68 F9 69 A6 38 57 6B 5A 49 1D A1 A7 1F BF 5C D5 E5 91 77 FE
Drop Point: http://localhost/gate.php
Infection Point: http://localhost/bot.exe
Update Point:
http://secureinformat.com/?ajax (static config)

For unpacking the config, here again nothing new, regular Zeus v2.
Once unpacked, we can see that the malware is targeting German banks and Trusteer:

http*://*netbanking.sparkasse.at/hilfe/sicherheit*
https://*banking.berliner-bank.de/trxm*
https://*banking.co.at*
https://*commerzbank.de*
https://*commerzbanking.de*
https://*meine.deutsche-bank.de/trxm/db*
https://*meine.norisbank.de/trxm/noris*
https://banking.postbank.de/rai*
https://banking.sparda.de*
https://finanzportal.fiducia.de*
https://netbanking.sparkasse.at/*
https://netbanking.sparkasse.at/casserver/login*
https://netbanking.sparkasse.at/sPortal/*
https://online-*.unicredit.it/*
https://online.bankaustria.at*
https://*commerzbank.de*
https://*commerzbanking.de*
https://*meine.deutsche-bank.de/trxm/db*
https://*meine.norisbank.de/trxm/noris*
https://www.trusteer.com/ProtectYourMoney*

WebInjects:

https://secure730.com/oz1/service.in?id=50
https://secure730.com/oz1/service.in?id=44
https://secure730.com/oz1/service.in?id=43
https://secure730.com/oz1/service.in?id=41
https://secure730.com/oz1/service.in?id=7
https://secure730.com/oz1/service.in?id=6
https://secure730.com/oz1/service.in?id=4
https://secure730.com/oz1/service.in?id=3
https://secure730.com/oz1/service.in?id=2
https://secure730.com/oz1/service.in?id=1
https://secureinformat.com/id/351
https://secureinformat.com/id/350
https://secureinformat.com/id/51
https://secureinformat.com/id/10

Man in the browser:

Clean browser surfing Trusteer website:

Infected browser surfing Trusteer website:

Requesting the user to download an APK:

Test done on the latest Firefox version (v27.0.1)

bit.ly/1jmQHmA = hxtp://shlyxiest.biz/cdn/Trusteer-Mobile.apk
>> https://www.virustotal.com/en/file/2f82ce7288137c0acbeefd9ef9f63926057871611703e77803b842201009767a/analysis/1393786189/
Phone number:  79670478968

Identified as Perkel.c by Kaspersky, Perkel is an android malware who was sold by Perkele (this guy was later banned from underground forums for scaming but it's another story)

Sort of Fake AV:

Sample: 917df7b6268ba705b192b89a1cf28764

Version: 1.1.3.4
RC4: E2 82 3E B3 04 11 15 34 17 64 01 DC 7D B8 A5 35 CB 00 19 AA 81 59 6E 1B 85 7E 44 CA 10 90 40 2A C3 36 20 C5 C2 55 E6 F4 43 67 5B 42 4D 21 98 D4 78 70 1A 6F 72 24 88 B4 0A E7 B9 BC C1 8E 8F 79 86 CC 5F 46 FC A9 1C F0 74 E0 C0 3F 8D DD EC 4C 66 A0 02 97 C6 99 BB 7F 0D A8 3A 27 07 E8 75 80 28 54 93 D3 BD 2C EA 9D F6 0B 45 2E F1 EB A3 0E 9E BA 4B 9F 09 89 56 29 C4 48 23 14 2F DA F5 39 3B 8C CD 2B 37 41 A2 95 0F C9 BE AD F8 D7 DE C8 B5 0C 76 51 DF 5D B2 D6 AC 83 52 08 50 92 E1 B0 9C AE CF E4 ED B1 5E 7C 6A 96 65 26 87 2D 12 8A 9A A4 FF 94 D2 7A C7 47 31 7B EE CE DB 32 B7 06 D1 F2 EF AB AF 3C 18 84 E3 22 61 03 3D D9 9B 05 58 D8 30 F7 F3 B6 62 8B 1E 6C 71 FA 4A 4E 63 60 4F 16 6D 25 FB 53 FD 13 33 D0 E9 73 68 F9 69 A6 38 57 6B 5A 49 1D A1 A7 1F BF 5C D5 E5 91 77 FE
Drop Point: http://localhost/gate.php
Infection Point: http://localhost/bot.exe
Update Points:
https://koloboktv.com/?ajax (static config)
https://securestakan2.net/?ajax (dynamic config)
https://securemagnit5.net/?ajax (dynamic config)

WebInjects:

https://pikachujp.com/oz1/service.in?id=50
https://pikachujp.com/oz1/service.in?id=44
https://pikachujp.com/oz1/service.in?id=43
https://pikachujp.com/oz1/service.in?id=41
https://pikachujp.com/oz1/service.in?id=7
https://pikachujp.com/oz1/service.in?id=6
https://pikachujp.com/oz1/service.in?id=4
https://pikachujp.com/oz1/service.in?id=3
https://pikachujp.com/oz1/service.in?id=2
https://pikachujp.com/oz1/service.in?id=1
https://koloboktv.com/id/351
https://koloboktv.com/id/350
https://koloboktv.com/id/51
https://koloboktv.com/id/10

Sample: 7fb62987f20b002475cb1499eb86a1f5

Version: 1.1.2.1
RC4: 30 72 E6 32 80 EF BD 92 BE DD 3B 1C 58 45 33 2F 41 53 A9 26 8E 20 4D 8A DB 6A F6 8B CE 4C B6 38 02 2B 6C 15 A1 2C 2D C2 ED 0E BB BF 64 40 F1 9F D2 36 07 C3 CF 8D AA D3 A5 42 C0 9B 48 49 67 81 98 75 51 1B 96 6E 97 4A 59 DE 44 65 85 7B 35 16 0C 23 4F FE 5B FA D7 84 A7 46 EE 82 DF E1 6B AD 94 CB 18 C4 8C 0F E7 00 E0 7E CA 24 1A 7A A6 73 3C 03 F5 9C EA 1E FB D4 0B 14 11 22 06 F4 6D 55 E5 93 F9 E2 69 D5 CD 27 E8 12 C8 77 0D 08 A2 B7 0A 01 D8 EB 3F AB 3A 61 83 04 86 CC FD F3 5F 63 09 AC AF 66 17 B9 56 19 F2 C7 47 43 25 1D 89 29 99 2E C1 87 54 C9 62 34 74 4B A0 B1 3E 21 57 52 2A 39 FF 05 BC C6 A4 4E 3D 9D E3 D9 BA 76 5C AE A3 FC B4 B3 D6 28 5A 68 F7 31 7D 7F E4 1F 37 D1 90 B5 B0 D0 C5 79 DA 13 71 A8 7C EC F8 E9 60 50 88 78 70 10 B2 5E 8F 6F 9A B8 95 DC 9E 91 F0 5D
Update Point:
https://securestatic.com/?ajax (static config)

All these samples use the same IP range:
• dns: 1 ›› ip: 37.228.92.170 - adress: SECURE730.COM
• dns: 1 ›› ip: 37.228.92.169 - adress: SECUREINFORMAT.COM
• dns: 1 ›› ip: 37.228.92.148 - adress: SHLYXIEST.BIZ
• dns: 1 ›› ip: 37.228.92.147 - adress: SECURESTATIC.COM
• dns: 1 ›› ip: 37.228.92.146 - adress: KOLOBOKTV.COM

I've wrote a small yara rule in hope to see more of these.
All configs that i grabbed was reporting to localhost not to a server...