Sunday 13 April 2014

ZeusVM and steganography

Months ago, researchers observed an evolution of ZeusVM, time to get back on this family.

For informations,
The first ZeusVM sample i've seen using steganography was the 21 November 2013.
The IP of the C&C have Russian origin: 212.44.64.202
A Sutra TDS who redirect on Nuclear Exploit pack was pushing the payload, Roman of abuse.ch blacklisted 212.44.64.202 one month later on his Zeus tracker.

The first guy who publicly wrote about ZeusVM change is probably Jerome Segura of Malwarebytes.
Actually the latest version i've saw in the wild is 1.0.0.5, and if you want a hash: e4c31d18b92ad6e19cb67be2e38c3bd1 (sample is fresh of today)

Let's have a look on the first server that i've see now... 212.44.64.202.
Pony, Multilocker, Mailers, Grum and an older version of ZeusVM (without steganography) was also hosted on this server but that not the topic.

The filename of login scripts and ZeusVM configs were hardnamed in russian, like:
borodinskoesrajenie.jpg (http://en.wikipedia.org/wiki/Battle_of_Borodino)
vhodtolkodlyaelfov.php (only elves can enter)
logovoelfov.php (elf's den)
domawniypitomec.php (domestic animal)
jivotnoe.php (animal)
larecotkryt.php (the chest is open)
And so on.. overall the panel design seem back to the original zeus style (not like the previous 'generation' of ZeusVM with casper)

/kec/:

/luck/:

/ass/:

/kbot/:

/ksks/:

/one/:

/two/ (unused):
/

/three/ (unused):

/four/ (unused):

Now, for decoding those ZeusVM images, as described by Jerome, you just need to strip the image and do the following: Base64+RC4+VisualDecrypt+UCL Decompress

Here are some 'malicious' image from 212.44.64.202:
mix.jpg:
mix.jpg:
mix.jpg:
mix.jpg:
config.jpg:
kartamestnosti.jpg:
webi_test.jpg:
uwliottrekera.jpg:
 test_vnc2.jpg:
x64hook.jpg:

Some configs was done for tests:

And some wasn't for test, targeting banks with MiTB.
Malicious code injection, on a ZeusVM botnet targeting France:

Lame webinject:


CCGRAB:
ATSEngine:

Nowadays more actors start to use ZeusVM, like the group who was using the 'private' version of Citadel 3.1.0.0 and the group who was targeting Japan.
Both switched on ZeusVM as alternative of Citadel.

You can find the samples related to 212.44.64.202 with config and decoded here:
http://temari.fr/vx/ZeusVMs_212.44.64.202.7z

Some other ZeusVM samples (not related to 212.44.64.202):
http://temari.fr/vx/ZeusVMs_v1.0.0.2_v1.0.0.5.7z





root/root

14 comments:

  1. does it grabb from all browser ? where can we found this ?N

    ReplyDelete
  2. i was searching documentations about this, thanks

    ReplyDelete
  3. What does "VM" stand for in ZeusVM? Virtual Machine?

    ReplyDelete
  4. Can you comment on or link to a source where I can find more information on how steganography is used to actually execute malware?

    ReplyDelete
  5. it's a nooby question maybe

    but what is ATSEngine?

    ReplyDelete
  6. ATS: Automatic Transfer System
    http://blog.trendmicro.com/trendlabs-security-intelligence/evolved-banking-fraud-malware-automatic-transfer-systems/

    ReplyDelete
  7. where can we download the version of zeus ?

    ReplyDelete
  8. But ATS can't work 'cus you need to enter a mTAN to confirm transaction,if you don't infect victim's phone you need to wait for him to try to transfer fund(because he will enter mTAN thinking he is going to do a transaciton to the right account but you hijack the process using MItM method so the funds will go to an other account whereas the vicitm thinks everything is ok(also you try to transfer more than the victim is trying to transfer so you're becoming rich and powerfull)

    ReplyDelete
  9. je suis d'accord avec le type d'en haut d'ailleur si on peut me confirmer ça

    ReplyDelete
  10. Hi, thanks for your work, whats the password of .7z files??

    ReplyDelete
  11. how actually find all .exe files or others files which zeusvm produce on pc, only with registry analysis or ...?

    ReplyDelete
  12. What I want to know is what was in that tar ball he uploaded to their server in the bottom screenshot lol

    ReplyDelete