A few days back, we were notified of a targeted attack on the editorial staff of a prestigious online publication. It was indeed impressive how well aware and vigilant the intended ‘victims’ of the attack were to detect the anomalies in the phishing email sent out. However, all it takes is one innocent click from the unsuspecting users to get infected by such targeted phishing emails. The chances of infection with the malware sample we received were very high as traditional AV had low detection rates at the time of attack.
It should be noted that targeting key people in the publishing industry has been on a rise from attackers; the most recent being the New York Times attack.
We were able to confirm immediately that the attack was using the infamous Zeus Trojan. The Zeus Trojan is already well known to have many sophisticated ‘features’, hence we decided to cover some of the aspects that are not discussed widely.
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size: 16896 Bytes
Compiled: Sep 06 2013
MD5 = cb9cc726fc2e79877ac9d6d79ceb2ef3
SHA256 = 6fcd54235ec7883cd551d9f8b043d5b9ce82832e0e476c8b2c4a79e5f228eb30
Dropper and Obfuscation
The dropper uses an interesting obfuscation method. The file does not look suspicious at first sight. For example its entropy is within normal ranges:
Secondly, it uses windows messages to control the workflow, viz it registers the windows class and defines its procedure, which then sends messages to itself and the id of the subsequent command passed as an argument. The algorithm and its implementation were developed to confuse the heuristic scanners of in antivirus engines.
The de-obfuscation workflow can be expressed as follows:
The second dropper uses the same message-based de-obfuscation routine, however the entropy of the file looks more suspicious:
The high entropy area on the right corresponds to a PNG resource, which withholds the final executable. The latter never lands on the victim’s hard drive and operates within RAM. Moreover its PE header is mangled so dumping and analyzing it with such tools as IDA Pro is tricky.
The final executable deploys a lot of obfuscation tricks to confuse analysis tools and reverse engineers. The workflow is defined as a sequence of internal commands (represented by integer values) that are stored in global arrays. This picture illustrates the way our sample’s operation is organized:
A command sequence is passed as an argument to the ProcessCommands function, which jumps to the corresponding case of the switch statement. The program uses the __fastcall convention and the first two arguments are passed via registers.
Apart from control flow confusion the sample keeps all the crucial data obfuscated and decodes it only when needed. The string de-obfuscation algorithm looks like this:
The strings are kept in the array of 8-byte structures, where 4 bytes is an obfuscated string pointer, 2 bytes its length and 2 bytes – the XOR key (in fact only the first byte is used, the second is always 0).
Process Injection and Persistence
Targets for the process injection are the same as in the previous modifications of Zeus:
The malware adds itself to the following registry key: Software\Microsoft\Windows\CurrentVersion\Run
The program searches for the following extensions:
- .sol (steals cookie from Adobe Flash local shared object)
The following mail clients are checked:
- Outlook Express
- Windows Mail
The malware also gets access to the contact lists which are supposedly used for social engineering based propagation.
Web data is stolen via winnet.dll, chrome.dll and nspr4.dll hooks, allowing the malware to scrape form data and cookies. Login credentials of various protocols (such as POP3 and FTP) are intercepted.
Certificates are stolen using Windows API calls such as CertDuplicateCertificateContext , and PFXExportCertStoreEx. It uses the “pass” string as the password to access the certificate storage.
Traditionally Zeus collects information corresponding to a number of financial/banking programs. Strings corresponding to the names of target processes are shown in Table 1.
Table 1 – Targeted software
|tellerplus||FIS TellerPlus||An on-line teller system based on client/server architecture (http://www.fisglobal.com/products-core-coreaccountprocessing-bancpac).|
|bancline||FIS BancLine||Account processing system, includes retail and branch automation systems, document imaging and so forth. (http://www.fisglobal.com/products-core-coreaccountprocessing-bancline).|
|fidelity||Fidelity||Online trading software (https://www.fidelity.com/).|
|bankman||Sysman Bankman||Bank branch information system (http://www.sysman.org/bankman.htm).|
|episys||The Episys Enterprise Communication Suite||Software for retail, banking, manufacturing, logistics etc. (http://www.episys.com/).|
|jack henry||Jack Henry banking solutions||Banking software (http://www.jackhenrybanking.com/).|
|cruisenet||Jack Henry cruisenet||Part of Jack Henry baking solutions|
|Fiserv Director||Software suite for document management, workflow coordination etc. (http://www.premier.fiserv.com/products/overview/ovr_premierdirector.htm).|
|Fiserv Prologue software||Software for financial accounting (http://www.riskandperformance.fiserv.com/FinancialAccounting.aspx?mnu_id=1).|
|silverlake||Jack Henry Silver Lake||Banking platform (http://www.jackhenrybanking.com/core-solutions/pages/silverlake-system.aspx).|
The stolen data is sent via the C&C using HTTP protocol.
Targeted phishing attacks like these are designed to thrive on user mistakes. As evident from the analysis above, Zeus particularly has been designed to bypass Anti-Virus and other signature based detection technologies. It should also be noted that this attack was targeted to popular banking software and browsers/email clients to exfiltrate data from the victims.
We continue to monitor these and we’ll update our readers as we come across more interesting malware in the wild.
- Zeus Banking Trojan Report http://www.secureworks.com/cyber-threat-intelligence/threats/zeus/
- Malware analysis: Citadel http://seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf
- Zeus V2 Malware Analysis – Part I http://sysforensics.org/2012/03/zeus-v2-malware-analysis-part-i.html
- Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign http://malwaremustdie.blogspot.ru/2013/06/case-of-pony-downloaded-zeus-via.html
- How Attackers Steal Private Keys from Digital Certificates http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates