The Latest in IT Security

LICAT Variant Distributed Via IRS-Related Spam

28 Jul 2011

We have encountered another LICAT variant that is being spread via fake IRS spam to people in specific organizations, including Trend Micro. As you may recall, LICAT is known for its use of a domain generation algorithm (DGA) technique.

In the spammed message, recipients are informed of an issue regarding their tax payment. The message contains a link that supposedly leads to the recipient’s tax review. Once the user clicks on the link, they are prompted to download an executable file which, when executed, installs the malware (now detected as TSPY_ZBOT.WHZ) on their system.

Like any LICAT variant, TSPY_ZBOT.WHZ generates URLs using a computation based on the current date. TSPY_ZBOT.WHZ connects to the dynamically generated URLs in order to download its configuration file, which contains information on the websites it will monitor, as well as the site where it will send any stolen information. This malware also appears to concentrate on the typical ZBOT routines that involve information theft, and uses the DGA technique to evade blocking by antivirus products.

Unfortunately, this is certainly not the last of LICAT malware. Fellow Trend Micro engineer Roland dela Paz commented that after the ZeuS source code leaked, “we have been seeing the LICAT Gang (otherwise known as the ZeuS 2.1.0.10 Gang) to be persistent in their malicious operations. So far, they are one, if not the only one, of the cybercriminal groups that are actually able to work with and update the leaked source code. The bad guys behind this are definitely something to keep an eye on. I do not expect them to leave the cybercrime scene any time soon.”

Trend Micro engineer Jasper Manuel commented that this may be the case, as “uploaded LICAT-related binaries on ZeuS Tracker suggest that Licat variants are indeed coming from a specific criminal cybergang. Most samples appear to have similar resources (file version information).” The LICAT gang also appears to be investing seriously in ZeuS. Manuel observed that recent variants “have different structure in its decryption function to become resilient from automation, which extracts decryption keys from an infected memory. All things considered, it seems that we are already starting to see the consequences of the leaked source code.”

The Trend Micro Smart Protection Network provides users multi-layered protection from this threat through the Email Reputation Service, which blocks the spam messages, the Web Reputation Service, which blocks all the malicious URLs (including those domains dynamically generated by the malicious file), and the File Reputation Service, which detects TSPY_ZBOT.WHZ.

For more information on LICAT, and the domain generation technique that was used by this ZBOT variant, you can check our white paper, File-Patching ZBOT Variants: ZeuS 2.0 Levels Up.
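A defender-side illustration of the date-based domain generation described above, added here and not taken from the original post or from Trend Micro: a host running a DGA typically tries many computed names in one day, and most fail to resolve, so a resolver log shows a burst of NXDOMAIN answers for random-looking names from a single client. The log format, thresholds, and sample lines are constructed assumptions, and the heuristic is generic rather than a reimplementation of LICAT's algorithm.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not from the original post):
# "<date> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
2011-07-28 10.0.0.5 www.irs.gov NOERROR
2011-07-28 10.0.0.5 mail.example.com NOERROR
2011-07-28 10.0.0.5 wwww.example.com NXDOMAIN
2011-07-28 10.0.0.7 qzxkvbnwpjrtyhgd.example NXDOMAIN
2011-07-28 10.0.0.7 hwjqmzktrxbvnply.example NXDOMAIN
2011-07-28 10.0.0.7 fgtzrkqwnmxvbphd.example NXDOMAIN
2011-07-28 10.0.0.7 lkjhgfdsqwertzxc.example NXDOMAIN
2011-07-28 10.0.0.7 mnbvcxzpoiuytrew.example NOERROR
"""

def shannon_entropy(label):
    """Bits per character of the label's character distribution."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(name, min_len=12, min_entropy=3.5):
    """Heuristic: long, high-entropy label directly under the TLD.

    Assumption: the second-to-last label approximates the registered
    domain (this is wrong for suffixes such as co.uk).
    """
    labels = name.rstrip(".").lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def flag_clients(log_text, min_failed=4):
    """Return {(date, client): [names]} for clients with at least
    min_failed distinct generated-looking NXDOMAIN lookups in one day."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        date, client, name, rcode = parts
        if rcode == "NXDOMAIN" and looks_generated(name):
            failed[(date, client)].add(name.lower())
    return {k: sorted(v) for k, v in failed.items() if len(v) >= min_failed}

if __name__ == "__main__":
    for (date, client), names in flag_clients(SAMPLE_LOG).items():
        print(date, client, len(names), "suspicious failed lookups")
```

A flagged client's successful lookups for similar-looking names on the same day are worth reviewing next, since the one name that resolves is the likely configuration download point.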
