In the past, we’ve reported on malware based on the leaked ZeuS code, such as Ice IX and ZeuS 220.127.116.11. Use of the leaked code has continued since then and has resulted in attacks such as the one I’m about to share.
My colleagues and I have been monitoring another new version of ZeuS since late September, one that we believe is also based on the leaked ZeuS source code. Although this new ZeuS variant seems to have no reference to a version number in its code, we believe it was developed by the same criminals behind LICAT.
This new version, detected as TSPY_ZBOT.SMQH, spread around late September through spam that claims to be from the ATO (Australian Taxation Office). The spammed messages contain a malicious link which, when clicked, directs users to a malicious website that serves the BlackHole exploit kit. The exploit kit, in turn, downloads a variant of this new ZeuS version.
Unlike earlier ZeuS versions, which use HTTP to download their configuration files, this version opens a random UDP port and connects to a hardcoded list of IP addresses to download its configuration file.
TSPY_ZBOT.SMQH establishes a connection with the server by sending encrypted data that contains the bot ID and a stream of characters. Each IP address in the hardcoded list has a corresponding stream of characters, which the server seems to check to validate the communication.
If any of the IP addresses is alive, it replies with the encrypted configuration file via TCP.
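A defender can look for this retrieval pattern in network flow logs. The following Python heuristic is an added example, not code from the original post or from the malware: it flags internal hosts that send UDP from one source port to several external addresses and then exchange TCP traffic, in either direction, with one of those addresses. The flow-record layout, the 10.0.0.0/8 internal range, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the monitored address space

# Constructed flow records (not from a real capture).
# Layout (assumed): (epoch_seconds, protocol, src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (100, "udp", "10.0.0.5", 23811, "198.51.100.10", 17450),
    (101, "udp", "10.0.0.5", 23811, "203.0.113.20", 22091),
    (102, "udp", "10.0.0.5", 23811, "192.0.2.30", 10233),
    (104, "tcp", "203.0.113.20", 22091, "10.0.0.5", 23811),  # TCP with a probed peer
    (200, "udp", "10.0.0.7", 51000, "10.0.0.1", 53),         # internal DNS lookup
    (201, "tcp", "10.0.0.7", 51001, "198.51.100.80", 443),   # ordinary web traffic
    (300, "udp", "10.0.0.9", 40123, "198.51.100.80", 123),   # single UDP peer
    (301, "tcp", "10.0.0.9", 40124, "198.51.100.80", 443),   # TCP to that same peer
]


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def find_udp_fanout_then_tcp(flows, min_peers=3, window=60):
    """Return {internal_host: [peers probed over UDP, then seen over TCP]}.

    min_peers and window are tuning assumptions, not values from the post.
    """
    probes = defaultdict(list)  # (host, udp_source_port) -> [(ts, peer)]
    hits = defaultdict(set)
    for ts, proto, src, sport, dst, dport in sorted(flows):
        src_in, dst_in = is_internal(src), is_internal(dst)
        if proto == "udp" and src_in and not dst_in:
            probes[(src, sport)].append((ts, dst))
        elif proto == "tcp" and src_in != dst_in:
            # The post does not say which side opens the TCP session,
            # so accept either direction.
            host, peer = (src, dst) if src_in else (dst, src)
            for (probe_host, _port), sent in probes.items():
                if probe_host != host:
                    continue
                recent = {p for t, p in sent if 0 <= ts - t <= window}
                if len(recent) >= min_peers and peer in recent:
                    hits[host].add(peer)
    return {host: sorted(peers) for host, peers in hits.items()}


if __name__ == "__main__":
    print(find_udp_fanout_then_tcp(SAMPLE_FLOWS))
```

Legitimate peer-to-peer and VoIP software can produce a similar fan-out, so matches are leads for triage rather than confirmed infections.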
Decrypting the Configuration File
Once the configuration file is downloaded, TSPY_ZBOT.SMQH will employ the following decryption algorithm for its configuration file:
As we can see, unlike ZeuS 18.104.22.168 which uses Advanced Encryption Standard (AES), the decryption algorithm did not change much compared to the modified ZeuS 2, which uses RC4.
As I mentioned earlier, like LICAT and ZeuS 22.214.171.124, this new variant also seems to be crafted by a private professional gang, probably the same creators of LICAT, or affiliated with them at least. In fact, the configuration file for TSPY_ZBOT.SMQH has the same format as that of the configuration file of LICAT.
Although the spammed messages only target Australian users, the contents of the decrypted configuration file suggest that it may be used in a global campaign, covering the United States as well as European and even Asian countries.
We will continue to monitor this threat and other variants that emerge in the future.
Thanks to Mark Dixon of Westpac Bank of Australia for providing samples of the related malware and spam.