We have encountered another LICAT variant that is being spread via fake IRS spam to people under specific organizations, including Trend Micro. As you may recall, LICAT is known for its use of dynamic domain generation algorithm (DGA) technique.
In the spammed message, recipients are informed of an issue regarding their tax payment. The message contains a link that supposedly leads to the recipient’s tax review. Once the user clicks on the link, they will be prompted to download an executable file, which when executed installs the malware — now detected as TSPY_ZBOT.WHZ — into their system.
Unfortunately, this is certainly not the last of LICAT malware. Fellow Trend Micro engineer Roland dela Paz commented that after the ZeuS source code leaked, “we have been seeing the LICAT Gang (otherwise known as the ZeuS 18.104.22.168 Gang) to be persistent in their malicious operations. So far, they are one, if not the only one, of the cybercriminal groups that are actually able to work with and update the leaked source code. The bad guys behind this are definitely something to keep an eye on. I do not expect them to leave the cybercrime scene any time soon.”
Trend Micro engineer Jasper Manuel, commented that this may be the case, as “uploaded LICAT-related binaries on ZeuS Tracker suggest that Licat variants are indeed coming from a specific criminal cybergang. Most samples appear to have similar resources (file version information).” The LICAT gang also appears to be investing seriously on ZeuS. Manuel observed that recent variants “have different structure in its decryption function to become resilient from automation, which extracts decryption keys from an infected memory. All things considered, it seems that we are already starting to see the consequences of the leaked source code.”
The Trend Micro Smart Protection Network provides users multi-layered protection from this threat through the Email Reputation Service, which blocks the spam messages, the Web Reputation Service, which blocks all the malicious URLs (including those domains dynamically generated by the malicious file), and the File Reputation Service, which detects TSPY_ZBOT.WHZ.
For more information on LICAT, and the domain generation technique that was used by this ZBOT variant, you can check our white paper, File-Patching ZBOT Variants: ZeuS 2.0 Levels Up.
Leave a reply