In a blog post last week, we shared the discovery of a relatively convincing browser warning whose "Download & Install" button leads to an infection by the infamous Zeus Trojan. After further research, it appears that the threat actor has been carrying out various phishing and malware campaigns using the same playbook and virtual base of operations for nearly a year, maybe longer. The cybercriminal has devised a unique variant of Zeus based on the source code of version 126.96.36.199.
Perpetrator and history of attacks
Based on several investigative findings by PhishLabs’ R.A.I.D. (Research, Analysis and Intelligence Division), it appears to be the work of a single individual rather than part of a larger operation or crew of hackers working together. The cybercriminal has built a malicious ecosystem complete with phishing sites, PUPs or PUAs (potentially unwanted programs or applications), malware loaders, and of course, the Zeus banking Trojan.
Between January and March 2014, the attacker set up a string of malware download sites, botnet C2/config servers, and phishing sites used in various campaigns. Perhaps because that IP address had been blacklisted, in April 2014 the attacker switched to a new IP address (188.8.131.52) allocated to the same network operator.
To get lures into the email inboxes of potential victims, the attacker used PHP mailer scripts and at least one spambot Trojan, known as Rodecap. The analyzed phishing kits targeted the brands preloaded in the kit, without much customization: the email providers Google, Microsoft, Yahoo!, and AOL, as well as multiple major financial institutions. All campaigns used the same IP address (184.108.40.206) but different domain names.
Distribution of the browser alert
In the case of the convincing browser alert used to spread the attacker's Zeus bot, emails were sent out to potential victims through email accounts compromised previously through phishing or spyware attacks. The lures for many of the attacks associated with this threat actor look very similar: the same use of language (including typos and incorrect usage), a lack of formatting, and an attached file. Below is an example of one of the lures used:
Figure 1. Phishing example directing victims to a malicious download.
The attachment in the phishing email is an HTML file, a copy of a relatively new, multi-brand email service phishing page designed to look like a login for Google Drive, insinuating that the document that was the subject of the email was hosted online. Figure 2 shows a screenshot from the popular multi-brand phishing kit used by this attacker and many other scammers:
Figure 2. Popular multi-brand phishing kit designed to look like Google Drive.
It is important to note that to view a document that's been shared publicly via Google Drive, no login is required. Clicking any of the brands brings up a branded login box which will post any usernames and passwords entered directly to the phisher's email account. For example, if one clicks "Outlook" (some versions of this kit still use the old "hotmail.html" filename, even though the pages have been rebranded), one sees:
Figure 3. Fake login site where credentials are captured by the scammer.
The phishing page was designed to post the email address and passwords directly to the attacker. To add insult to injury, once the email credentials have been stolen, the victim is redirected to the "online document browser warning" message used in an attempt to install the Zeus Trojan onto their system.
Figure 4. Fake browser warning that leads to download of Zeus banking Trojan.
New variant of Zeus
This is a unique variant of Zeus. It's based on the source code of version 220.127.116.11, which was stolen and offered for sale in April 2014, then leaked to the public one month later. Some of the internal data structures have been changed, possibly to accommodate configuration data for a new feature, or as an attempt to thwart some of the automated Zeus analysis tools used by security companies and threat trackers.
The following information is specific to the version distributed using the fake browser warning above:
- The bot looks for new versions of itself at http://janmartinarkema.nl/g/30/bot.exe
- The bot downloads new configurations from http://janmartinarkema.nl/g/30/config.bin
- The bot posts stolen data and communicates with its C2 at http://janmartinarkema.nl/g/30/secure.php
Since the beginning of this campaign, janmartinarkema.nl has always resolved to the IP address 18.104.22.168, allocated to AS60781, LeaseWeb in the Netherlands. As of November 2014, the attacker no longer hosts the Zeus C2 server at the current domain name associated with his main IP address, perhaps because services like Zeus Tracker (abuse.ch) publish them fairly quickly, usually resulting in the registrar suspending the attacker's domain name, which limits the useful lifetime of phishing campaigns.
Default Zeus kit settings unchanged
The MITM (man-in-the-middle) webinjects capability for which Zeus became infamous does not appear customized in any way. The webinjects are nearly identical to the defaults shipped with many versions of the builder kit based on the leaked code. They include a number of phishing entries for usernames, email addresses, passwords, TANs (transaction authorization numbers), and answers to security questions (like the cliché "What is your mother's maiden name?") at various online services and financial institutions in the US, Canada, UK, Spain, Germany, Italy, Russia, and India. Checking one of the security question sections shows that the referenced bank no longer appears to use any of the questions in the hardcoded list.
Another sign of age and neglect is the default webinject trigger for e‑gold.com, a precious metals-backed virtual currency service shut down by the US Government and virtually defunct since 2009. In fact, many of the URL patterns that trigger webinjects are no longer valid because of routine changes made by banks and others over several years.
Motives and tactics
What is this Zeus variant being used for if not the typical MITM attacks? It's more likely that the attacker is making use of some of the other Zeus features:
- Basic form-grabbing and credential theft
- Proxy (through which to route attack traffic and carry out fraud activity)
- Downloader to fetch and install additional malware
Even without leveraging webinjects the way the larger cybercrime operations do, Zeus is still very sophisticated spyware and can be a robust foundation for a cybercriminal's operating infrastructure. It can be used to take over online accounts for email, banking, auction, retail, and payment services, which the hacker needs in order to monetize what has been stolen.
One can locate the specific sample described here using this hash:
One can verify the information about targeting and webinjects given here by using the following RC4 key (256 bytes, shown as hex) to decrypt the configuration data:
3C DB 65 EB A6 26 1A 5D 8F 34 28 51 6D EC 5B E3
1B 85 FF 7B 61 A0 F6 4F F9 77 C3 A5 CB 0E E0 EF
F2 3E 66 52 44 10 C5 70 80 55 64 03 CD 19 8A C4
74 15 AA 40 D9 49 24 3F 41 97 75 56 23 04 B5 4C
FA 6B E8 DA 4A 0C 9F 8E 32 88 B6 2D 07 BE 29 3A
F7 0A A3 14 25 84 E7 F5 87 AF 5E D0 BA E9 93 39
30 47 92 F4 76 53 4E A8 B7 86 BC AE 7D DF 1D ED
AC 2F F0 0B C1 31 E5 37 91 50 B4 83 BB 82 67 BF
21 89 18 72 C7 2B D5 5F 33 CC 3B 5A 09 BD D3 9C
AD 35 B8 9D 60 7F 81 C9 B1 58 62 CA 36 B3 B9 F3
9B 1F 6F 90 1E 8C C0 78 D6 E4 13 D4 D1 68 79 EA
FE 02 69 1C 01 2A 20 0D 9E 6E 17 38 4B 48 42 43
99 73 59 06 DD 54 05 08 F1 8B 7E 12 C2 22 C6 EE
AB 7A 96 DC E6 2E A4 B2 CE 00 C8 0F E1 B0 7C 6A
A7 E2 5C 2C 3D A1 A2 57 6C 63 45 98 46 11 FD A9
8D DE 95 4D FC 27 16 94 9A D8 71 F8 FB D2 CF D7
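The following Python is an added example, not code from the original post or from PhishLabs, showing how a practitioner would use the key above to decrypt a config blob. It assumes, as the Zeus 2.x kits built from the leaked source do, that the 256-byte blob is the already-expanded RC4 permutation (the S-box after key scheduling), so it is used directly as the PRGA state rather than fed through the KSA again; it also assumes the kit's extra byte-chaining step after RC4 (the leaked source's "visual" decrypt), which can be switched off. The plaintext used for the round trip is constructed for the example.

```python
"""Decrypt a Zeus-style RC4-encrypted configuration blob.

Added example (not from the original post). Assumptions:
  * KEY_HEX is the 256-byte RC4 permutation from the post, used as the
    PRGA state directly (Zeus 2.x stores the expanded S-box, not a short key).
  * Zeus 2.x applies a byte-chaining step after RC4 (each byte XORed with
    its predecessor); `chained=False` skips it for plain RC4 data.
"""

# The key as printed in the post (16 rows of 16 bytes).
KEY_HEX = """
3C DB 65 EB A6 26 1A 5D 8F 34 28 51 6D EC 5B E3
1B 85 FF 7B 61 A0 F6 4F F9 77 C3 A5 CB 0E E0 EF
F2 3E 66 52 44 10 C5 70 80 55 64 03 CD 19 8A C4
74 15 AA 40 D9 49 24 3F 41 97 75 56 23 04 B5 4C
FA 6B E8 DA 4A 0C 9F 8E 32 88 B6 2D 07 BE 29 3A
F7 0A A3 14 25 84 E7 F5 87 AF 5E D0 BA E9 93 39
30 47 92 F4 76 53 4E A8 B7 86 BC AE 7D DF 1D ED
AC 2F F0 0B C1 31 E5 37 91 50 B4 83 BB 82 67 BF
21 89 18 72 C7 2B D5 5F 33 CC 3B 5A 09 BD D3 9C
AD 35 B8 9D 60 7F 81 C9 B1 58 62 CA 36 B3 B9 F3
9B 1F 6F 90 1E 8C C0 78 D6 E4 13 D4 D1 68 79 EA
FE 02 69 1C 01 2A 20 0D 9E 6E 17 38 4B 48 42 43
99 73 59 06 DD 54 05 08 F1 8B 7E 12 C2 22 C6 EE
AB 7A 96 DC E6 2E A4 B2 CE 00 C8 0F E1 B0 7C 6A
A7 E2 5C 2C 3D A1 A2 57 6C 63 45 98 46 11 FD A9
8D DE 95 4D FC 27 16 94 9A D8 71 F8 FB D2 CF D7
"""


def parse_key(hex_text: str) -> bytes:
    """Turn the printed hex dump into the 256-byte RC4 state."""
    state = bytes.fromhex("".join(hex_text.split()))
    if len(state) != 256:
        raise ValueError(f"expected 256 bytes of RC4 state, got {len(state)}")
    return state


def is_permutation(state: bytes) -> bool:
    """A genuine RC4 S-box holds every byte value exactly once; a blob that
    fails this check is not an expanded RC4 state and the assumption above
    does not apply to it."""
    return sorted(state) == list(range(256))


def rc4_keystream(state: bytes, length: int) -> bytes:
    """RC4 PRGA run from a pre-computed S-box; the KSA is deliberately skipped."""
    s = bytearray(state)  # work on a copy so the key can be reused
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(state: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(state, len(data))))


def visual_decrypt(data: bytes) -> bytes:
    """Assumed Zeus 2.x post-RC4 step: walking backwards, XOR each byte with
    the (still encrypted) byte before it."""
    buf = bytearray(data)
    for k in range(len(buf) - 1, 0, -1):
        buf[k] ^= buf[k - 1]
    return bytes(buf)


def visual_encrypt(data: bytes) -> bytes:
    """Inverse of visual_decrypt (forward chaining), used to build test data."""
    buf = bytearray(data)
    for k in range(1, len(buf)):
        buf[k] ^= buf[k - 1]
    return bytes(buf)


def decrypt_config(state: bytes, blob: bytes, chained: bool = True) -> bytes:
    plain = rc4_crypt(state, blob)
    return visual_decrypt(plain) if chained else plain


def encrypt_config(state: bytes, plain: bytes, chained: bool = True) -> bytes:
    return rc4_crypt(state, visual_encrypt(plain) if chained else plain)


if __name__ == "__main__":
    key = parse_key(KEY_HEX)
    print("key is a valid RC4 permutation:", is_permutation(key))
    # Constructed sample plaintext, not a real config.
    sample = b"url_config \"http://example.invalid/config.bin\"\x00"
    blob = encrypt_config(key, sample)
    print(decrypt_config(key, blob))
```

For a real sample, read config.bin from disk and pass it to `decrypt_config`; the decrypted output is the kit's binary item list, so the URL strings and webinject targets become visible with `strings`-style inspection. If the output looks wrong, try `chained=False` first, since the chaining step is the part of this that the post itself does not describe.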
The attacker obviously rotates domain names rather quickly to stay ahead of phishing and malware blocklists, many of which are based on domain name or URL because IP addresses can change. In this case, the IP address has been relatively constant (22.214.171.124) since April 2014, and the hostnames change instead. Luckily, the domains appear relatively quickly on sites like the abuse.ch Zeus Tracker. However, those are added after the attacks are underway, and only some organizations implement blocklists based on those types of sources. The fact that the IP address is allocated to a network in the U.S. likely helps the attacker bypass common GeoIP-based detection and blocking tactics as well.
What should you do about it?
Some suggestions that might help in cases associated with this threat:
- Implement a firewall rule that denies any traffic to and from the specific IP address.
- Implement blocking based on IP addresses, domain and host names, and URLs from trackers with high-confidence determinations of malicious activity, or make sure your security vendor's technology supports and uses this feature.
- Use the other general attack characteristics described here to flag email, attachments, and other communications as potentially malicious.
- Report suspected incidents, even if no one fell for the lure.
- Educate users about the scam and include the pictures of the phishing page and browser alert to help train them to recognize the signs of this attack visually.
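As an added example (not from the original post), the Python below applies the blocking and flagging suggestions above to proxy log lines: it matches the C2 hostname, the C2 IP the post gives for that hostname, and the three URL paths the post lists, and it treats the IP as the durable indicator because the post notes that this attacker rotates hostnames while keeping the IP. The log format, the log lines and the rotated hostname `newname.example` are constructed for the example.

```python
"""Flag proxy log lines that touch the indicators from this post.

Added example, not from the original post. Indicator values are the ones
the post lists; the log format and SAMPLE_LOG lines are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

C2_HOSTS = {"janmartinarkema.nl"}           # C2 hostname named in the post
C2_IPS = {"18.104.22.168"}                  # IP the post gives for that host
C2_PATHS = {"/g/30/bot.exe", "/g/30/config.bin", "/g/30/secure.php"}

# Constructed log lines: "<timestamp> <client_ip> <server_ip> <method> <url>".
# 192.0.2.10 / example.com is a benign server; newname.example stands in for
# a rotated C2 hostname that still resolves to the known C2 IP.
SAMPLE_LOG = """\
2014-11-03T09:12:01Z 10.0.0.15 18.104.22.168 GET http://janmartinarkema.nl/g/30/config.bin
2014-11-03T09:12:05Z 10.0.0.15 18.104.22.168 POST http://janmartinarkema.nl/g/30/secure.php
2014-11-03T09:13:44Z 10.0.0.22 192.0.2.10 GET http://example.com/index.html
2014-11-03T09:15:10Z 10.0.0.15 18.104.22.168 GET http://newname.example/g/30/bot.exe
2014-11-03T09:16:02Z 10.0.0.31 192.0.2.10 GET http://example.com/g/30/config.bin
"""


@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    url: str
    reasons: Tuple[str, ...]  # which indicator classes matched


def classify(line: str) -> Tuple[str, ...]:
    """Return the indicator classes ('host', 'ip', 'path') a log line matches."""
    _ts, _client, server, _method, url = line.split()
    parts = urlsplit(url)
    reasons = []
    if parts.hostname in C2_HOSTS:
        reasons.append("host")
    if server in C2_IPS:
        reasons.append("ip")
    if parts.path in C2_PATHS:
        reasons.append("path")
    return tuple(reasons)


def scan(log_text: str) -> List[Hit]:
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            fields = line.split()
            hits.append(Hit(n, fields[1], fields[4], reasons))
    return hits


def infected_clients(hits: List[Hit]) -> List[str]:
    """Clients that reached the C2 by hostname or IP. A path-only match is
    kept as a hit for review but is not enough on its own, because the kit's
    default URL layout can appear on unrelated servers."""
    return sorted({h.client for h in hits if "host" in h.reasons or "ip" in h.reasons})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.url} [{', '.join(hit.reasons)}]")
    print("clients to isolate:", infected_clients(scan(SAMPLE_LOG)))
```

Line 4 of the sample is the case the post's last suggestion is about: the hostname is new and not yet on any tracker, but the server IP has not changed, so an IP-based rule still catches it. Line 5 shows why a path match alone is only a lead, not a verdict.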