In the past, we reported about the emergence of malware based on the leaked ZeuS code such as Ice IX and ZeuS 2.3.2.0. The usage of the leaked code continued on since then and has resulted in attacks such as the one I’m about to share on.

My colleagues and I have been monitoring another new ZeuS version since the latter part of September, one that we believe is also based on the leaked ZeuS source code. Although this new ZeuS variant seems to have no reference in its code as to its version number, we believe it was developed by the same gang behind LICAT.

This new version, which Trend Micro detects as TSPY_ZBOT.SMQH, spread around late September through spam that claimed to be from the Australian Taxation Office (ATO). The spammed messages contained a malicious link that when clicked directed users to a malicious website that served the BlackHole Exploit Kit. The exploit kit, in turn, downloads a variant of the new ZeuS version.

Unlike earlier ZeuS versions that used HTTP to download the configuration file, this version opens a random UDP port and accesses a hardcoded list of IP addresses to download the configuration file.

TSPY_ZBOT.SMQH establishes a connection with the server by sending encrypted data that contains the bot ID and a stream of characters. Each IP address in the hardcoded list has a corresponding stream of characters that the server seems to check to validate the communication.

If any of the IP addresses is alive, it will reply with the encrypted configuration file via TCP.

Decrypting the Configuration File

Once the configuration file is downloaded, TSPY_ZBOT.SMQH will employ the following decryption algorithm for its configuration file:

As we can see, unlike ZeuS 2.3.2.0, which uses Advanced Encryption Standard (AES), the decryption algorithm did not change much compared with the modified ZeuS 2, which uses RC4.

As I mentioned earlier, like LICAT and ZeuS 2.3.2.0, this new variant also seems to be crafted by a private professional gang, probably the same ones who created LICAT or who may be affiliated with them at the very least. In fact, the configuration file for TSPY_ZBOT.SMQH has the same format as that of the configuration file of LICAT.

Although the spammed messages only targeted Australian users, the contents of the decrypted configuration file suggest that it may be used in a global campaign, including runs in the United States as well as in European and Asian countries.

We will continuously monitor this threat and other variants that will emerge in the future.

Thanks to Mark Dixon of Westpac Bank of Australia for providing samples of the related malware and spam.