In the past, we reported about the emergence of malware based on the leaked ZeuS code such as Ice IX and ZeuS 220.127.116.11. The usage of the leaked code continued on since then and has resulted in attacks such as the one I’m about to share on.
My colleagues and I have been monitoring another new ZeuS version since the latter part of September, one that we believe is also based on the leaked ZeuS source code. Although this new ZeuS variant seems to have no reference in its code as to its version number, we believe it was developed by the same gang behind LICAT.
This new version, which Trend Micro detects as TSPY_ZBOT.SMQH, spread around late September through spam that claimed to be from the Australian Taxation Office (ATO). The spammed messages contained a malicious link that when clicked directed users to a malicious website that served the BlackHole Exploit Kit. The exploit kit, in turn, downloads a variant of the new ZeuS version.
Unlike earlier ZeuS versions that used HTTP to download the configuration file, this version opens a random UDP port and accesses a hardcoded list of IP addresses to download the configuration file.