With ZeuS’s source code leakage, we expected more cybercriminals to craft their own HTTP-controlled bots based on ZeuS.
Last week, we started to see the first generation of modified ZeuS variants called Ice IX, based on the said source code. According to the seller’s post on underground forums, one of Ice IX’s main selling points is protection from trackers. Its configuration file cannot be downloaded and analyzed if the request is not from the bot as well although this was not the case.
We recently received another updated variant detected as TSPY_ZBOT.IMQU that we can say belongs to this new generation of ZeuS variants. From its code, this sample is possibly generated by ZeuS version 18.104.22.168.
We believe this is a private version of a modified ZeuS version created by a private professional gang comparable to that responsible for LICAT. Even though we have yet to see someone sell this new toolkit version on underground forums, we expect to see more similar variants in the not-so-distant future.
Unlike Ice IX, this version proved that current trackers may fail to decrypt its configuration file due to its updated encryption/decryption routine. The download method used for the configuration file is similar to ZeuS 2.o variants but this variant does not use RC4 encryption algorithm. Instead, it uses an updated encryption/decryption algorithm that we are still in the process of analyzing.
The builder of earlier ZeuS 2.0 versions has the capability to check bot information and to uninstall bots.
The builder does this by calling the hooked API GetFileAttributesExW. If a system has been infected by ZeuS, calling this API via a specific parameter returns bot information, which includes the bot’s name and version as well as a pointer to a function that will uninstall the bot.
Antivirus software may utilize this function to identify ZeuS bot information and to automatically clean ZeuS infections. However, this new ZeuS version also updated this functionality and removed the pointer to the bot uninstall function, thus eliminating opportunities for antivirus software to utilize this function.
It is also worth mentioning that this malware targets a wide selection of financial firms, including those in the United States, Spain, Brazil, Germany, Belgium, France, Italy, Ireland, etc. More interestingly, it targets HSBC Hong Kong, which suggests that this new ZeuS variant may be used in a global campaign, including Asian countries.
The emergence of these latest ZeuS variants clearly implies that ZeuS is still a very profitable piece of malware and that cybercriminals are continuously investing in the leaked source code. As always, we will continuously monitor this threat.
Thanks to Threat Research Manager Ivan Macalintal for initially bringing this new ZeuS variant to our attention.
Additional text from Roland Dela Paz