We encountered another LICAT variant that is spreading via fake Internal Revenue Service (IRS) spam to people from specific organizations, including Trend Micro. As you may recall, LICAT is known for using the dynamic domain generation algorithm (DGA) technique.
The spammed message informs recipients about a certain issue with regard to their tax payments. It contains a link that supposedly leads to the recipients’ tax reviews. Once users click the link, they will be prompted to download an executable file, which, when executed, installs the malware now detected as TSPY_ZBOT.WHZ in their systems.
Like any other LICAT variant, TSPY_ZBOT.WHZ generates URLs using a computation based on the current date. TSPY_ZBOT.WHZ connects to dynamically generated URLs in order to download its configuration file, which contains information on the sites that it will monitor as well as on the site to which it will send stolen information. This malware also appears to concentrate on the typical ZBOT routines that involve information theft and uses the DGA technique to evade blocking by antivirus products.
Unfortunately, this is certainly not the last of LICAT malware. Fellow Trend Micro engineer Roland Dela Paz commented that after the ZeuS’s source code leakage, “we have been seeing the LICAT Gang’s (aka the ZeuS 126.96.36.199 Gang) persistence. So far, they are one, if not the only one, of the cybercriminal groups that are actually able to work with and to update the leaked source code. We should definitely keep an eye on the bad guys behind this. I don’t expect them to leave the cybercriminal scene anytime soon.”
Trend Micro engineer Jasper Manuel, commented that this may indeed be the case, as “uploaded LICAT-related binaries on ZeuS Tracker suggest that LICAT variants are coming from a specific cybercriminal gang. Most of the samples appear to have similar resources (file version information).” The LICAT Gang also appears to be seriously investing in ZeuS. Manuel observed that recent variants “have different structures in terms of decryption function so these can become more resilient from automated detection, which extracts decryption keys from infected systems’ memory. All things considered, it seems that we are already starting to see the consequences of the source code’s leakage.”
The Trend Micro™ Smart Protection Network™ provides users multilayered protection from this threat through the Email Reputation Technology, which prevents the spammed messages from reaching users’ inboxes; the Web Reputation Technology, which blocks access to all of the related malicious URLs, including domains that have been dynamically generated by the malicious file; and the File Reputation Technology, which detects and prevents TSPY_ZBOT.WHZ from executing.
For more information on LICAT and the DGA technique it uses, check out our white paper, “File-Patching ZBOT Variants: ZeuS 2.0 Levels Up.”