How Spammers Are Filling the Gameover Zeus Void

Posted by Brendan Griffin

Mon, Jul 7, '14

Spammers are filling the Gameover Zeus void by deploying other malware families, many of them threats that have not previously used spam email as their distribution vector.

Malcovery’s analysts identified one such threat on June 18, 2014. The new malware was distributed using several common spam email templates associated with the notorious Cutwail spamming botnet. The attacker also used a more sophisticated vector: a PDF document designed to silently download and install a first-stage botnet malware, which was in turn used to deliver the new malware. That first stage is a loader; its job is to sneak further binaries past defenses and run them inside an environment that is already compromised.

The PDF fetched its payload from stat-bdm [dot] com/res/123.exe; that binary communicated with a command and control server at disk57 [dot] com, a malicious location Malcovery had noted two days earlier. That first fetched file was not the end of the infection chain, however. The attacker used it to sneak one more malicious binary past defenses and execute it within the already-infected environment.

This second file is what matters most to the attacker. All the effort put into evading detection is aimed at getting this one binary onto victims’ machines. One lesson from watching how malware distributors infect victims is that they are always most careful with what is most valuable to them, the component that earns the most for their effort: the payload.

That payload was a new banking trojan that combines the most dangerous capabilities of other successful banking trojans in a new way. It exhibited functionality known from the Papras malware as well as a suite of web injects reminiscent of several other banking trojans. These components are stored in an encrypted binary file on the infected file system, rather than hidden in less accessible places.

The malware loaded this data into key processes such as web browsers and even Windows Explorer, giving it access to private information as the user handles it. Browser hooking let the malware deploy its credential-stealing content: “identity verification” phishing forms fraudulently injected into web pages as victims log in to online banking services. The malware can also collect passwords and other private information from applications installed on the infected machine and, disturbingly, shows evidence of giving attackers VNC (Virtual Network Computing) access to infected machines, which amounts to complete remote control of the victim’s computer.

All of these capabilities (web injection with browser hooking, backdoor access to private information stored on the machine, and a remote access tool giving attackers complete control of the victim’s machine) are common tools malware writers use to give criminals access to our private information, but they are rarely bundled together in a single multi-purpose crimeware package. At the time Malcovery identified this new trojan, only a handful of antivirus vendors flagged it as malicious, and those detections relied mostly on non-specific heuristic signatures; a clean scan at that point was therefore not evidence of a clean host.

This malware was observed again on July 2, 2014, using the domains memcda [dot] net and memcda [dot] com as command and control hosts receiving information stolen from infected machines. The second of these domains was hosted on the IP address 146.185.233[.]150, which passive DNS shows also hosting the domain dnakgk [dot] com [dot] tw. That domain was registered with the email address aster(at)gmail.com, an address CERT Luxembourg had identified as the registrant of a number of other .com.tw domains used as command and control hosts for a variant of Backdoor.Snifula, an information-stealing trojan with a long and storied history.

This shared registrant email is a stronger link than a shared IP address alone (many unrelated domains can sit on one host), and it may point to a connection between the actors behind malware that would otherwise appear only tangentially related through similar indicators. It is also another case in which threat intelligence provides the context needed to understand a dangerous emerging threat.
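The pivot above (seed domain, to hosting IP, to co-hosted domain, to registrant email, to other domains under that registrant) is the kind of thing an analyst repeats for every new indicator. The script below is an added example, not Malcovery’s code: it refangs indicators written the way the post writes them, then walks constructed passive-DNS and WHOIS rows from a seed domain. Rows marked "from post" carry the indicators quoted above; every other row, the hostname hypothetical-1 [dot] com [dot] tw, and the shared-hosting threshold are assumptions made for the illustration. A real run would pull the rows from a passive-DNS and WHOIS provider.

```python
"""Infrastructure pivot: refang defanged indicators, then walk passive-DNS
and WHOIS relationships from a seed domain.

Added example, not Malcovery's code. Rows marked "from post" carry the
indicators quoted in the article; every other row is hypothetical filler.
"""
import re
from collections import deque

# --- refanging -------------------------------------------------------------

_DOT = re.compile(r"\s*(?:\[\s*dot\s*\]|\(\s*dot\s*\)|\[\.\]|\(\.\))\s*", re.I)
_AT = re.compile(r"\s*(?:\[\s*at\s*\]|\(\s*at\s*\))\s*", re.I)


def refang(ioc: str) -> str:
    """Turn '146.185.233[.]150', 'memcda [dot] com' or 'aster(at)gmail.com'
    back into a form you can look up or match against logs."""
    ioc = _DOT.sub(".", ioc)
    ioc = _AT.sub("@", ioc)
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.I)
    return ioc.strip().lower()


# --- constructed data (defanged, as copied from a report) -------------------

# (domain, resolved IP)
PASSIVE_DNS = [
    ("memcda [dot] com", "146.185.233[.]150"),           # from post
    ("dnakgk [dot] com [dot] tw", "146.185.233[.]150"),  # from post
    ("unrelated [dot] example", "203.0.113[.]9"),        # hypothetical
]

# (domain, registrant email)
WHOIS = [
    ("dnakgk [dot] com [dot] tw", "aster(at)gmail.com"),          # from post
    ("hypothetical-1 [dot] com [dot] tw", "aster(at)gmail.com"),  # hypothetical stand-in
    ("unrelated [dot] example", "owner(at)example.org"),          # hypothetical
]


# --- graph and pivot -------------------------------------------------------

def build_graph(pdns, whois, max_domains_per_ip=25):
    """Undirected graph over ("domain"|"ip"|"email", value) nodes.

    An IP fronting more than max_domains_per_ip names is treated as shared
    hosting and contributes no edges: co-location there says nothing about a
    shared operator. The threshold is a heuristic assumed for this example.
    """
    graph = {}

    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    by_ip = {}
    for domain, ip in pdns:
        by_ip.setdefault(refang(ip), set()).add(refang(domain))
    for ip, domains in by_ip.items():
        if len(domains) > max_domains_per_ip:
            continue
        for domain in domains:
            link(("domain", domain), ("ip", ip))
    for domain, email in whois:
        link(("domain", refang(domain)), ("email", refang(email)))
    return graph


def pivot(graph, seed, max_hops=4):
    """Breadth-first walk from a seed domain; returns {node: path from seed}."""
    start = ("domain", refang(seed))
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if len(paths[node]) - 1 >= max_hops:
            continue
        for neighbour in graph.get(node, ()):
            if neighbour not in paths:
                paths[neighbour] = paths[node] + [neighbour]
                queue.append(neighbour)
    return paths


def related_domains(graph, seed, max_hops=4):
    """Domains reachable from the seed, each with the chain of pivots that
    reached it, e.g. domain -> ip -> domain -> email -> domain."""
    return {
        value: " -> ".join(f"{kind}:{val}" for kind, val in path)
        for (kind, value), path in pivot(graph, seed, max_hops).items()
        if kind == "domain" and value != refang(seed)
    }


if __name__ == "__main__":
    g = build_graph(PASSIVE_DNS, WHOIS)
    for domain, chain in sorted(related_domains(g, "memcda [dot] com").items()):
        print(f"{domain}\n    {chain}")
```

Two things worth keeping from this shape: the path returned with each hit records which relationship produced the link, so a reviewer can see that a domain was reached through a registrant email rather than only a shared IP; and lowering `max_hops` or `max_domains_per_ip` is how you keep a pivot from wandering onto a hosting provider's entire customer base.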

Only the malware writers know what is coming next, but Malcovery’s threat intelligence can give you the edge before it reaches you.

Topics: Malware
