Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign

04 Jun 2013 Is a workdays so I can not post much so please bear with the below short analysis. But today I can't get rid of my curiosity when reading Mr. Conrad Longmore's newest post on Dynamoo Blog (nice report!) about the malvertisement with encrypted/passworded zip attachment (here's the link -->>[Dynamoo Blog]).
I got lucky to have the similar sample by today's date in my honeypot as per following snapshot and just can't help to take a look into it..

The email header shows the spambot signatures:

Date: Mon, 3 Jun 2013 09:45:57 -0800
From: "Fiserv Secure Notification" 
User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1"
MIME-Version: 1.0

And the passworded archive as attachment like the below snapshot:

And by filling the provided information will lead you to the sample here-->>[VirusTotal]
This time it looks like Virus Total was making limited behavior analysis on the sample so I decided to check it myself.

I renamed the malicious attachment with the filename sample2.exe and runs it, as per seen in the decrypt binary code it connected to the below pony gateways:

h00p://116.122.158.195:8080/ponyb/gate.php
h00p://nourrirnotremonde.org/ponyb/gate.php
h00p://zoecopenhagen.com/ponyb/gate.php
h00p://goldenstatewealth.com/ponyb/gate.php

OK, is a pony trojan, a credential stealer & downloader. It downloaded other malwares from th ebelow url set (gotta hack the bins to know these too), later on I know is Zbot:

h00p://www.netnet-viaggi.it/2L6L.exe
h00p://190.147.81.28/yqRSQ.exe
h00p://paulcblake.com/ngY.exe
h00p://207.204.5.170/PXVYGJx.exe

The processes after downloading is becoming like:

With some successful downloaded logs I recorded (for evidence purpose):

--2013-06-04 17:40:46--  h00p://190.147.81.28/yqRSQ.exe
Connecting to 190.147.81.28:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `yqRSQ.exe'
100%[=====================>] 305,664     95.4K/s   in 3.1s
2013-06-04 17:40:51 (95.4 KB/s) - `yqRSQ.exe' saved [305664/305664]

--2013-06-04 17:40:59--  h00p://paulcblake.com/ngY.exe
Resolving paulcblake.com... 74.54.147.146
Connecting to paulcblake.com|74.54.147.146|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `ngY.exe'
100%[=====================>] 305,664      144K/s   in 2.1s
2013-06-04 17:41:02 (144 KB/s) - `ngY.exe' saved [305664/305664]

--2013-06-04 17:41:15--  h00p://207.204.5.170/PXVYGJx.exe
Connecting to 207.204.5.170:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `PXVYGJx.exe'
100%[=====================>] 305,664      109K/s   in 2.7s
2013-06-04 17:41:18 (109 KB/s) - `PXVYGJx.exe' saved [305664/305664]

And then the daemonized of pony malware started:

You'll see the self-copied traces on the original malware (pony) and the downloaded one saved in the %Temp% and %AppData% as per below snapshot, noted the randomized in file names and the fake dates:

So we have actually two malwares in this case, the attached file is ZeuS-based PWS/pony botnet agent which downloading the trojan PWS/Stealer. Let's break it down one by one.

The Pony

The binary is compressed by aPLib v1.01, traces is here:

aPLib v1.01  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/

It checked some basic info on your system "System Data.."

GetNativeSystemInfo
IsWow64Process
HWID

"... and User's Data"
My Documents
AppData
Local AppData
Cache
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
[...]

Then tried to grab your FTP Softwares, Browsers, Email, Terminal server, File sharing credential data like as per I pasted in pastebin here -->>[Pastebin]

Even attempt on accessing the facebook related data。The code was readable :-)

xthpt/:w/wwf.cabeoo.koc/m
// Means:
http://www.facebook.com/

HTTP/1.0 POST communication's header decoded:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:

HTTP/1,0 GET communication's header coded:

GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s

String for logins :-)

diamond        jason          scooby         thomas     maxwell        whatever       cheese         asdf    
hope           internet       joseph         blink182   justin         god            sunshine       banana  
maggie         mustdie        genesis        jasmine    james          password       christ         gates   
maverick       john           forum          purple     chicken        blessing       soccer         flower  
online         letmein        emmanuel       test       danielle       snoopy         qwerty1        taylor  
spirit         mike           cassie         angels     iloveyou2      1q2w3e4r       friend         lovely  
george         knight         victory        grace      fuckoff        cookie         summer         hannah  
friends        jordan23       passw0rd       hello      prince         chelsea        merlin         princess
dallas         abc123         foobar         poop       junior         pokemon        phpbb          compaq  
adidas         red123         ilovegod       blessed    rainbow        hahaha         jordan         jennifer
1q2w3e         praise         nathan         heaven     fuckyou1       aaaaaa         saved          myspace1
orange         freedom        blabla         hunter     nintendo       hardcore       dexter         smokey  
testtest       jesus1         digital        pepper     peanut         shadow         viper          matthew 
asshole        london         peaches        john316    none           welcome        winner         harley  
apple          computer       football1      cool       church         mustang        sparky         rotimi  
biteme         microsoft      power          buster     bubbles        bailey         windows        fuckyou 
william        muffin         thunder        andrew     robert         blahblah       123abc         soccer1 
mickey         qwert          gateway        faith      destiny        matrix         lucky          single  
asdfgh         mother         iloveyou!      ginger     loving         jessica        anthony        joshua  
wisdom         master         football       hockey     gfhjkm         stella         jesus          green   
batman         qazwsx         tigger         hello1     mylove         benjamin       ghbdtn         123qwe  
michelle       samuel         corvette       angel1     jasper         testing        admin          starwars
david          canada         angel          superman   hallo          secret         hotdog         love    
eminem         slayer         killer         enter      cocacola       trinity        baseball       silver  
scooter        rachel         creative       daniel     helpme         richard        password1      austin  
asdfasdf       onelove        google         forever    nicole         peace          dragon         michael 
sammy          qwerty         zxcvbnm        nothing    guitar         shalom         trustno1       amanda  
baby           prayer         startrek       dakota     billgates      monkey         chris          charlie 
samantha       iloveyou1      ashley         kitten     looking        iloveyou       happy          bandit  

Malicious WSA base botnets calls used:

Client Hash
STATUS-IMPORT-OK
gethostbyname
socket
connect
closesocket
send
select
recv
setsockopt

Some PoC of request vs response of this binary's networking:

The Stealer is... Trojan ZeuS Botnet Agent (Zbot)

I analyzed sample like this in the recent popular malvertisement campaign like I pasted it here -->>[Pastebin]. This one is one of the kind, with the below highlights:

Process injection target:

launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe

Usual strings:

bancline
fidelity
micrsolv
bankman
vantiv
episys
jack henry
cruisenet
gplusmain

Encoding ROT traces:

abcdefghijklmnopqrstuvwxyz
^_`abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~

Botnet connectivity by HTTP/1.1, also as per previous sample's has:

GET
HTTP/1.1
Connection: Close
Authorization
Basic 
GET 
POST 
div
script
nbsp;
connection
proxy-connection
content-length
transfer-encoding
upgrade
chunked
keep-alive
close

Botnet commands:

DELETE
HEAD
PUT
CONNECT
OPTIONS
TRACE
COPY
LOCK
MKCOL
MOVE
PROPFIND
PROPPATCH
SEARCH
UNLOCK
REPORT
MKACTIVITY
CHECKOUT
MERGE
M-SEARCH
NOTIFY
SUBSCRIBE
UNSUBSCRIBE
PATCH
PURGE

Here's the VT's detection ratio for the zbot, is too darn low:
URL is here -->>[VirusTotal]

SHA256:40b4fa7433319d2b4d2fc8e8265547665e6492d3d64d0ecc2b30108b8d732a1c
SHA1: 4f3fda6c688c11a2a15bf88fb1ff005dc0045324
MD5: aa8463f91cd44a436d2468b33c2cafbb
File size: 298.5 KB ( 305664 bytes )
File name: PXVYGJx.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 2 / 47
Analysis date: 2013-06-04 08:46:46 UTC ( 2 hours, 55 minutes ago )

Fortinet                 : W32/Kryptik.AGAJ!tr
McAfee-GW-Edition        : Heuristic.LooksLike.Win32.Suspicious.B

Overall Network Analysis (To aim CnC)

A set of this infection will make an outbound traffic like this:
Which is showing the Zbot trojan downloader hosts below:

With the unique DNS requests as below:

Incoming UDP via local port 25916 are detected from below IP:

81.133.189.232
95.234.169.221
211.209.241.213
63.85.81.254
108.215.44.142
142.136.161.103

PoC:

These are the source information:
Additionally, this is how our data got sent to the pony panels:

Samples

The sample is shared for the research purpose and raising the detection ratio.

Download is here -->>[MediaFire]

Additional

Another Zeus P2P (79e5ee6dd3bedc56adf1c7590a9487b5) dropped by 0abc65c2be51b33d479c05b10fc10586 (cc @malwaremustdie) twitter.com/Jipe_/status/3…

— Jean-Philippe (@Jipe_) June 5, 2013

#MalwareMustDie!