Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign
04 Jun 2013
It's a workday, so I can't post much; please bear with the short analysis below. But today I couldn't get rid of my curiosity after reading Mr. Conrad Longmore's newest post on the Dynamoo Blog (nice report!) about the malvertisement with an encrypted/passworded zip attachment (here's the link -->>[Dynamoo Blog]). I was lucky to have a similar sample, dated today, in my honeypot as per the following snapshot, and just couldn't help taking a look into it.
The email header shows the spambot signatures:
Date: Mon, 3 Jun 2013 09:45:57 -0800
From: "Fiserv Secure Notification"
User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1"
MIME-Version: 1.0
And the passworded archive as the attachment, like the snapshot below:
Filling in the provided information leads you to the sample here -->>[VirusTotal]
This time it looks like VirusTotal only ran a limited behaviour analysis on the sample, so I decided to check it myself.
I renamed the malicious attachment to sample2.exe and ran it; as seen in the decrypted binary code, it connected to the Pony gateways below:
h00p://116.122.158.195:8080/ponyb/gate.php
h00p://nourrirnotremonde.org/ponyb/gate.php
h00p://zoecopenhagen.com/ponyb/gate.php
h00p://goldenstatewealth.com/ponyb/gate.php
OK, it is a Pony trojan, a credential stealer and downloader. It downloaded other malware from the URL set below (you have to dig into the binaries to find these too); later on I learned it is Zbot:
h00p://www.netnet-viaggi.it/2L6L.exe
h00p://190.147.81.28/yqRSQ.exe
h00p://paulcblake.com/ngY.exe
h00p://207.204.5.170/PXVYGJx.exe
After the downloads, the process list looks like this:
With some successful download logs I recorded (for evidence purposes):
--2013-06-04 17:40:46-- h00p://190.147.81.28/yqRSQ.exe
Connecting to 190.147.81.28:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `yqRSQ.exe'
100%[=====================>] 305,664 95.4K/s in 3.1s
2013-06-04 17:40:51 (95.4 KB/s) - `yqRSQ.exe' saved [305664/305664]
--2013-06-04 17:40:59-- h00p://paulcblake.com/ngY.exe
Resolving paulcblake.com... 74.54.147.146
Connecting to paulcblake.com|74.54.147.146|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `ngY.exe'
100%[=====================>] 305,664 144K/s in 2.1s
2013-06-04 17:41:02 (144 KB/s) - `ngY.exe' saved [305664/305664]
--2013-06-04 17:41:15-- h00p://207.204.5.170/PXVYGJx.exe
Connecting to 207.204.5.170:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `PXVYGJx.exe'
100%[=====================>] 305,664 109K/s in 2.7s
2013-06-04 17:41:18 (109 KB/s) - `PXVYGJx.exe' saved [305664/305664]
And then the daemonized Pony malware started:
You'll see the self-copy traces of the original malware (Pony) and of the downloaded one, saved in %Temp% and %AppData% as per the snapshot below; note the randomized file names and the fake dates:
So we actually have two malwares in this case: the attached file is the ZeuS-based PWS/Pony botnet agent, which downloads the trojan PWS/Stealer. Let's break them down one by one.
The Pony
The binary is compressed with aPLib v1.01; the traces are here:
aPLib v1.01 - the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
It checked some basic info on your system ("System Data.."):
GetNativeSystemInfo
IsWow64Process
HWID
"... and User's Data"
My Documents
AppData
Local AppData
Cache
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
[...]
Then it tried to grab your FTP software, browser, email, terminal server and file sharing credential data, as I pasted on pastebin here -->>[Pastebin]
It even attempted to access Facebook-related data. The code was readable :-)
xthpt/:w/wwf.cabeoo.koc/m
// Means:
http://www.facebook.com/
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
HTTP/1.0 POST communication's header, decoded:
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
HTTP/1.0 GET communication's header, decoded:
GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s
Strings for logins :-)
diamond jason scooby thomas maxwell whatever cheese asdf
hope internet joseph blink182 justin god sunshine banana
maggie mustdie genesis jasmine james password christ gates
maverick john forum purple chicken blessing soccer flower
online letmein emmanuel test danielle snoopy qwerty1 taylor
spirit mike cassie angels iloveyou2 1q2w3e4r friend lovely
george knight victory grace fuckoff cookie summer hannah
friends jordan23 passw0rd hello prince chelsea merlin princess
dallas abc123 foobar poop junior pokemon phpbb compaq
adidas red123 ilovegod blessed rainbow hahaha jordan jennifer
1q2w3e praise nathan heaven fuckyou1 aaaaaa saved myspace1
orange freedom blabla hunter nintendo hardcore dexter smokey
testtest jesus1 digital pepper peanut shadow viper matthew
asshole london peaches john316 none welcome winner harley
apple computer football1 cool church mustang sparky rotimi
biteme microsoft power buster bubbles bailey windows fuckyou
william muffin thunder andrew robert blahblah 123abc soccer1
mickey qwert gateway faith destiny matrix lucky single
asdfgh mother iloveyou! ginger loving jessica anthony joshua
wisdom master football hockey gfhjkm stella jesus green
batman qazwsx tigger hello1 mylove benjamin ghbdtn 123qwe
michelle samuel corvette angel1 jasper testing admin starwars
david canada angel superman hallo secret hotdog love
eminem slayer killer enter cocacola trinity baseball silver
scooter rachel creative daniel helpme richard password1 austin
asdfasdf onelove google forever nicole peace dragon michael
sammy qwerty zxcvbnm nothing guitar shalom trustno1 amanda
baby prayer startrek dakota billgates monkey chris charlie
samantha iloveyou1 ashley kitten looking iloveyou happy bandit
Some PoC of request vs response of this binary's networking:
Client Hash
STATUS-IMPORT-OK
Malicious WSA-based botnet calls used:
gethostbyname
socket
connect
closesocket
send
select
recv
setsockopt
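The POST/GET header templates and the hard-coded User-Agent recovered from the Pony binary above are enough to write a simple gate-traffic detector for a proxy log or a packet capture. This is an added example, not code from the post; the sample requests are constructed for the demo, and the indicator names and the three-hit threshold are my own choices.

```python
import re

# Constructed sample requests (not captures from the post). The first follows the
# POST template strings found in the Pony binary above; the other two are ordinary
# requests that share a header or two but are not gate beacons.
SAMPLE_REQUESTS = [
    "POST /ponyb/gate.php HTTP/1.0\r\nHost: 116.122.158.195:8080\r\nAccept: */*\r\n"
    "Accept-Encoding: identity, *;q=0\r\nAccept-Language: en-US\r\nContent-Length: 412\r\n"
    "Content-Type: application/octet-stream\r\nConnection: close\r\n"
    "Content-Encoding: binary\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)\r\n\r\n",
    "POST /api/upload HTTP/1.1\r\nHost: files.example.test\r\n"
    "Content-Type: application/octet-stream\r\nContent-Length: 412\r\n"
    "Connection: keep-alive\r\nUser-Agent: curl/7.30.0\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nAccept: */*\r\n\r\n",
]

PONY_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"  # from the binary


def parse_request(raw):
    """Split a raw HTTP request head into (method, path, version, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def pony_indicators(raw):
    """Return the Pony gate-traffic traits a request shows (empty list if none)."""
    method, path, version, h = parse_request(raw)
    hits = []
    if method == "POST" and version == "HTTP/1.0":
        hits.append("post-http10")             # template still speaks HTTP/1.0
    if (h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding") == "binary"):
        hits.append("binary-octet-stream")     # binary body, as in the template
    if h.get("accept-encoding") == "identity, *;q=0":
        hits.append("accept-encoding-identity")
    if h.get("user-agent") == PONY_UA:
        hits.append("pony-user-agent")
    if re.search(r"/gate\.php$", path):
        hits.append("gate-php-path")           # /ponyb/gate.php in this sample
    return hits


def is_pony_beacon(raw, min_hits=3):
    # Require several traits together so a lone octet-stream upload is not flagged.
    return len(pony_indicators(raw)) >= min_hits
```

A single trait such as an octet-stream POST is common in legitimate traffic, which is why the verdict requires several of them at once.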
The Stealer is... Trojan ZeuS Botnet Agent (Zbot)
I analyzed a sample like this from the recent popular malvertisement campaign, as I pasted here -->>[Pastebin]. This one is of the same kind, with the highlights below:
Process injection target:
Usual strings:
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
Encoding ROT traces:
bancline
fidelity
micrsolv
bankman
vantiv
episys
jack henry
cruisenet
gplusmain
abcdefghijklmnopqrstuvwxyz
^_`abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
Botnet connectivity by HTTP/1.1, also as per the previous sample:
GET
HTTP/1.1
Connection: Close
Authorization
Basic
GET
POST
div
script
nbsp;
connection
proxy-connection
content-length
transfer-encoding
upgrade
chunked
keep-alive
close
Botnet commands:
DELETE
HEAD
PUT
CONNECT
OPTIONS
TRACE
COPY
LOCK
MKCOL
MOVE
PROPFIND
PROPPATCH
SEARCH
UNLOCK
REPORT
MKACTIVITY
CHECKOUT
MERGE
M-SEARCH
NOTIFY
SUBSCRIBE
UNSUBSCRIBE
PATCH
PURGE
Here's the VT detection ratio for the Zbot; it is too darn low:
URL is here -->>[VirusTotal]
SHA256:40b4fa7433319d2b4d2fc8e8265547665e6492d3d64d0ecc2b30108b8d732a1c
SHA1: 4f3fda6c688c11a2a15bf88fb1ff005dc0045324
MD5: aa8463f91cd44a436d2468b33c2cafbb
File size: 298.5 KB ( 305664 bytes )
File name: PXVYGJx.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 2 / 47
Analysis date: 2013-06-04 08:46:46 UTC ( 2 hours, 55 minutes ago )
Fortinet : W32/Kryptik.AGAJ!tr
McAfee-GW-Edition : Heuristic.LooksLike.Win32.Suspicious.B
Overall Network Analysis (to aim at the CnC)
This infection set generates outbound traffic like this:
which shows the Zbot trojan downloader hosts below:
With the unique DNS requests as below:
Incoming UDP to local port 25916 was detected from the IPs below:
81.133.189.232
95.234.169.221
211.209.241.213
63.85.81.254
108.215.44.142
142.136.161.103
PoC:
This is the source information:
Additionally, this is how our data got sent to the Pony panels:
Samples
The sample is shared for research purposes and to raise the detection ratio.
Download is here -->>[MediaFire]
Additional
Another Zeus P2P (79e5ee6dd3bedc56adf1c7590a9487b5) dropped by 0abc65c2be51b33d479c05b10fc10586 (cc @malwaremustdie) twitter.com/Jipe_/status/3…
— Jean-Philippe (@Jipe_) June 5, 2013
#MalwareMustDie!