Recently, I received a phishing e-mail with a .doc attachment. Using nothing more than the usual tools, notepad++ among them, I stripped away the ZeuS Trojan's camouflage layer by layer and carried out a thorough static analysis. The Trojan's camouflage relies on several key techniques, such as information hiding and encryption/decryption.
The Trojan carries out many different malicious behaviours depending on the name under which it runs. At the time of testing, none of the common domestic anti-virus products detected it, and the MD5 hashes of several variants had even been added to the whitelists of various security products, which causes their active defence to fail.
When I ran the sample in a virtual machine, the attachment did not behave as expected. However, after extracting and decoding its shellcode, I recognised a familiar piece of malware that had been circulating for some time.
In the message headers, the originating IP address is 212.154.192.150. The Reply-To field is also interesting, because it belongs to a long-running 419 scam gang. The e-mail address alone tells us that the attachment is most likely malware.
However, the test system had more than 45 GB of free disk space and 2 GB of memory, so the "insufficient space" error the sample produced could not be the real cause. To check, I raised the memory to 8 GB, but the same error persisted. So I decided to look at the attachment from a static-analysis angle instead.
As usual, I opened the file in notepad++ to get a rough idea of what it is. It turned out to be an .rtf file disguised as a .doc file, and the contents of .rtf files are very easy to obfuscate.
In the .rtf file, a large block of data representing hexadecimal bytes probably holds the clues to what the file is trying to do; the RTF format gives attackers great freedom to hide and encode data in such a block.
At the end of this block, however, we see the bytes "FF D9", which are also the last two bytes of a GIF file.
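To make the hex-block observation concrete, here is an added example (my own code, not from the article): it pulls every long run of hex pairs out of an RTF, decodes it to raw bytes, and reports byte patterns a triage analyst would want flagged. FF D9 is the JPEG end-of-image marker, so the trailer check looks for that; GIF, MZ (PE) and OLE headers are included as a generalisation beyond the article's single case. The RTF document, hostnames and offsets are constructed for the example.

```python
import re

# Constructed sample RTF (not the phishing attachment from the article): a minimal
# document with one hex-encoded \objdata block.  The block carries a JPEG-style
# header (FF D8 FF E0 ... "JFIF"), a stray "MZ" inside, and ends with FF D9.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}"
    rb"{\*\objdata 0105000002000000"
    rb"ffd8ffe000104a46494600"
    rb"4d5a90000300"
    rb"ffd9}"
    rb"\par Please see the attached invoice.}"
)

# A run of at least 16 hex byte pairs, optionally separated by whitespace/newlines.
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){16,}")

# Byte patterns worth reporting when they appear inside a decoded hex block.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG header (FF D8 FF)",
    b"\xff\xd9": "JPEG end-of-image trailer (FF D9)",
    b"GIF8": "GIF header (GIF87a/GIF89a)",
    b"MZ": "MZ header (possible embedded PE executable)",
    b"\xd0\xcf\x11\xe0": "OLE compound document header",
}


def extract_hex_blobs(rtf: bytes) -> list:
    """Return every long hex run in the RTF, decoded to raw bytes."""
    blobs = []
    for match in HEX_RUN.finditer(rtf):
        clean = re.sub(rb"\s", b"", match.group(0))
        clean = clean[: len(clean) - len(clean) % 2]  # drop a dangling nibble
        blobs.append(bytes.fromhex(clean.decode("ascii")))
    return blobs


def find_signatures(blob: bytes) -> list:
    """Return (offset, description) for each known pattern found in the blob."""
    hits = []
    for pattern, description in SIGNATURES.items():
        offset = blob.find(pattern)
        if offset != -1:
            hits.append((offset, description))
    return sorted(hits)


def triage(rtf: bytes) -> list:
    """Summarise each hex block: size, notable byte patterns, and the trailer check."""
    report = []
    for index, blob in enumerate(extract_hex_blobs(rtf)):
        report.append({
            "blob": index,
            "size": len(blob),
            "signatures": find_signatures(blob),
            "ends_with_ffd9": blob.endswith(b"\xff\xd9"),
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_RTF):
        print(entry)
```

Running it on a real sample means reading the attachment as bytes and passing it to `triage`; a block that ends in FF D9 but also contains an MZ header or OLE signature well inside it is the kind of thing worth carving out and examining further.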
The malware installed itself to the following path: C:\users\<username>\appdata\roaming\ritese\quapq.exe. From a forensic standpoint, it would be pointless to search for EXE files in that directory or in the Roaming directory, as generic malware would not be installed there.
On the server side, the malware made many requests for the files "file.php" and "gate.php". In addition, other ladycoll configuration data can be seen by dumping memory.
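The repeated requests for "gate.php" and "file.php" are the kind of pattern a defender can hunt for in proxy logs. The following is an added example of my own, not code from the article: it parses a simple space-separated proxy log, groups requests for those two script names by client and host, and flags any pair seen more than once. The log format, client addresses and hostnames are constructed placeholders, and the `find_c2_candidates` and `parse_line` names are mine.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, client IP, method, URL, HTTP status).
# The hostnames are placeholders, not indicators from the article.
SAMPLE_LOG = """\
2014-03-01T10:00:01Z 10.0.0.5 GET http://example.invalid/news/index.html 200
2014-03-01T10:00:07Z 10.0.0.5 POST http://c2-placeholder.invalid/panel/gate.php 200
2014-03-01T10:00:09Z 10.0.0.5 GET http://c2-placeholder.invalid/panel/file.php 200
2014-03-01T10:05:07Z 10.0.0.5 POST http://c2-placeholder.invalid/panel/gate.php 200
2014-03-01T10:07:12Z 10.0.0.9 GET http://example.invalid/gate.php?x=1 404
this line is malformed and is skipped
"""

# Script names the article reports the bot requesting repeatedly.
SUSPECT_SCRIPTS = {"gate.php", "file.php"}

LINE = re.compile(r"^(\S+) (\S+) (GET|POST|HEAD|PUT) (\S+) (\d{3})$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    match = LINE.match(line.strip())
    if not match:
        return None
    timestamp, client, method, url, status = match.groups()
    parts = urlsplit(url)
    return {
        "timestamp": timestamp,
        "client": client,
        "method": method,
        "host": parts.hostname,
        # Last path component, so the query string does not hide the script name.
        "script": parts.path.rsplit("/", 1)[-1].lower(),
        "status": int(status),
    }


def find_c2_candidates(log_text: str, min_hits: int = 2) -> list:
    """Group suspect requests by (client, host) and flag pairs seen min_hits+ times."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["script"] in SUSPECT_SCRIPTS:
            by_pair[(rec["client"], rec["host"])].append(rec)

    alerts = []
    for (client, host), recs in by_pair.items():
        if len(recs) < min_hits:
            continue
        alerts.append({
            "client": client,
            "host": host,
            "hits": len(recs),
            "scripts": sorted({r["script"] for r in recs}),
            "posts": sum(1 for r in recs if r["method"] == "POST"),
            "first_seen": min(r["timestamp"] for r in recs),
        })
    return sorted(alerts, key=lambda a: (a["client"], a["host"]))


if __name__ == "__main__":
    for alert in find_c2_candidates(SAMPLE_LOG):
        print(alert)
```

The threshold keeps a single stray hit (such as the 404 for a legitimate site's own gate.php) out of the alert list, while a client that POSTs to gate.php and then fetches file.php from the same host, which is exactly the check-in-then-download sequence the article describes, is surfaced with its first-seen time for the incident timeline.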
Exposing the "deep camouflage" of the ZeuS online-banking Trojan