Peeling off the layers one by one: decoding a ZeuS online banking trojan in "deep disguise"
It all started when I received a phishing email with a .doc attachment. Using nothing more than the everyday tool Notepad++, we stripped the camouflage off this ZeuS trojan step by step and carried out a thorough static analysis. The trojan's disguise relies on several key techniques, such as information hiding and encryption and decryption.
0x01 Something suspicious
It began with an unusual malicious phishing email carrying a .doc attachment.
When I first ran the sample in a virtual machine, the attachment sent by the attacker did not seem to work properly. But once I extracted and decoded the shellcode it contained, I found a familiar piece of malware that has been circulating for some time.
Figure 1 Phishing email
In Figure 2 we can see that the originating IP address is 212.154.192.150. The reply address field is also interesting, because it is an address long associated with a 419 fraud gang. In Figure 3, the email address circled in red tells us that the attachment is very likely malware.
Figure 2 Mail header
Figure 3 Email address of a 419 fraud gang
0x02 Preliminary test
First I tried to open the attachment in the virtual machine, but an error message appeared:
Figure 4 Office error message
However, the test system had more than 45 GB of free disk space and 2 GB of memory, so the lack of space reported in the error could not be the real cause of the problem. To be sure, I increased the memory to 8 GB, but the same error appeared. So I decided to look at the attachment from the perspective of static analysis instead.
As usual, I opened the file in Notepad++ to get a rough idea of what it was. It turned out to be an .rtf file masquerading as a .doc file, and the contents of .rtf files are very easy to obfuscate.
Figure 5 The RTF file opened in Notepad++
The .rtf file contains a large amount of hex-encoded data, which may offer clues to what the file is trying to do. The RTF format gives attackers great freedom to hide and encode data in this section, as shown in Figure 6.
Figure 6 Suspicious data
At the end of this section, however, we see "FF D9", which is also the last two bytes of a gif file.
Figure 7 Final bytes of a gif file
0x03 Stripping the disguise
I prefer to decode this kind of data with Notepad++. First, copy the contents of the region into a new .txt file, then press Ctrl+F to open the search window, switch to the "Replace" tab and select the "Extended" search mode, as shown in Figure 8.
Figure 8 Notepad++ Find/Replace
This leaves you with the hex data as a single line of ASCII text. Next, select all of it and go to "Plugins" -> "Converter" -> "HEX -> ASCII", as shown in Figure 9.
Figure 9 Decoding the data
After the conversion you will see some strings (JFIF and Photoshop, Figure 10) that look like image data. You can open this image in Paint or a similar program, with the result shown in Figure 11.
Figure 10 Decoded image data
Figure 11 Image in the rtf file
Following this lead, we continued to decode each section by hand and obtained a second, larger image showing the same content as the first: the same house. This time, however, the file is 3 MB (Figure 12), whereas the previous image was only 79 KB (Figure 11).
Figure 12 The larger image
A search on Google Images showed that it is actually a 3D architectural rendering of a house, which has nothing to do with the content of the original email.
Even more suspicious, a .docx file is embedded as well (Figure 13). When I tried to open it, an error was displayed, and there was nothing interesting in its XML files.
Figure 13 Embedded .docx file
Around line 50,000 of the file, the magic bytes of an Office 97-2004 document appear (Figure 14). This again raises the question: why would an .rtf file contain Word documents in both the new and the old format?
Figure 14 ASCII representation of the .doc magic bytes
A few thousand lines further on, we saw something more interesting. This kind of case substitution is commonly used to bypass anti-virus software and other signature-based detection mechanisms.
Figure 15 Case-insensitive replacement
About 2,000 lines later we found another function (Figure 16).
Figure 16 Another function
By removing the line breaks (\r and \n) we can compress the code enough to understand what is going on, and in this way view code that normally should not appear in an .rtf file.
Figure 17 Code that should not exist in an rtf file
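The Notepad++ steps above (delete the line breaks, decode the hex, look for the JFIF header and the FF D9 trailer) can be automated. The following Python script is an added example and not part of the original article; the RTF fragment it parses is constructed, and the signature table and the 32-digit minimum run length are my own choices.

```python
import re
import binascii

# Constructed sample (not the attachment from the article): an RTF fragment with
# hex-encoded objects split over several lines in mixed case, as in the real file.
SAMPLE_RTF = (
    "{\\rtf1\\ansi{\\*\\shppict{\\pict\\jpegblip\r\n"
    "FFD8FFE000104A46494600010100000100010000\r\n"
    "ffe1001c4578696600004d4d002a00000008\r\n"
    "0000ffd9}}"
    "{\\object\\objemb{\\*\\objdata \r\n"
    "d0cf11e0a1b11ae1000000000000000000000000\r\n"
    "}}}"
)

# File signatures worth recognising inside a suspicious RTF (my own selection).
MAGIC = {
    b"\xff\xd8\xff": "JPEG/JFIF image",
    b"PK\x03\x04": "ZIP container (e.g. .docx)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file (Office 97-2003 .doc)",
    b"MZ": "PE executable",
}

def normalize(rtf):
    # Same first step as in Notepad++: delete every \r and \n so that each
    # hex-encoded object becomes one continuous run.
    return rtf.replace("\r", "").replace("\n", "")

def hex_runs(text, min_digits=32):
    # Runs of hex digits long enough to be data rather than RTF control words;
    # the character class accepts both cases, so mixed case does not hide them.
    return re.findall(r"[0-9A-Fa-f]{%d,}" % min_digits, text)

def identify(data):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def carve(rtf):
    # Returns (type, length in bytes, FF D9 trailer present or None) per object.
    results = []
    for run in hex_runs(normalize(rtf)):
        data = binascii.unhexlify(run[: len(run) // 2 * 2])  # drop a stray odd nibble
        kind = identify(data)
        # The article uses the FF D9 end marker to see where the image data stops;
        # a JPEG blob without it suggests other data has been spliced in behind it.
        trailer = data.endswith(b"\xff\xd9") if kind.startswith("JPEG") else None
        results.append((kind, len(data), trailer))
    return results
```

Running carve() on a real sample lists every long hex run with its detected type, so a second image, an OLE document or a PE file hidden after the picture stands out without decoding by hand.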
Circled in red in Figure 18 is some hex code that should not exist in an .rtf file. A little further down (circled in blue) we can also see "AAAA", which generally represents the instruction "inc ecx" in assembly.
Figure 18 Suspicious section of the rtf file
In Figure 19, however, we find a small segment that indicates the size of the shellcode. Decoding this piece reveals, at its end, a reference to an executable file, which is exactly what we have been looking for (Figure 20).
Figure 19 Data that appears to be shellcode
Figure 20 Shellcode with the malicious URL: http://aspks.nl/components/kom/ks.exe
0x04 IDA analysis
Opening the binary in IDA confirms that this is indeed code. The assembly instructions fit our conjecture well: the shellcode and the surrounding code are closely tied to a relatively old but very reliable vulnerability, CVE-2012-0158.
Figure 21 Near the shellcode entry point
Now that we have a URL, we can check whether the malicious link is still live, and it turns out that it is (Figure 22).
Figure 22 Download of the malicious file
Once this file is executed, it establishes persistence by creating an entry under the registry Run key.
Figure 23 Malware persistence and installation
The malware is installed at the following path: C:\Users\<username>\AppData\Roaming\Ritese\quapq.exe. From a forensic perspective, searching for .exe files in this directory or in the Roaming directory is meaningless, because malware is generally not installed in these directories.
0x05 Communication analysis
The malware sends many requests to the file.php and gate.php scripts on its server (Figure 24). We can see that the IP address 116.193.77.118 is also listed in the ZeuS Tracker (Figure 25).
Figure 24 HTTP requests
Figure 25 IP address listed in ZeuS Tracker
In addition, dumping the process memory reveals further Ladycoll configuration data.
Figure 26 Memory dump of the malware
0x06 Summary
In conclusion, although CVE-2012-0158 has been around for three years, attackers are still exploiting it. Even when they obfuscate their documents, analysis can still reveal their true intentions.
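As an added example that is not from the original article, the following Python triage script shows how a defender could hunt for this communication pattern in web proxy logs: repeated requests to gate.php/file.php, and any contact with the indicators quoted above. The log lines and their five-field format are constructed.

```python
import re
from collections import Counter

# Constructed proxy log lines (not from the article): timestamp, client, method, URL, status.
LOG_LINES = """\
2015-06-01T10:00:01 10.0.0.5 GET http://aspks.nl/components/kom/ks.exe 200
2015-06-01T10:00:09 10.0.0.5 POST http://116.193.77.118/abc/gate.php 200
2015-06-01T10:01:09 10.0.0.5 POST http://116.193.77.118/abc/gate.php 200
2015-06-01T10:01:40 10.0.0.5 GET http://116.193.77.118/abc/file.php 200
2015-06-01T10:02:00 10.0.0.7 GET http://intranet.example/gate.php?id=1 200
2015-06-01T10:02:30 10.0.0.9 GET http://www.example.com/index.html 200
""".splitlines()

# Indicators quoted in the article, used here as a watchlist for triage.
WATCHLIST_HOSTS = {"116.193.77.118", "aspks.nl"}
# ZeuS-style C2 scripts: the sample hammered file.php and gate.php on its server.
C2_SCRIPT = re.compile(r"/(gate|file)\.php(?:\?|$)", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    host = re.sub(r"^https?://", "", url).split("/", 1)[0].split(":")[0]
    return {"ts": ts, "client": client, "method": method, "url": url, "host": host}

def triage(lines):
    # Returns the flagged lines with their reasons, plus a per-(client, host)
    # count of gate/file.php requests so that repeated beaconing stands out
    # from a one-off hit on a similarly named internal page.
    findings, beacons = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        reasons = []
        if rec["host"] in WATCHLIST_HOSTS:
            reasons.append("host on watchlist")
        if C2_SCRIPT.search(rec["url"]):
            reasons.append("gate/file.php request")
            beacons[(rec["client"], rec["host"])] += 1
        if reasons:
            findings.append((rec["ts"], rec["client"], rec["host"], reasons))
    return findings, beacons
```

A single gate.php hit (the intranet host here) is only a lead; the beacon counter is what separates the infected client that keeps calling 116.193.77.118 from incidental matches.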