By targeting primarily financial-related keyword searches and ensuring that their malicious results are displayed, the attacker can attempt to maximize the conversion rate of their infections: they can be confident that infected users regularly use various financial platforms, which allows the attacker to quickly obtain credentials, banking and credit card information, etc. The overall configuration and operation of the infrastructure used to distribute this malware was interesting, as it did not rely on distribution methods that Talos regularly sees being used for the distribution of malware. This is another example of how attackers regularly refine and change their techniques, and it illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time.
Initial Attack Vector
In one example, the attacker appeared to target searches for the following query:
The attacker targeted numerous keyword groups, with most being tailored towards banking or financial-related information that potential victims might search for. Additionally, certain geographic regions appear to be directly targeted, with many of the keyword groups being specific to financial institutions in India as well as the Middle East. Some examples of keyword searches being targeted by this campaign were:
"nordea sweden bank account number"
"al rajhi bank working hours during ramadan"
"how many digits in karur vysya bank account number"
"free online books for bank clerk exam"
"how to cancel a cheque commonwealth bank"
"salary slip format in excel with formula free download"
"bank of baroda account balance check"
"bank guarantee format mt760"
"sbi bank recurring deposit form"
"axis bank mobile banking download link"
Additionally, in all of the cases Talos analyzed, the titles of the pages that functioned as the entry point into this malware distribution system had various phrases appended to them. Using the "intitle:" search parameter, we were able to positively identify hundreds of malicious pages being used to perform the initial redirection that led victims to the malicious payload. Some examples of these phrases are included below:
"found download to on a forum"
"found global warez on a forum"
"can you download free on the site"
"found download on on site"
"can download on a forum"
"found global downloads on forum"
"info site download to on forum"
"your query download on site"
"found download free on a forum"
"can all downloads on site"
"you can open downloads on"
In cases where victims attempt to browse to the pages hosted on these compromised servers, they would initiate a multi-stage malware infection process, as detailed in the following section.
Ironically, we have observed the same redirection system and associated infrastructure being used to direct victims to tech support and fake AV scams that display images informing victims that their systems are infected with Zeus and instructing them to contact the listed telephone number.
The macros use the following PowerShell command to initiate this process:
The malicious payload associated with the campaign appears to be a new version of Zeus Panda, a banking trojan designed to steal banking and other sensitive credentials for exfiltration by attackers. The payload that Talos analyzed was a multi-stage payload, with the initial stage featuring several anti-analysis techniques designed to make analysis more difficult and to prolong execution in order to avoid detection. It also featured several evasion techniques designed to ensure that the malware would not execute properly in automated analysis environments, or sandboxes. The overall operation of the Zeus Panda banking trojan has been well documented; however, Talos wanted to provide additional information about the first-stage packer used by the malware.
The malware will first query the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects any of the following keyboard mappings:
Below is an example of several if conditional statements, in pseudocode, demonstrating this process and how it impedes the ability to efficiently trace the code.
Below you can see the SEH has just been initialized:
During execution, the malware continues to patch itself and then resumes execution.
The strings are XOR-encrypted, but each string uses its own XOR key, so a single static signature cannot match the encrypted strings. Below is some IDA Python code which can be used to decrypt them.
from idc import *
from idautils import XrefsTo

DECRYPT_FUNC = 0x1250EBD2   # string decryption routine
STRING_TABLE = 0x1251A560   # table of encrypted strings (8-byte entries)

def decrypt(data, length, key):
    # Each byte is XORed with its own index and with the inverted per-string key
    c = 0
    o = ''
    while c < length:
        o += chr((c ^ ord(data[c]) ^ ~key) & 0xff)
        c += 1
    return o

def get_data(index):
    # Entry layout: WORD key | WORD length | DWORD pointer to ciphertext
    base_encrypt = STRING_TABLE
    key = Word(base_encrypt + 8*index)
    length = Word(base_encrypt + 2 + 8*index)
    data = GetManyBytes(Dword(base_encrypt + 4 + 8*index), length)
    return key, length, data

def find_entry_index(addr):
    # The caller loads the table index into ecx immediately before the call
    addr = PrevHead(addr)
    if GetMnem(addr) == "mov" and "ecx" in GetOpnd(addr, 0):
        return GetOperandValue(addr, 1)
    return None

for xref in XrefsTo(DECRYPT_FUNC, flags=0):
    entry = find_entry_index(xref.frm)
    if entry is None:
        continue   # index not passed via an immediate mov; skip this call site
    try:
        key, length, data = get_data(entry)
        dec = decrypt(data, length, key)
        print("Ref Addr: 0x%x | Decrypted: %s" % (xref.frm, dec))
        MakeComm(xref.frm, ' decrypt_string return :' + dec)
        MakeComm(STRING_TABLE + 8*entry, dec)   # also annotate the table entry itself
    except Exception:
        pass

This script comments each call site with the decrypted string, where 0x1250EBD2 is the address of the decryption routine and 0x1251A560 is the address of the table of encrypted strings.
Comments are inserted into the disassembly making it much easier to understand the different features within the malware.
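The same per-string XOR scheme and table layout, rebuilt offline as an added example so the decryption logic can be checked without IDA or the sample. This is not code from the original post: the table base address is reused only so pointers resemble the page's, and the strings and keys are constructed test data, not values recovered from the malware.

```python
import struct

# Added example: the string table layout used by the IDA script above,
# recreated in pure Python. Each 8-byte entry is
#   WORD xor_key | WORD length | DWORD pointer-to-ciphertext
# followed by the ciphertext itself. Constructed data throughout.

TABLE_BASE = 0x1251A560   # assumed: the page's table address, used only as a fake base


def xor_codec(data: bytes, key: int) -> bytes:
    """Same byte transform as the page's decrypt(): out[i] = i ^ in[i] ^ ~key.
    XOR is its own inverse, so this both encrypts and decrypts. Only the low
    byte of the 16-bit key matters because the result is masked to 8 bits."""
    return bytes(((i ^ b ^ ~key) & 0xff) for i, b in enumerate(data))


def build_table(strings, keys, base=TABLE_BASE):
    """Pack a string table in the sample's layout: entries first, ciphertext after."""
    entries = b""
    ciphertexts = b""
    cursor = base + 8 * len(strings)          # ciphertext starts right after the entries
    for s, key in zip(strings, keys):
        ct = xor_codec(s.encode("latin-1"), key)
        entries += struct.pack("<HHI", key, len(ct), cursor)
        ciphertexts += ct
        cursor += len(ct)
    return entries + ciphertexts


def parse_table(blob: bytes, count: int, base=TABLE_BASE):
    """Walk `count` entries and return the decrypted strings, mirroring get_data()."""
    out = []
    for idx in range(count):
        key, length, ptr = struct.unpack_from("<HHI", blob, 8 * idx)
        data = blob[ptr - base: ptr - base + length]
        out.append(xor_codec(data, key).decode("latin-1"))
    return out


def ciphertexts_for(plain: str, keys):
    """Why a single static signature fails: one plaintext under several keys."""
    return [xor_codec(plain.encode("latin-1"), k) for k in keys]


if __name__ == "__main__":
    strings = ["kernel32.dll", "CreateToolhelp32Snapshot", "Software\\Microsoft\\Windows"]  # constructed
    keys = [0x1A2B, 0x00C4, 0x7F10]                                                         # constructed
    blob = build_table(strings, keys)
    print(parse_table(blob, len(strings)))
    print([ct.hex() for ct in ciphertexts_for("kernel32.dll", keys)])
```

Because the key is applied per string and the byte index is mixed in, the same plaintext produces unrelated ciphertext under each key; a detection that wants to match on these strings has to decrypt them first, which is exactly what the IDA script automates.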
API calls are likewise resolved by hash rather than by name, using the algorithm below (a table-driven CRC-32 with polynomial 0xEDB88320, initial value 0xFFFFFFFF and a final bitwise NOT). Again, this is code which can be used within IDA in order to comment API calls.
table_xor_api = []

def build_xor_api_name_table():
    # Standard CRC-32 lookup table built from the reflected polynomial 0xEDB88320
    global table_xor_api
    if not table_xor_api:
        table_xor_api = []
        entries = 0
        while entries < 256:
            copy_index = entries
            bits = 8
            while bits:
                if copy_index & 1:
                    copy_index = (copy_index >> 1) ^ 0xEDB88320
                else:
                    copy_index >>= 1
                bits -= 1
            table_xor_api.append(copy_index)
            entries += 1
    return table_xor_api

def compute_hash(inString):
    # Hash an API or module name exactly as the malware does (register names kept
    # from the disassembly)
    global table_xor_api
    if not table_xor_api:
        build_xor_api_name_table()
    if inString is None:
        return 0
    ecx = 0xFFFFFFFF
    for i in inString:
        eax = ord(i)
        eax = eax ^ ecx
        ecx = ecx >> 8
        eax = eax & 0xff
        ecx = ecx ^ table_xor_api[eax]
    ecx = ~ecx & 0xFFFFFFFF
    return ecx

The malware uses a generic function which takes the following arguments:
- the DWORD which corresponds to the module.
- An index entry corresponding to the table of encrypted string for modules (if not loaded).
- The hash of the API itself.
- The index where to store the api call address.
Below is example pseudocode showing how this function is used to resolve and perform an API call, in this case to look up processes in memory using the snapshot list.
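An added example, not code from the original post, showing how the hash routine above can be turned into a resolver: because the algorithm is standard CRC-32, a hash-to-name table can be precomputed from export names and cross-checked against zlib. The candidate export lists and the hashes looked up here are assumed for illustration, not values recovered from the sample.

```python
import zlib

# Added example: precompute API-name hashes with the same CRC-32 variant the
# page's compute_hash() implements (polynomial 0xEDB88320, init 0xFFFFFFFF,
# final NOT), then map hashes found in the binary back to module!export.

CRC_POLY = 0xEDB88320


def build_crc_table():
    """Same table as build_xor_api_name_table() on the page."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_CRC_TABLE = build_crc_table()


def api_hash(name: str) -> int:
    """Mirror compute_hash(): per-byte table lookup, inverted at the end."""
    crc = 0xFFFFFFFF
    for ch in name.encode("ascii"):
        crc = (crc >> 8) ^ _CRC_TABLE[(crc ^ ch) & 0xFF]
    return ~crc & 0xFFFFFFFF


def matches_zlib(name: str) -> bool:
    """Sanity check: the routine is plain CRC-32, so zlib.crc32 must agree."""
    return api_hash(name) == (zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF)


# Assumed candidate exports per module for the illustration; a real resolver
# would walk each DLL's export table instead of a hand-written list.
CANDIDATES = {
    "kernel32.dll": ["CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                     "CloseHandle", "VirtualAlloc", "LoadLibraryA"],
    "advapi32.dll": ["RegSetValueExA", "RegCreateKeyExA"],
}


def build_lookup(candidates=CANDIDATES):
    """hash -> (module, export) for every candidate name."""
    lookup = {}
    for module, names in candidates.items():
        for name in names:
            lookup[api_hash(name)] = (module, name)
    return lookup


def resolve(h: int, lookup=None):
    """Return (module, name) for a hash found in the binary, or None if unknown."""
    if lookup is None:
        lookup = build_lookup()
    return lookup.get(h & 0xFFFFFFFF)


if __name__ == "__main__":
    lookup = build_lookup()
    for h, (mod, name) in sorted(lookup.items()):
        print("0x%08X  %s!%s" % (h, mod, name))
    print(resolve(api_hash("Process32Next"), lookup))
```

Two caveats when using this against a real binary: the hash is case-sensitive, so the exact export spelling (and, for module names, the exact case the malware hashes) has to be used, and with only 32 bits a large candidate set can produce collisions, so a resolved name should be confirmed against the call's argument usage.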
Once the malware begins its full execution, it copies an executable to the following folder location:
It maintains persistence by creating the following registry entry:
It sets the data value for this registry entry to the path/filename that was created by the malware. An example of the data value is below:
In this particular case, the file that was dropped into the infected user's profile was named "extensions.exe" however Talos has observed several different file names being used when the executable is created.
Additional information about the operation of the Zeus Panda banking trojan once it has been unpacked has been published here.
The threat landscape is constantly evolving and threat actors are continually looking for new attack vectors to target their victims. Having a sound, layered, defense-in-depth strategy in place will help ensure that organizations can respond to the constantly changing threat landscape. Users, however, must also remain vigilant and think twice before clicking a link, opening an attachment or even blindly trusting the results of a Google search.
Additional ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Domains Distributing Maldocs:
mikemuder[.]com
IPs Distributing Maldocs:
67.195.61[.]46
Intermediary Redirect Domains:
dverioptomtut[.]ru
Word Doc Filenames:
nordea-sweden-bank-account-number.doc
Word Doc Hashes:
713190f0433ae9180aea272957d80b2b408ef479d2d022f0c561297dafcfaec2 (SHA256)
PE32 Distribution URLs:
settleware[.]com/blog/wp-content/themes/inove/templates/html/krang.wwt
PE32 Hashes:
59b11483cb6ac4ea298d9caecf54c4168ef637f2f3d8c893941c8bea77c67868 (SHA256)