New Zeus dropper being spammed actively (September 6, 2013)

The Dell SonicWall Threats Research team has observed incidents of a new Dropper Trojan being delivered via an e-mail spam campaign in the wild. The e-mail attachment is a password-protected zip file that contains the malicious executable. The zip attachment is named using the recipient's first initial and last name as a suffix, which makes it more convincing for the intended recipient to open. The malware executable had zero AV detection at the time of this writeup; it connects to a remote server to download and install a new variant of the Zeus banking Trojan on the target machine.

A sample e-mail from this campaign, captured today, can be seen below:

The zip attachment name is of the format FSEMC.(First Initial + Last Name of recipient).zip. The enclosed malicious executable masquerades as a PDF file, as seen below:
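
As an added example (not part of the SonicWALL write-up), the following Python triages such an attachment the way a mail gateway might: it checks whether the zip name follows the FSEMC.(first initial + last name).zip pattern for the recipient, and inspects the archive's member names for an executable extension, a document-style double extension such as .pdf.exe, and the general-purpose flag bit that marks a password-protected member. The recipient "Jane Smith" and the archive contents are constructed; the sample archive is unencrypted because the standard library cannot write password-protected zips, whereas the real attachment was.

```python
import io
import os
import zipfile

# Extensions Windows runs directly; a "PDF" inside an attachment should never carry one.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}


def expected_attachment_name(first_name, last_name):
    """Campaign naming pattern: FSEMC.<first initial><last name>.zip."""
    return f"FSEMC.{first_name[0]}{last_name}.zip"


def member_findings(info):
    """Reasons one zip member looks like an executable posing as a document."""
    reasons = []
    root, ext = os.path.splitext(info.filename.lower())
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    # "Statement.pdf.exe": a document extension sits right before the real one.
    if os.path.splitext(root)[1] in DOCUMENT_EXTS and ext not in DOCUMENT_EXTS:
        reasons.append("double extension")
    # Bit 0 of the general-purpose flag marks a password-protected member; the
    # name is still readable, but the content cannot be scanned without the password.
    if info.flag_bits & 0x1:
        reasons.append("encrypted member")
    return reasons


def triage_attachment(attachment_name, first_name, last_name, zip_bytes):
    """Summarise one attachment; a mail filter would quarantine on any member finding."""
    expected = expected_attachment_name(first_name, last_name)
    result = {
        "personalised_name": attachment_name.lower() == expected.lower(),
        "members": {},
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = member_findings(info)
            if reasons:
                result["members"][info.filename] = reasons
    result["quarantine"] = bool(result["members"])
    return result


def build_sample_zip():
    """Constructed sample (not the real attachment): a fake PDF that is really a PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Statement.pdf.exe", b"MZ" + b"\x00" * 62)  # PE header stub
        zf.writestr("readme.txt", b"Please see the attached statement.")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("FSEMC.JSmith.zip", "Jane", "Smith", build_sample_zip()))
```

Member names in a traditionally encrypted zip are stored in the clear in the central directory, so the extension checks still work on a password-protected attachment even though the payload itself cannot be scanned; that is exactly the case where a gateway should quarantine rather than pass the file through on "no AV detection".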

Infection Cycle:

Upon execution, the Dropper Trojan creates a copy of itself as %TEMP%\hfdfjdk.exe and runs it in the background:

It then deletes the original file that was opened by the user.

The Dropper then attempts to connect to a predetermined remote server, ce-cloud.com, and downloads the latest variant of Zeus over HTTPS. We were able to capture the download command during our analysis, which can be seen below:

The latest Zeus variant is downloaded from the encoded URI /images/note.exe onto the system as %TEMP%\ckjienn.exe [Detected as GAV: Zbot.AAU_67 (Trojan)]. The Dropper then executes the downloaded file, which kickstarts the Zeus infection cycle and makes the following changes on the system:

  • Creates a copy of itself as %APPDATA%\Teugw.exe
  • Creates a registry entry to ensure the infection persists across system reboots:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run  Teugw  "%APPDATA%\Okzocuteugw.exe"

  • Injects malicious code into multiple system and user processes:
    • %WINDOWS%\system32\Dwm.exe
    • %WINDOWS%\Explorer.EXE
    • %WINDOWS%\system32\taskhost.exe
    • %PROGRAMFILES%\Adobe\Reader 9.0\Reader\reader_sl.exe
    • %WINDOWS%\system32\SearchProtocolHost.exe
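
The persistence mechanism above (a Run value whose image sits under %APPDATA%) is the part of the infection cycle an administrator can check for quickly. As an added example, not code from the SonicWALL write-up, the following Python parses the text printed by `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, expands %VAR% references against a supplied environment, and flags every Run value whose executable lives in a user-writable profile directory (Roaming AppData or a Temp folder). The reg query text, the profile paths and the two benign entries are constructed; the Teugw entry mirrors the persistence value described in this post.

```python
import re

# Constructed sample in the layout printed by
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# The Teugw line mirrors the post's persistence value; OneDrive and
# SecurityHealth are benign entries added for comparison (constructed).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Teugw    REG_SZ    "%APPDATA%\Okzocuteugw.exe"
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Constructed profile environment so the example resolves %VAR% paths offline;
# on a live host, build this from os.environ instead.
ENV = {
    "APPDATA": r"C:\Users\jsmith\AppData\Roaming",
    "TEMP": r"C:\Users\jsmith\AppData\Local\Temp",
    "WINDIR": r"C:\Windows",
}

# Directories a standard user can write to: the locations the dropper
# (%TEMP%\...) and the Zeus payload (%APPDATA%\...) use in this campaign.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\temp\\")

# reg query separates value name, type and data with four spaces.
ENTRY_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\S+)\s{4}(.*)$")


def expand_env(path, env):
    """Expand %VAR% references case-insensitively from the supplied map."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def image_path(value):
    """Pull the executable path out of a Run value, dropping any arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def parse_run_entries(reg_output):
    """Return (value name, type, data) tuples from reg query text."""
    entries = []
    for line in reg_output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def suspicious_run_entries(reg_output, env):
    """Run values whose expanded image path lies in a user-writable profile directory."""
    findings = []
    for name, reg_type, data in parse_run_entries(reg_output):
        image = expand_env(image_path(data), env)
        if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append({"name": name, "type": reg_type, "image": image})
    return findings


if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_REG_QUERY, ENV):
        print(f"{hit['name']}: {hit['image']}")
```

Treat hits as triage candidates rather than verdicts: legitimate per-user installers also place autostart images under AppData\Local, so compare against a known-good baseline, check the HKLM Run key the same way, and look for the %TEMP% file names listed in this post alongside the registry result.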

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Tepfer.gen_4 (Trojan)
  • GAV: Zbot.AAU_67 (Trojan)