P2P Zeus downloader targeting corporate e-mails (November 13, 2013)


The Dell SonicWall Threats Research team received reports of a targeted Corporate E-mail spam campaign that spreads SSL based Zeus Downloader. We have observed similar campaigns in the past as seen here. This downloads a P2P Zeus Trojan variant over SSL after successful infection on the victim machine.

Infection cycle:

The malicious sample spreads through a targeted campaign where it tries to lure employees into downloading a Confidential Document as seen from the e-mail below:

The executable comes with a PDF icon:

The Trojan drops the following files to the file-system:

  • %APPDATA%LocalTempbudha.exe [Detected as GAV: Tepfer.ZC (Trojan)] (id 60505822)
  • %APPDATA%LocalTempkilf.exe [Detected as GAV: Zbot.ES_5 (Trojan)] (id 60505862)
  • %APPDATA%RoamingWucuronoe.exe [Detected as GAV: Zbot.ES_5 (Trojan)] (id 60505854)
  • %APPDATA%LocalTempRRO1145.bat – deletes kilf.exe and itself

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “%APPDATA%RoamingWucuronoe.exe”

The Trojan adds the following additional key to the Windows registry :

  • HKLMsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofilegloballyopenportslist [4064:tcp]
  • HKLMsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofilegloballyopenportslist [5275:udp]
  • HKLMsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofile disablenotifications

It downloads a malicious executable named heap.exe from ao[removed]/[removed]/heap.exe [Detected as GAV: Zbot.ES_5 (Trojan)]. This site appears to be a legitimate Marketing Company which is being used as a conduit to spread malicious content.

We observed the Trojan accessing .WAB (Windows Address Book) files on the infected system. These are files used by Outlook and Outlook Express that store contact information such as names, mailing addresses and phone numbers.

Dell SonicWALL Gateway AntiVirus has blocked more than 200,000 Zeus attachments from this targeted campaign in the past 12 hours. It has also blocked more than 34,000 downloads of Zeus Trojan from this infection in the wild during the same time-frame. Below is the geographic distribution of this spam campaign:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Tepfer.ZC (Trojan)
  • GAV: Zbot.ES_5 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.