Ranbyus Banking Trojan, Cousin of Zbot

The Dell SonicWALL Threats Research Team has recently encountered a sample of the Ranbyus banking trojan family. This family, a descendant of the Zbot family, has previously been reported by others to primarily target Ukrainian and Eastern European users. One of its notable features is that it was among the first to target Java-based remote banking applications for information stealing.

Ranbyus Java injection strings

Infection Cycle

This sample of Ranbyus appears to be single-staged, as it only drops a copy of itself onto disk and otherwise decodes and executes its malicious payload entirely in memory. The payload is stored as Base64 encoded data within the .rsrc section of the binary, and is launched after being decoded in memory with the CryptStringToBinary API call.

The malware is seen using CryptStringToBinary to decode the Base64 encoded payload

After the initial execution, the original file is deleted with a typical use of cmd.exe: “C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\admin\APPLIC~1\file.exe >> NUL”

After deleting the original sample, the malware injects into svchost.exe. The injected svchost process then drops a copy of the malware into the Windows system directory to achieve persistence on the machine. In our analysis, it used a hard-coded name for the dropped copy, located at C:\Windows\system32\MifofomlJLohdj.exe [Detected as GAV: Zbot.SBEP].

Shortcut created in Start Up directory for persistence

In order to persist upon reboot, the malware creates a run key as well as a shortcut in the Start Up directory under the Start Menu.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpkS_uppkrBUa_JGnwzvayGcjU

The following mutexes were seen during analysis and are used to prevent unnecessary reinfection and to manage the different infection threads.

  • \BaseNamedObjects\D83A47EC0000037001CEEA35cF_hVxJBmrxrZ
  • \BaseNamedObjects\v&xEiR43#$

In addition to performing the persistence routines, the injected svchost process is also seen performing the callback communication.

The svchost process can be seen connecting to the C&C server

Base64 encoding is used again in the C&C communication, although here a custom alphabet is used to hinder analysis of the traffic.

HTTP post to the C&C server contains Base64 data

Further analysis of the binary in memory led us to the custom alphabet used by this sample: G4ozATO/sx521knPHdvVKZWXq9yfm6LNUQtcr3ea+MFubgCB8pES7RwlYhjiDIJ0=. With this alphabet and a short decoding script, the captured traffic can be decoded as seen below.

A bit of formatting of the decoded callback communications reveals the content of the traffic.
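The decoding step described above, written out as an added example (this is not the script from the original post, nor code from the malware or from SonicWALL): the recovered alphabet is mapped onto the standard RFC 4648 alphabet with a character translation table, after which the standard library decoder can be used. The same function handles the ordinary Base64 used for the payload in the .rsrc section by passing the standard alphabet. The `decode_callback` field layout (`key=value` pairs joined by `&`) and the sample POST body are constructed for illustration and are not the real Ranbyus callback format.

```python
import base64
import binascii

# Standard RFC 4648 alphabet; this is what CryptStringToBinary decodes for the payload.
STD_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)

# Custom alphabet recovered from this Ranbyus sample (quoted from the analysis above).
# '=' remains the padding character.
RANBYUS_ALPHABET = "G4ozATO/sx521knPHdvVKZWXq9yfm6LNUQtcr3ea+MFubgCB8pES7RwlYhjiDIJ0"


def _check_alphabet(alphabet: str) -> None:
    """A usable Base64 alphabet has exactly 64 distinct characters and no '='."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    if "=" in alphabet:
        raise ValueError("'=' is reserved for padding")


def custom_b64decode(data: str, alphabet: str = RANBYUS_ALPHABET) -> bytes:
    """Decode Base64 text written with a non-standard alphabet.

    Whitespace is dropped and missing '=' padding is repaired first, because
    captured traffic is often unpadded or line-wrapped. Characters outside the
    alphabet raise ValueError instead of being silently skipped.
    """
    _check_alphabet(alphabet)
    text = "".join(data.split())            # tolerate line breaks and spaces
    body = text.rstrip("=")
    if any(ch not in alphabet for ch in body):
        raise ValueError("input contains characters outside the alphabet")
    body += "=" * (-len(body) % 4)          # repair padding to a multiple of 4
    std = body.translate(str.maketrans(alphabet, STD_ALPHABET))
    try:
        return base64.b64decode(std, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed Base64: {exc}") from exc


def custom_b64encode(raw: bytes, alphabet: str = RANBYUS_ALPHABET) -> str:
    """Inverse of custom_b64decode; useful for building test vectors."""
    _check_alphabet(alphabet)
    std = base64.b64encode(raw).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_callback(body: str) -> dict:
    """Decode one captured POST body and split it into key=value fields.

    The '&'-separated key=value layout is a constructed illustration, not the
    real Ranbyus callback format; the decoder itself does not depend on it.
    """
    plain = custom_b64decode(body).decode("latin-1")
    fields = {}
    for part in plain.split("&"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


if __name__ == "__main__":
    # Constructed sample: a POST body as it would look if the bot sent these fields.
    sample = custom_b64encode(b"bot=TESTID-0001&os=winxp&ver=1.0")
    print(sample)
    print(decode_callback(sample))
```

Because the translation is a fixed one-to-one substitution, a quick sanity check on a capture is to decode a few bodies and confirm they come out as printable ASCII; if they do not, either the alphabet was recovered incorrectly or the sample uses a different one, which is a useful signal that a variant is in play.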

Summary

Overall, the purpose of this malware is to steal banking information, as well as other personal information and credentials. Dell SonicWALL Gateway Anti-Virus provides protection against this threat with the following signature:

  • GAV: Zbot.SBEP