Zeus PIF - The evolving strain looking to defeat your security software

Websense Security Labs™  have identified a Zeus strain that implements information stealing procedures that appear to be an evolution of the 'DNA' of previous emerging Zeus variants. The Zeus variants in the campaign we're about to describe also appear to be using Zeus droppers that employ the hidden Windows 'PIF' file extension - a file extension that used to be popular many years back, that was often associated with viruses then, and that appears to be making a comeback.

Websense® ThreatSeeker® Intelligence Cloud has been tracking a malicious low volume email campaign over the last months that employs exploits and social engineering tricks to spread the evolving breed of the Zeus banking malware. Specifically, the Zeus variants spotted in the campaign have been seen to persistently evolve and adapt their methods to implement information stealing procedures (a.k.a. 'hooking procedures') that are a direct evolution of a previous variant dubbed 'Zberp'. This trend indicates a clear persistent effort to evade detection from client-side security software.

In this blog we're going to take a look at some email examples and prototype the lure emails that are part of this campaign. Furthermore, we're going to take a look at how we believe the actors behind the Zeus strain seen in the campaign modified Zeus' hooking routines persistently, and employed other tactics in order to evade detection by client-side security software and network-based security software.

Co-Writer: Nick Griffin.

The Lure Emails 

The lure emails typically hold subjects that are aimed to entice the target to download and run a file from a URL. For example, messages have been seen to include subjects like: "eFax message from fax #", "Payment confirmation", "Pending consumer complain", "Failed delivery for package", etc. The email messages don't contain file attachments, but rather a URL link to a ZIP file that contains a PIF file that is the Trojan Zeus Dropper. PIF is another executable extension (like .exe, etc.) and it operates like other executable files. One of the direct advantages of the PIF file is that the extension is hidden even if Windows is configured to show file extensions of known file types. The additional direct advantage of using PIF files with this campaign is that the lures are sent as 'PDF' files that are actually PIF files, which is a direct attempt to deceive the user in case they are able to see the extension.

At first we were surprised to see PIF files used with this campaign because PIF files are most often associated with old virus threats that existed many years ago, and the file extension is not often seen to be used by modern malware. PIF files (Program Information Files) were created to serve specific functionality that defines how a given DOS program should be run. PIFs are analyzed by Windows' ShellExecute function and are run as specified by their content, not extension, which makes them convenient to use in social engineering tricks because their file extension does not appear to the target, which improves the chances that the target will double-click on the file attempting to run it, thereby getting infected.

Zeus dropper Inside the ZIP file example:

The lure emails' content seems to be of good quality. The messages do not contain spelling mistakes and include, at times, pictures in order to appear more convincing (some example screenshots are included below). The URLs used in the messages that lead to Zeus Droppers appear to be of two kinds; some are URLs that were registered only for a few days, and some utilize compromised websites. The Zeus PIF dropper files, as often seen with modern malware, appear to be 'crypted', which is a term used to describe that the file was 'repackaged' for the purpose of evading antivirus detection and other file scanning solutions.

Last week we observed this campaign using email themes that appeal to Canadian targets, and we noticed that the dropped Zeus variants specifically targeted Canadian banks (more on that in the next section).

Here are a few VirusTotal references to the Zeus PIF Dropper included in this campaign and screenshots of the lure emails they were a part of:

Email subject: Failed delivery for package #1398402

File name: pdf_canpost_RT000961269SG.zip

VirusTotal detection rate: 2%.

ThreatScope analysis: link

Email subject: Pending consumer complaint

File name: ftc_pdf_complaint.zip

VirusTotal detection rate: 11% 

ThreatScope analysis: link

Email subject: Your Order #742830017 - PROCESSED

File name: pdf_eticket_QB742830017CA.zip

VirusTotal detection rate: 9% 

ThreatScope analysis: link

Lure email examples:

Hooking Detection Evasion Evolution

Looking under the hood and digging into the Zeus binaries spreading throughout this campaign shows the efforts made to evade client-side security software, especially the security software that aims to alert on 'malicious hooks' - the places on the computer where the malware inserts procedures aimed to eavesdrop on legitimate processes like browsers. One interesting observation is that the code seems to be an evolution of the 'hooking' procedures used by the Zeus variant known as 'Zberp'. On top of the 'hooking' changes, it is interesting to see that the format of the configuration file is a modification of the one used by frequently seen Zeus variants. In the following screenshots you can see a snapshot series representing the evolution of the changing patterns aimed to evade detection as spotted with the Zeus PIF variants in this campaign in comparison to 'Zberp':

Hooking evolution:

The Growing Importance Of SSL Content Inspection

Upon decryption of the Zeus configuration files used in this campaign, it's evident that the bot communicates and 'calls home' to its command and control servers using HTTPS. The Zeus configuration file contains a number of entries that indicate that HTTPS is utilized (HTTP + SSL encryption). Screenshots below show the URL the bot calls to download an update, and the URL the bot calls to drop stolen information.

After looking into the command and control domains, it was found that they all had valid and signed certificates, for a short period of 3 months, from a certification authority known as 'Comodo Essential SSL' (see screenshots of certificates below). Modern browsers normally give a layer of defense to browsing users against untrusted certificates by alerting and blocking access to the website, which unfortunately in this instance is not the case. This gives the actors behind this campaign another layer of resilience and anonymity because their malicious domains appear to be more trusted and at the same time pose a much bigger challenge to inspect because network communication is encrypted by SSL. This could explain why the domains involved with the variants we've looked into for this blog have low detection rates: 

hxxps://billing-service.ru/skinny/phpinfo.php - VirusTotal detection rate: 4%.

hxxps://invoice-maker.ru/flash/flashplayer.exe - VirusTotal deection rate: 2%

hxxp://crypto-coinz.ru/pizza.jpg - VirusTotal detection rate: 2%

hxxps://secure-checker.com - VirusTotal detection rate: 2%

You may ask yourself, Why is SSL inspection important? Imagine that you have a sandbox on your network that inspects executables that go through your network. If your sandbox solution does not use SSL inspection it will not see a file that has gone through the network encrypted with SSL. In this case, the bot can update itself by downloading an executable file using SSL, which will defeat any sandbox that doesn't employ SSL inspection. For example: hxxps://invoice-maker.ru/flash/flashplayer.exe .

Zeus PIF variant configuration file:

Valid certificates employed by the command and control servers:

Zeus configuration file and the list of web injects targeting various banks in Canada:

Websense customers are protected against this threat with ACE, our Advanced Classification Engine, at the stages detailed below:

• Stage 2 (Lure) – ACE protects against lure email messages containing the threat.
• Stage 4 (Exploit Kit) – ACE has real-time detection for exploit code that attempts to deliver the threat.
• Stage 5 (Payload) – ACE has detection for the malicious payloads delivered by this threat; SSL inspection is supported with Websense® TRITON® ThreatScope™
• Stage 6 (Call Home) – ACE detects the communication to the associated C&C in real-time, supported by SSL inspection.

Conclusion

In this blog we covered a malicious email campaign that employs an evolving strain of the infamous Zeus malware. The campaign has been ongoing for months in bursts of low volume attacks that have been evolving to evade detection employed by client-side security software. The actors behind this campaign seem to be savvy and in-the-know regarding what is needed to accommodate durability and to sustain 'longer periods' of undetected covert activity from their main criminal tool, the Zeus bot. The persistence of the actors behind this campaign is represented in their continual effort to change and modify the 'DNA' of the Zeus bot in order to avoid detection and by utilizing other techniques, like command and control servers that utilize SSL to sustain the duration and success of their campaign, which has the ultimate purpose of data theft.

We also managed to connect the previously observed 'Zberp' Zeus strain to this campaign in terms of evolution. This shows that the 'cat and mouse' game is ever continuing. Because the Zeus source code was leaked back in 2011, many evolving variants of the bot started to spawn by different cyber-criminal groups. New variants have been given different names, and we believe the list of variants is going to grow. Strains that may at first look quite different, often have the familiar Zeus at their core. Tracking and dissecting the evolution of a malware strain allows us to know exactly the technological challenges that come with it and what is required to stop it.