Chinese new year wishes leads to Zbot Trojan

May 11, 2012

SonicWALL UTM Research team discovered a new variant of Zbot Trojan being spammed in the wild. The spam campaign in this email exploits the timing of the Chinese new year. The spammed email contains an attached PDF with wishes for the Chinese new year along with a link. The link appears to point to the website of the Ministry of Foreign Affairs of the People's Republic of China but it in fact leads to a malicious domain hosting a newer variant of the Zbot Trojan.

The contents of the attached PDF file is shown below:


The contents of the PDF file translates to:

Brother, Happy Dragon year, and I give you my best wishes!
Thank you for sending me your greetings. I feel the warmth inside.
Long time no contact, I'm not sure if you are still working in China?

It performs the following activities when executed:

  • It injects code in to winlogon.exe and svchost.exe
  • It creates the following files:
    • %windir%system32sdra64.exe (Copy of itself) [Detected as GAV: "Zbot.DRGN (Trojan)]
    • %windir%system32lowseclocal.ds (Encrypted config file)
    • %windir%system32lowsecuser.ds (Collected user information)
  • It modifies the created and accessed timestamp of %windir%system32sdra64.exe to an older date in 2002 in order to avoid suspicion. It also modifies the files attributes to be read only and hidden.
  • It download an encrypted configuration file from a remote domain:
    • GET /libraries/joomla/spm.bin HTTP/1.1
      The configuration file when decrypted was found to contain the remote C&C sever, custom hosts file and a list of banking and e-commerce sites to monitor and intercept credentials from along with the HTML pages to be injected
  • It contacts a remote C&C server and uploads scrounged cookies and stolen credentials:
    • POST /tmp_m/hwnehj/gate.php HTTP/1.1
  • It replaces the hosts file in order to be prevent AntiVirus updates:
    • screenshot
  • It modifies the following registry key to ensure infection on reboot:
    • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon:Userinit "%windir%system32userinit.exe,%windir%system32sdra64.exe,"

This newer Zbot variant has very low AV detection at the time of writing this alert.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Zbot.DRGN (Trojan)