New Zeus dropper being spammed actively

September 6, 2013

The Dell SonicWall Threats Research team has observed a new Dropper Trojan being delivered through an e-mail spam campaign in the wild. The attachment is a password-protected zip file containing the malicious executable. The zip is named with the recipient's first initial and last name as a suffix, which makes it more convincing for the intended recipient to open. The executable had zero AV detection at the time of this writeup; it connects to a remote server to download and install a new variant of the Zeus banking Trojan on the target machine.

Sample e-mail from this campaign that was captured today can be seen below:

The zip attachment name has the format FSEMC.(First Initial + Last Name of recipient).zip. The enclosed malicious executable masquerades as a PDF file, as seen below:
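As an added example (not code from the original post or from SonicWall), the two attachment-level indicators described above turned into a mail-gateway triage check: the zip name built from the recipient's first initial and last name, and an executable inside the archive dressed up as a PDF. The recipient "Jane Doe", the attachment name FSEMC.JDoe.zip, the sample archive and its entry name Invoice_FSEMC.pdf.exe are constructed for the demo; the post does not give the real inner file name. Entry names in a password-protected zip sit in the unencrypted central directory, so the archive check needs no password.

```python
"""Mail-gateway triage for the spam campaign described above.

Added example, not code from the original post.  Two checks the post supports:
  1. the zip name follows FSEMC.<first initial><last name>.zip for the recipient;
  2. the archive holds an executable that is dressed up as a PDF.
Entry names in a password-protected zip live in the unencrypted central
directory, so check 2 needs no password.
"""
import io
import zipfile

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".vbs")
DECOY_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def attachment_name_matches_campaign(attachment_name, recipient_first, recipient_last):
    """True if the attachment is FSEMC.<first initial><last name>.zip for this recipient."""
    expected = "FSEMC.%s%s.zip" % (recipient_first[:1], recipient_last)
    return attachment_name.casefold() == expected.casefold()


def suspicious_entries(zip_bytes):
    """List executable entries in the archive, noting double-extension PDF lookalikes.

    ZipFile.infolist() only parses the central directory, so this works on
    password-protected archives too; flag bit 0 says whether the data is encrypted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if not name.endswith(EXECUTABLE_SUFFIXES):
                continue
            stem = name.rsplit(".", 1)[0]
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & 0x1),
                "pdf_lookalike": stem.endswith(DECOY_SUFFIXES),
            })
    return findings


def triage_attachment(attachment_name, zip_bytes, recipient_first, recipient_last):
    """Combine both checks into a gateway verdict.

    An executable inside the zip is enough to quarantine; the campaign naming
    pattern alone only earns a manual review, since it is a weaker indicator.
    """
    name_match = attachment_name_matches_campaign(attachment_name, recipient_first, recipient_last)
    executables = suspicious_entries(zip_bytes)
    if executables:
        verdict = "quarantine"
    elif name_match:
        verdict = "review"
    else:
        verdict = "pass"
    return {
        "campaign_name_match": name_match,
        "executables": executables,
        "verdict": verdict,
    }


def build_sample_zip():
    """Constructed sample archive for the demo; the inner file is a 64-byte stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_FSEMC.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    # Recipient "Jane Doe" and the attachment name are constructed for the demo.
    print(triage_attachment("FSEMC.JDoe.zip", build_sample_zip(), "Jane", "Doe"))
```

The double-extension check only catches names like something.pdf.exe. An executable that merely carries a PDF icon, which is what the screenshot in the post most likely shows, needs the archive password and a look at the PE's icon resource, which is out of scope here.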

Infection Cycle:

Upon execution, the Dropper Trojan creates a copy of itself as %TEMP%\hfdfjdk.exe and runs it in the background:

It then deletes the original file that the user opened.

The Dropper then connects to a predetermined remote server and downloads the latest Zeus variant over HTTPS. We were able to capture the download command during our analysis, as seen below:

The latest Zeus variant is downloaded from the encoded URI /images/note.exe onto the system as %TEMP%\ckjienn.exe [Detected as GAV: Zbot.AAU_67 (Trojan)]. The Dropper then executes the downloaded file, which starts the Zeus infection cycle and makes the following changes to the system:

  • Creates a copy of itself as %APPDATA%\Teugw.exe
  • Creates a registry entry to ensure infection persists on system reboot:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run Teugw "%APPDATA%\Okzocuteugw.exe"

  • Injects malicious code into multiple system and user processes:
    • %WINDOWS%\system32\Dwm.exe
    • %WINDOWS%\Explorer.EXE
    • %WINDOWS%\system32\taskhost.exe
    • %PROGRAMFILES%\Adobe\Reader 9.0\Reader\reader_sl.exe
    • %WINDOWS%\system32\SearchProtocolHost.exe
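As an added example (not code from the original post or from SonicWall), a host-side triage of the Run-key persistence described above. Zeus lands its copy and its Run value in a user-writable directory (%APPDATA%, with the Dropper staging in %TEMP%), so the checker flags every Run value whose program lives in such a location and records whether the value name matches the executable's stem, as Teugw / Teugw.exe does here. The three sample Run entries, including the user "jane" and the OneDrive and SecurityHealth rows, are constructed for the demo; read_hkcu_run() pulls the real values only on a Windows host.

```python
"""Host triage for the HKCU Run persistence described above.

Added example, not code from the original post.  The checker takes a plain
list of (value name, command) pairs so it runs offline against constructed
data; on a live Windows host read_hkcu_run() supplies the real values.
"""
import ntpath
import re
import sys

# Locations a non-admin user can write to: where the Dropper and Zeus land (%TEMP%, %APPDATA%).
USER_WRITABLE_PREFIXES = ("%appdata%", "%localappdata%", "%temp%", "%tmp%")
USER_WRITABLE_PATTERNS = (
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I),
    re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\", re.I),
)

# Constructed sample in the shape the post reports; only the first row is the malicious one.
SAMPLE_RUN_ENTRIES = [
    ("Teugw", r'"%APPDATA%\Teugw.exe"'),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("OneDrive", r'"C:\Users\jane\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def executable_from_command(command):
    """Extract the program path from a Run value: the quoted path, or the first token."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def in_user_writable_location(path):
    """True for %APPDATA%/%TEMP%-style variables and expanded per-user profile paths."""
    p = path.lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or any(rx.match(path) for rx in USER_WRITABLE_PATTERNS)


def flag_run_entries(entries):
    """Return Run values whose program lives in a user-writable directory.

    value_matches_stem records the Zeus habit of naming the value after the
    executable (Teugw -> Teugw.exe); on its own it is weak evidence, since
    legitimate per-user software does the same.
    """
    findings = []
    for value_name, command in entries:
        exe = executable_from_command(command)
        if not in_user_writable_location(exe):
            continue
        stem = ntpath.splitext(ntpath.basename(exe))[0]
        findings.append({
            "value": value_name,
            "path": exe,
            "value_matches_stem": stem.lower() == value_name.lower(),
        })
    return findings


def read_hkcu_run():
    """Collect HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run on a live Windows host."""
    import winreg  # Windows-only module, imported lazily on purpose
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values
                break
            entries.append((name, str(data)))
            index += 1
    return entries


if __name__ == "__main__":
    entries = read_hkcu_run() if sys.platform == "win32" else SAMPLE_RUN_ENTRIES
    for finding in flag_run_entries(entries):
        print(finding)
```

Per-user installers such as OneDrive legitimately run from AppData, so the output is a triage list rather than a verdict: the Teugw row is the one worth pulling for analysis, and the hash of the file it points at is what you would check against the GAV signatures listed at the end of the post.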

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Tepfer.gen_4 (Trojan)
  • GAV: Zbot.AAU_67 (Trojan)