P2P Zeus downloader targeting corporate e-mails

November 13, 2013

The Dell SonicWall Threats Research team received reports of a targeted corporate e-mail spam campaign that spreads an SSL-based Zeus downloader. We have observed similar campaigns in the past as seen here. After successfully infecting the victim machine, the downloader retrieves a P2P Zeus Trojan variant over SSL.

Infection cycle:

The malicious sample spreads through a targeted campaign where it tries to lure employees into downloading a Confidential Document as seen from the e-mail below:

The executable comes with a PDF icon:

The Trojan drops the following files to the file-system:

  • %APPDATA%\Local\Temp\budha.exe [Detected as GAV: Tepfer.ZC (Trojan)] (id 60505822)
  • %APPDATA%\Local\Temp\kilf.exe [Detected as GAV: Zbot.ES_5 (Trojan)] (id 60505862)
  • %APPDATA%\Roaming\Wucuronoe.exe [Detected as GAV: Zbot.ES_5 (Trojan)] (id 60505854)
  • %APPDATA%\Local\Temp\RRO1145.bat - deletes kilf.exe and itself

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "%APPDATA%\Roaming\Wucuronoe.exe"

The Trojan adds the following additional keys to the Windows registry:

  • HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list [4064:tcp]
  • HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list [5275:udp]
  • HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile disablenotifications
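The dropped files and registry changes above are all host-observable, so they can be checked without any network capture. The following PowerShell script is an added example (it is not part of the SonicWall advisory) that performs a read-only sweep of a host for exactly those indicators: the four dropped files, the Run-key persistence entry, the two firewall port exceptions and the suppressed-notification setting. It assumes the advisory's "%APPDATA%\Local\Temp" means %LOCALAPPDATA%\Temp and "%APPDATA%\Roaming" means %APPDATA%, and that the firewall exceptions are stored as values named `port:protocol` under GloballyOpenPorts\List, as the XP/2003-era firewall does; the function name Test-P2PZeusIndicators is our own.

```powershell
# Added example, not from the SonicWall advisory: read-only check of one host for the
# file and registry indicators listed in the write-up. Assumes %APPDATA%\Local\Temp in
# the advisory means $env:LOCALAPPDATA\Temp and %APPDATA%\Roaming means $env:APPDATA.
# Run in the profile of the user who opened the attachment; reading HKLM needs no elevation.

function Test-P2PZeusIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped files. RRO1145.bat deletes kilf.exe and itself, so those two may already be gone;
    #    budha.exe and the Roaming copy Wucuronoe.exe are the ones most likely to remain.
    $paths = @(
        (Join-Path $env:LOCALAPPDATA 'Temp\budha.exe'),
        (Join-Path $env:LOCALAPPDATA 'Temp\kilf.exe'),
        (Join-Path $env:LOCALAPPDATA 'Temp\RRO1145.bat'),
        (Join-Path $env:APPDATA      'Wucuronoe.exe')
    )
    foreach ($f in $paths) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            # Get-FileHash needs PowerShell 4.0 or later
            $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $findings.Add("Dropped file present: $f (SHA256 $hash)")
        }
    }

    # 2. Persistence: any Run value whose command line launches Wucuronoe.exe
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # skip the provider's PSPath/PSDrive metadata
            if ("$($p.Value)" -match 'Wucuronoe\.exe') {
                $findings.Add("Run key value '$($p.Name)' -> $($p.Value)")
            }
        }
    }

    # 3. Firewall tampering: the two ports the Trojan opens for its P2P traffic, plus
    #    DisableNotifications = 1, which hides the "allow this program?" prompt from the user.
    #    ($PROFILE is a PowerShell automatic variable, hence the $fwProfile name.)
    $fwProfile = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $portList  = Join-Path $fwProfile 'GloballyOpenPorts\List'
    if (Test-Path $portList) {
        foreach ($p in (Get-ItemProperty -Path $portList).PSObject.Properties) {
            if ($p.Name -match '^(4064:tcp|5275:udp)$') {    # -match is case-insensitive by default
                $findings.Add("Firewall exception '$($p.Name)' = $($p.Value)")
            }
        }
    }
    if (Test-Path $fwProfile) {
        $dn = (Get-ItemProperty -Path $fwProfile -ErrorAction SilentlyContinue).DisableNotifications
        if ($dn -eq 1) {
            $findings.Add('StandardProfile\DisableNotifications = 1 (firewall prompts suppressed)')
        }
    }

    return $findings
}

# Wrap in @() so a single hit or no hit still yields an array with a usable .Count
$hits = @(Test-P2PZeusIndicators)
if ($hits.Count -eq 0) {
    Write-Output 'No P2P Zeus indicators from this advisory were found on this host.'
} else {
    Write-Warning "$($hits.Count) indicator(s) found - isolate the host and preserve the files before cleanup:"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

The script only reads; it deliberately does not delete files or registry values, because the dropped binaries and their hashes are the evidence an incident responder will want before the host is reimaged. The port and Run-key checks match on the exact names in the advisory, so a variant that picks different ports or a different file name will not be caught by this list alone.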

It downloads a malicious executable named heap.exe from ao[removed]/[removed]/heap.exe [Detected as GAV: Zbot.ES_5 (Trojan)]. This site appears to belong to a legitimate marketing company and is being used as a conduit to spread malicious content.

We observed the Trojan accessing .WAB (Windows Address Book) files on the infected system. These are files used by Outlook and Outlook Express that store contact information such as names, mailing addresses and phone numbers.

Dell SonicWALL Gateway AntiVirus has blocked more than 200,000 Zeus attachments from this targeted campaign in the past 12 hours. It has also blocked more than 34,000 downloads of the Zeus Trojan by this infection in the wild during the same timeframe. Below is the geographic distribution of this spam campaign:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Tepfer.ZC (Trojan)
  • GAV: Zbot.ES_5 (Trojan)