Ranbyus Banking Trojan, Cousin of Zbot

June 25, 2014

The Dell SonicWALL Threats Research Team has recently encountered a sample of the Ranbyus banking trojan family. This family, a descendant of the Zbot family, has previously been reported by others to primarily target Ukrainian and Eastern European users. One of the notable features of this strain is that it was among the first to target Java-based remote banking applications for information stealing.

Ranbyus Java injection strings

Infection Cycle

This sample of Ranbyus appears to be single-staged: it drops only a copy of itself onto disk and otherwise decodes and executes its malicious payload entirely in memory. The payload is stored as Base64-encoded data within the .rsrc section of the binary and is launched after being decoded in memory with the CryptStringToBinary API call.

The malware is seen using CryptStringToBinary to decode the Base64-encoded payload

After the initial execution, the original file is deleted with a typical use of cmd.exe: "C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\admin\APPLIC~1\file.exe >> NUL"

After deleting the original sample, the malware injects into svchost.exe. The injected svchost process then drops a copy of the malware into the Windows system directory to achieve persistence on the machine. In our analysis it used a hard-coded file name for the dropped copy, located at C:\Windows\system32\MifofomlJLohdj.exe [Detected as GAV: Zbot.SBEP].

Shortcut created in Start Up directory for persistence

In order to persist upon reboot, the malware creates a run key as well as a shortcut in the Start Up directory under the Start Menu.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dpkS_uppkrBUa_JGnwzvayGcjU

The following mutexes were seen during analysis and are used to prevent unnecessary reinfection and to manage the different infection threads.

  • \BaseNamedObjects\D83A47EC0000037001CEEA35cF_hVxJBmrxrZ
  • \BaseNamedObjects\v&xEiR43#$

In addition to performing the persistence routines, the injected svchost process is also seen performing the callback communication.

The svchost process can be seen connecting to the C&C server

The use of Base64 encoding continues in the C&C communication, although a custom alphabet is used to hinder analysis of the traffic.

HTTP post to the C&C server contains Base64 data

Further analysis of the binary in memory led us to the custom alphabet used by this sample: G4ozATO/sx521knPHdvVKZWXq9yfm6LNUQtcr3ea+MFubgCB8pES7RwlYhjiDIJ0=. We can then use this alphabet and this script to decode the traffic, as seen below.

A bit of formatting of the decoded callback communications reveals the content of the traffic.
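The decoding step described above, as an added example rather than the script the write-up refers to: because a custom alphabet only permutes the 64 Base64 symbols, mapping each symbol back to its standard counterpart and running a normal Base64 decoder recovers the plaintext. The alphabet is the one quoted above; the sample POST body is constructed for illustration, not captured traffic.

```python
import base64
import string

# Custom Base64 alphabet recovered from the sample's memory (quoted in the write-up above).
# Its 65th character, "=", serves as the padding symbol, just as in standard Base64.
RANBYUS_ALPHABET = "G4ozATO/sx521knPHdvVKZWXq9yfm6LNUQtcr3ea+MFubgCB8pES7RwlYhjiDIJ0"
RANBYUS_PAD = "="
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def _check_alphabet(alphabet: str, pad: str) -> None:
    """A usable alphabet has 64 distinct symbols plus one padding symbol outside them."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct symbols")
    if len(pad) != 1 or pad in alphabet:
        raise ValueError("padding symbol must be a single character outside the alphabet")


def decode_custom_b64(data: str, alphabet: str = RANBYUS_ALPHABET, pad: str = RANBYUS_PAD) -> bytes:
    """Decode text that was Base64-encoded with a substituted alphabet.

    Whitespace is ignored. Any other symbol outside the alphabet is reported as an
    error instead of being silently passed through, since that is usually the first
    sign that the wrong alphabet (or a different sample's alphabet) is in use.
    """
    _check_alphabet(alphabet, pad)
    cleaned = "".join(data.split())
    bad = sorted({c for c in cleaned if c not in alphabet and c != pad})
    if bad:
        raise ValueError(f"symbols not in alphabet: {bad!r}")
    translated = cleaned.translate(str.maketrans(alphabet + pad, STD_ALPHABET + "="))
    # Restore any padding stripped on the wire so the strict standard decoder accepts it.
    translated += "=" * (-len(translated) % 4)
    return base64.b64decode(translated, validate=True)


def encode_custom_b64(raw: bytes, alphabet: str = RANBYUS_ALPHABET, pad: str = RANBYUS_PAD) -> str:
    """Inverse of decode_custom_b64; used here only to build test vectors for the decoder."""
    _check_alphabet(alphabet, pad)
    table = str.maketrans(STD_ALPHABET + "=", alphabet + pad)
    return base64.b64encode(raw).decode("ascii").translate(table)


# Constructed sample POST body (not captured traffic): the string "bot=1" under the custom alphabet.
SAMPLE_POST_BODY = "qeI7PVA="

if __name__ == "__main__":
    print(decode_custom_b64(SAMPLE_POST_BODY))  # prints b'bot=1'
```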

Summary

Overall, the purpose of this malware is to steal banking information, as well as other personal information and credentials. Dell SonicWALL Gateway Anti-Virus provides protection against this threat with the following signature:

  • GAV: Zbot.SBEP