Ranbyus Banking Trojan, Cousin of Zbot
The Dell SonicWALL Threats Research Team has recently encountered an example of the Ranbyus banking trojan family. This family, a descendant of the Zbot family, has previously been reported by others to primarily target Ukranian and Eastern European users. One of the notable features of this strain is that it was one of the first to target Java remote banking apps for information stealing.
This sample of Ranbyus appears to be single-staged, as it only drops a copy of itself onto disk and otherwise decodes and executes its malicious payload entirely in memory. The payload is stored as Base64 encoded data within the .rsrc section of the binary, and is launched after being decoded in memory with the CryptStringToBinary API call.
After the initial execution, the original file is deleted with a typical use of cmd.exe: "C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\admin\APPLIC~1\file.exe >> NUL"
After self-destructing the original sample, svchost.exe is injected. The injected svchost process then proceeds to drop the malware into the Windows system directory to achieve persistence on the machine. In our analysis, it used a hard-coded name for the dropped copy, located in C:Windowssystem32MifofomlJLohdj.exe [Detected as GAV: Zbot.SBEP].
In order to persist upon reboot, the malware creates a run key as well as a shortcut in the Start Up directory under the Start Menu.
The following mutexes were seen during analysis and are used to prevent unnecessary reinfection and to manage the different infection threads.
In addition to performing the persistence routines, the injected svchost process is also seen performing the callback communication.
The usage of Base64 encoding continues in the C&C communication, although a custom alphabet is used to hinder analysis of the traffic.
Further analysis of the binary in memory was able to lead us to the custom alphabet used for this sample:
G4ozATO/sx521knPHdvVKZWXq9yfm6LNUQtcr3ea+MFubgCB8pES7RwlYhjiDIJ0=. We can then use this alphabet and this script to decode the traffic as seen below.
Overall, the purpose of this malware is to steal banking information, as well as other personal information and credentials. Dell SonicWall Gateway Anti-Virus provides protection against this threat with the following signature:
- GAV: Zbot.SBEP