Throughout September 2016 we have observed an actor sending malware to Canadian nationals by e-mail. Upon investigation we have determined the malware payload to be DELoader, which downloads a Zeus variant banking trojan upon execution.

E-mail Lures

The e-mails typically pretend to be from the Canada Revenue Agency (CRA) claiming that the individual has a tax payment outstanding.

The e-mails contain an MSG attachment with an embedded OLE object. This is not a technique we see very often and is challenging for security products to detect due to the complicated MSG format. When the user opens the MSG attachment they are faced with the following content:

The embedded object name "case_243541.doc" here is actually a spoofed object name. Double clicking on this fake document will prompt the user as to whether they wish to run a JScript file. If execution is allowed then the JScript file will begin to download and execute malware from the following URL:

hxxp://tradestlo.top/poll.hls

Malware Payload (DELoader)

The malware downloaded by the malicious JScript files is a trojan downloader known as DELoader (aka Terdot). This malware has previously been used to target German nationals. In the sample we analysed (SHA1 5bfb7cbc0c79e1ce7fd4861193bd38ceeb4c8c2d) DELoader downloaded and executed a Zeus banking trojan variant from one the following URLs:

hxxps://aspecto.top/dpr.bin hxxps://prisectos.top/dpr.bin

Contrary to previous research we do not believe DELoader to be a generic malware downloader. DELoader seems to be solely used to distribute a specific variant of the Zeus banking trojan. We unpacked the embedded DELoader DLL (SHA1 cad1715f0ffd32092001a14c5f8de6990c379867) and compared it with the Zeus variant it downloaded (SHA1 e57362eaa240da948980c4c6133d63c2a4c07b31). As a result we noticed the following connections:

Both use the same domains aspecto[.]top and prisectos[.]top

Both contain the string "shared_%s"

Both were compiled using Microsoft Visual Studio 2012

Both were compiled within 20 seconds of each other according to the PE headers

DELoader is hard-coded with an export to call in the Zeus DLL

DELoader appears to be compiled under the name "loader.dll" and the Zeus variant appears to be compiled under the name "client32.dll".

Malware Payload (Zeus Variant)

Zeus (aka ZBot) is an infamous banking trojan capable of intercepting and modifying online banking traffic in order to perform fraudulent transactions. It does this by injecting itself into web browsers that are running on the machine. It is also capable of stealing other credentials from the machine, enabling remote desktop access, and acting as a proxy server for an attacker.

In the sample we analysed the malware downloaded its main configuration file from one of the following URLs:

hxxps://aspecto.top/dsr.bin hxxps://prisectos.top/dsr.bin

We were able to decrypt the configuration to reveal its version number, command-and-control (C&C) and a list of banking websites to steal and modify traffic from.

VERSION 1.5.5.0 COMMAND AND CONTROL URL hxxps://namoterno.top/promo.php ALTERNATIVE CONFIG URL hxxps://alecofrinse3.com/aqs.bin hxxps://bielakee.xyz/cr2.bin hxxps://lwowenase.top/core.bin ...

The list of banking websites were mainly Canadian banks, with some US and Australian banks also targeted.

Protection Statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.

Stage 5 (Dropper File) - DELoader is prevented from being downloaded by the malicious JScript file.

Stage 6 (Call Home) - Attempts by the Zeus variant to call home are identified and blocked.

Summary

The actor behind DELoader has started targeting Canadian nationals with a variant of the Zeus banking trojan. The DELoader malware itself appears to have been designed specifically for use with this Zeus variant. The Zeus code base continues to be a popular choice for malware developers looking to create a quick and easy banking trojan. It is important to be careful when opening e-mail attachments and to verify that the sender is who they say they are.

The Canada Revenue Agency website has additional information for recognising and protecting against fraud.

Blog contributors: Nick Griffin, Ran Mosessco

Indicators of Compromise

JScript Downloader (SHA1)

f4a4a2207c8c1135a7bdf819d95e9ee22d34d733

DELoader (SHA1)

5bfb7cbc0c79e1ce7fd4861193bd38ceeb4c8c2d

DELoader Unpacked DLL (SHA1)

cad1715f0ffd32092001a14c5f8de6990c379867

Zeus Variant (SHA1)

e57362eaa240da948980c4c6133d63c2a4c07b31

DELoader Payload URL

hxxp://tradestlo.top/poll.hls

Zeus Variant Payload URL

hxxps://aspecto.top/dpr.bin hxxps://prisectos.top/dpr.bin

Zeus Variant Config URLs

hxxps://aspecto.top/dsr.bin hxxps://prisectos.top/dsr.bin hxxps://alecofrinse3.com/aqs.bin hxxps://bielakee.xyz/cr2.bin hxxps://lwowenase.top/core.bin

Zeus Variant C&C

hxxps://namoterno.top/promo.php