Murofet: Changing to zlib
Time passes, and in the malware world new threats keep emerging while the established ones continue to evolve; everything points to this continuing.
In this blog, we will once again talk about Zeus and, in particular, the version known as Murofet.
Around June, we discussed the different branches of Zeus. We have seen how the developers have implemented new functionality such as P2P and domain name generation in what is known as Murofet 2.0.
In one of the latest samples received, we noticed that something did not quite fit the usual behaviour. On closer investigation we found that certain sections, instead of being compressed with UCL, are now compressed with zlib.
Image 1: Use of zlib v 1.2.5
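To tell a zlib-compressed section apart from one that is not, an analyst can validate the two-byte zlib stream header (RFC 1950) and then attempt a full inflate, which also verifies the trailing Adler-32 checksum. The following is an added example, not code from the original post or from the malware; the section names and plaintext are constructed sample data.

```python
import zlib

# Constructed sample data (not taken from any real sample).
SAMPLE_PLAINTEXT = b"url_config=http://example.invalid/cfg.bin\n" * 4


def is_zlib_header(data: bytes) -> bool:
    """Check the zlib stream header (RFC 1950).

    CMF low nibble is the compression method (8 = deflate), CMF high
    nibble the window size (<= 7), and CMF*256 + FLG must be a multiple
    of 31 (the FCHECK field).
    """
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    if cmf & 0x0F != 8 or (cmf >> 4) > 7:
        return False
    return (cmf * 256 + flg) % 31 == 0


def try_inflate(data: bytes):
    """Return the inflated bytes if `data` is a complete zlib stream, else None.

    The header check alone passes roughly 1 in 31 random byte pairs, so a
    real inflate (which also checks the Adler-32 trailer) is the decider.
    """
    if not is_zlib_header(data):
        return None
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


def classify_sections(sections: dict) -> dict:
    """Label each section blob 'zlib' if it inflates cleanly, else 'other'.

    A UCL-compressed or plain section has no RFC 1950 header and no
    Adler-32 trailer, so it falls into 'other'.
    """
    return {
        name: ("zlib" if try_inflate(blob) is not None else "other")
        for name, blob in sections.items()
    }


if __name__ == "__main__":
    demo = {"cfg": zlib.compress(SAMPLE_PLAINTEXT), "raw": SAMPLE_PLAINTEXT}
    print(classify_sections(demo))
```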
Zeus has evolved considerably. Gone is the time when botnets did not have their own keys and encryption consisted of little more than a simple XOR. Recent developments show the creators' increasing maturity: they have stopped trying to reinvent the wheel and have been incorporating existing cryptographic algorithms, far more robust than their predecessors, which is entirely logical.
If we focus on the gang behind Murofet in particular, we can see ongoing development that distinguishes it ever more from the official version. The changes introduced step by step, both at the internal level (modifications to the encryption of the configuration file) and in the added features mentioned previously, indicate in-depth knowledge of the subject.
In addition, we must not forget that the first variant was seen before the source code leaked, which makes it clear that the group behind it has very clear objectives.
We will keep playing.
Jozsef Gegeny and Mikel Gastesi