Following on from the previous post about the ZeuS “ACH transaction canceled” distribution campaign, we now turn to look at the distributed binary.
This is version 2.0 of the Zeus variant known as Murofet. It has come to be named ZeuS P2P, due to some of its characteristics, which make use of this technique.
Of all recent versions, this is most evolved with many modifications from the original version. It is rumoured that this version could come from original author of ZeuS, as the modifications require a deep understanding of the original work.
The relationship to the original Murofet can be clearly seen in the configuration files. They are at the same time different from those of the original ZeuS and yet similar to each other. They have new labels in some sections and an easily detectable feature, the ERCP delimiter, as shown in the following image:
In this variant the trojan uses a P2P structure to obtain the configuration file, which is an interesting modification. To do this, it uses a few incorporated IPs, firstly, and attempts to communicate with them via UDP:
The storage route, both for the binary and the registry paths, are similar to previous versions, but in this version the configuration file is stored with only RC4 encryption without the XOR layer (also known as VisualEncrypt; logically, because it does not provide any security).
Similarly, there is evidence that the trojan deletes the RC4 key from memory after each use, in a clear attempt to prevent it from being detected.
Finally, the C&C server shown in the configuration file appears to be false, in a clear attempt to mislead and delay any analysis.
In summary, this is a modified version of ZeuS, with very advanced characteristics and changes aimed at protecting itself from automatic analysis of the binary and self preservation against the destruction of the network infrastructure, but without any notable functional changes.
Jozsef Gegeny & Santiago Vicente