Neutrino Exploit Kit delivers zero-detection Zeus Variant

05 June 2015


We recently spotted Neutrino being used to deliver a zero-detection Zeus variant and are sharing some brief indicators here.

The Neutrino Exploit Kit check-in response carries base64-encoded data inside an HTML comment:

<!--.DEBUGMTQwMTA3NjM4NjcxNTc2NiNyYXRlIDUjMTQzMzM4NDE4MzIxNjMwNSNsb2FkZXIgaHR0cDovL3NlbGxzLXN0b3JlLmNvbS9mb3J1bS9hY2V6LmV4ZSM=DEBUG.-->

Decoded, this translates to:

1401076386715766#rate 5#1433384183216305#loader http[:]//sells-store[.]com/forum/acez.exe#
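The decode above can be automated for triage. The following is an added example (not code from the original post or from PwC) that pulls the base64 payload out of the `<!--.DEBUG ... DEBUG.-->` comment, decodes it, splits the `#`-delimited fields into the numeric identifiers and the `rate` / `loader` commands, and defangs the loader URL for reporting. The sample response is constructed around the exact comment quoted above; the field layout (numeric ids interleaved with `<command> <argument>` pairs) is an assumption drawn only from this one sample.

```python
import base64
import re

# Constructed sample: the DEBUG comment quoted in the post, wrapped in minimal HTML.
SAMPLE_RESPONSE = (
    "<html><body>"
    "<!--.DEBUGMTQwMTA3NjM4NjcxNTc2NiNyYXRlIDUjMTQzMzM4NDE4MzIxNjMwNSNsb2FkZXIg"
    "aHR0cDovL3NlbGxzLXN0b3JlLmNvbS9mb3J1bS9hY2V6LmV4ZSM=DEBUG.-->"
    "</body></html>"
)

# Matches the check-in marker and captures the base64 body between the DEBUG tags.
DEBUG_BLOCK = re.compile(r"<!--\.DEBUG([A-Za-z0-9+/=]+)DEBUG\.-->")


def extract_checkin(html):
    """Return the decoded check-in string, or None if no valid DEBUG block is present."""
    m = DEBUG_BLOCK.search(html)
    if not m:
        return None
    try:
        # validate=True rejects stray characters instead of silently skipping them.
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("ascii", errors="replace")


def parse_checkin(decoded):
    """Split the '#'-delimited check-in into numeric ids and 'command argument' pairs.

    Layout assumed from the single sample in the post: purely numeric fields are
    identifiers; anything else is '<command> <argument>'.
    """
    ids = []
    commands = {}
    for field in decoded.split("#"):
        if not field:
            continue  # trailing '#' produces an empty field
        if field.isdigit():
            ids.append(field)
        else:
            key, _, value = field.partition(" ")
            commands[key] = value
    return {"ids": ids, "commands": commands}


def defang(url):
    """Defang a URL the way the post does: http[:]// and [.] in the host part only."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url.replace(".", "[.]")
    host, slash, path = rest.partition("/")
    return scheme + "[:]//" + host.replace(".", "[.]") + slash + path


if __name__ == "__main__":
    decoded = extract_checkin(SAMPLE_RESPONSE)
    info = parse_checkin(decoded)
    print("ids:     ", info["ids"])
    print("rate:    ", info["commands"].get("rate"))
    print("loader:  ", defang(info["commands"].get("loader", "")))
```

Running it against the constructed sample reports the two identifiers, `rate 5`, and the defanged loader URL `http[:]//sells-store[.]com/forum/acez.exe`; on a page with no DEBUG comment, or with a corrupted base64 body, `extract_checkin` returns `None` rather than raising.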

Retrieving that executable, which has an MD5 hash of 2fc852f50667a09609d2a66770df180d, and analysing it on Malwr.com, we can see that it creates mutexes that match the Zeus banking trojan:

Image 1

https://malwr.com/analysis/NjIzY2EyZjMzMzM2NGQzMjhhODk3MjY3NmFkMDgyYTc/

At the time of writing this was not detected by any anti-virus software on VirusTotal:

Image 2

The domain sells-store[.]com is registered to a registrant called Wuxi Yilian LLC, which is associated with many other spam/scam domains. The domain's creation date is 1 June 2015, which suggests this is a recent wave.

Image 3

The executable makes a DNS request for the domain stat777-toolbarueries-google[.]com, which is also registered by Wuxi Yilian LLC.

This matches the domain naming format seen in previous Zeus variants, for example:

https://zeustracker.abuse.ch/monitor.php?host=stat2070-toolbarueries-google.com

Image 6

Information regarding the Zeus Trojan can be found on the following Symantec post:

http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

Information regarding the Neutrino Exploit Kit can be found here:

http://blog.trendmicro.com/trendlabs-security-intelligence/a-new-exploit-kit-in-neutrino/

http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

The Emerging Threats Pro signature that captures the Neutrino check-in response is 2810822.

We are sharing some simple IDS signatures to detect the second stage infection .exe download:

Suricata

alert http any any <> any any (msg:"[PwC] eCrime Neutrino DDoS tool 2nd Stage implant download (acez.exe)"; flow:established,from_client; content:"/forum/acez.exe"; http_uri; isdataat:!1,relative; sid:30000001; rev:2015060401;)

Snort

alert tcp any any <> any any (msg:"[PwC] eCrime Neutrino DDoS tool 2nd Stage implant download (acez.exe)"; flow:established,from_client; content:"/forum/acez.exe"; http_uri; isdataat:!1,relative; sid:30000001; rev:2015060401;)


We also have simple IDS signatures for the Zeus C&C domain that is contacted:

Suricata

alert http any any <> any any (msg:"[PwC] Zeus C&C domain (stat777)"; flow:established,from_client; content:"stat777-toolbarueries-google.com"; http_host; isdataat:!1,relative; classtype:trojan-activity; sid:30000002; rev:2015060501;)

alert dns any any <> any any (msg:"[PwC] Zeus C&C domain (stat777)"; flow:established,from_client; dns_query; content:"stat777-toolbarueries-google.com"; isdataat:!1,relative; classtype:trojan-activity; sid:30000003; rev:2015060501;)

Snort

alert tcp any any <> any any (msg:"[PwC] Zeus C&C domain (stat777)"; flow:established,from_client; content:"stat777-toolbarueries-google.com"; http_header; isdataat:!1,relative; classtype:trojan-activity; sid:30000002; rev:2015060501;)

alert udp any any <> any 53 (msg:"[PwC] Zeus C&C domain (stat777)"; flow:established,from_client; content:"|1C|stat777-toolbarueries-google|03|com"; nocase; classtype:trojan-activity; sid:30000003; rev:2015060501;)

# TCP variant of the DNS rule. It needs its own sid: Snort treats a second rule with the same gid/sid/rev as a duplicate and ignores it.
alert tcp any any <> any 53 (msg:"[PwC] Zeus C&C domain (stat777)"; flow:established,from_client; content:"|1C|stat777-toolbarueries-google|03|com"; nocase; classtype:trojan-activity; sid:30000004; rev:2015060501;)
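The Snort DNS rules above match the name in DNS wire format, where each label is preceded by its length byte, which is why the content reads `|1C|stat777-toolbarueries-google|03|com` rather than the dotted name. The following is an added example (not code from the original post or from PwC) that builds that wire-format content string for any domain, renders it in Snort/Suricata `content:` syntax, and checks it against a constructed DNS query so the difference from a plain dotted-string match is visible. The helper names are hypothetical; the query packet is constructed inline, not captured traffic.

```python
import struct

# Domain from the post, used as the sample to encode.
ZEUS_DOMAIN = "stat777-toolbarueries-google.com"


def dns_wire_labels(domain):
    """Encode a domain as DNS wire-format labels (length byte + label bytes).

    The terminating root label (0x00) is left off so the result can be used as a
    substring match on either a query or a response section.
    """
    out = b""
    for label in domain.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:  # RFC 1035 label length limit
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out


def snort_content(wire):
    """Render bytes in Snort/Suricata content syntax: printable ASCII inline, other
    bytes as |XX| hex blocks, with runs of hex bytes merged into one block."""
    pieces = []
    hexrun = []
    for b in wire:
        printable = 0x20 <= b < 0x7F and chr(b) not in '|";\\'
        if printable:
            if hexrun:
                pieces.append("|" + " ".join("%02X" % x for x in hexrun) + "|")
                hexrun = []
            pieces.append(chr(b))
        else:
            hexrun.append(b)
    if hexrun:
        pieces.append("|" + " ".join("%02X" % x for x in hexrun) + "|")
    return "".join(pieces)


def build_dns_query(domain, txid=0x1234):
    """Constructed DNS A query over UDP: 12-byte header, QNAME, root byte, QTYPE A, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    return header + dns_wire_labels(domain) + b"\x00" + struct.pack(">HH", 1, 1)


def rule_content_hits(payload, domain):
    """True if the wire-format labels for `domain` appear in the packet payload,
    i.e. what the content: match in the Snort DNS rules above is testing."""
    return dns_wire_labels(domain) in payload


if __name__ == "__main__":
    wire = dns_wire_labels(ZEUS_DOMAIN)
    print('content:"%s";' % snort_content(wire))
    query = build_dns_query(ZEUS_DOMAIN)
    print("wire-format match:", rule_content_hits(query, ZEUS_DOMAIN))
    print("dotted-string match:", ZEUS_DOMAIN.encode() in query)
```

For the post's domain the first line prints `content:"|1C|stat777-toolbarueries-google|03|com";`, the same value used in the Snort rules, and the constructed query matches the wire-format content but not the dotted string. The `nocase` modifier on the original rules matters here because resolvers may mix label case; the length bytes are unaffected.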


If you have any queries about this, please contact us at [email protected]