Malware's Most Wanted: Zberp, the Financial Trojan

Post on 15-Jan-2015

Description

Zbot + Carberp = Zberp, an online banking trojan that is reported to have impacted 450 financial institutions around the world in the first month since discovery. In addition to its malicious capabilities, the Zberp Trojan uses a combination of evasion techniques that it inherited from both Zeus (also known as Zbot) and Carberp. Add in the 'invisible persistence' feature and you have one nasty piece of malware.

Transcript of Malware's Most Wanted: Zberp, the Financial Trojan

ZBERP: Inside a Financial Trojan

Your speakers today

Marion Marschalek, Security Research Expert

Shelendra Sharma, Product Marketing Director

Agenda

o What is ZBERP

o Dissecting the malware

o Wrap-up and Q&A

Cyphort Labs T-shirt

Threat Monitoring & Research team

o 24x7 monitoring for malware events

o Assist customers with their forensics and incident response

We enhance malware detection accuracy

o False positives/negatives

o Deep-dive research

We work with the security ecosystem

o Contribute to and learn from malware KB

o Best of 3rd-party threat data

Banking Trojans

How Malware Became Greedy

Zeus, Citadel, SpyEye, ZitMo, ZeusVM/KINS, Carberp... Zberp!

Source: https://www.mobigyaan.com

Source: https://zeustracker.abuse.ch/

ZeusVM / KINS

o Born December 2011

o Sold as a kit since 2013

o Heavily based on Zeus code

http://blog.fox-it.com/2013/07/25/analysis-of-the-kins-malware/

There Is No Honor Among Thieves

KINS + Carberp = Zberp?

Code injection

Hooking technique

Infection routine

VM code

Steganographic configuration

ZBERP

How Zeus and Kins and Carberp Merged

What Makes ZBERP

o Steganography

o Invisible persistence

o SSL CnC communication

o VMProtect feature

o New hooking implementation

System Infiltration

1. Drop executable in the user's %APP% folder

2. Create and execute a batch file to delete dropper

3. Maintain registry key for persistence

4. Inject payload to system processes

5. Download customized configuration


ZEUS

Virtual Machine Code Execution

1. Grab next opcode

2. Call opcode handler

KINS

Steganographic Configuration

KINS

Invisible Persistence

Thread for managing autorun key

...

KINS
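Detection logic a defender might build around the two persistence points in this deck (an executable dropped under the user profile that maintains its own registry Run key, and a thread that keeps managing that autorun value). This is an added example, not code from the talk or from Cyphort: the pipe-delimited registry audit lines, the process and key names, and the "time|op|image|target|data" layout are all constructed for the demo.

```python
"""Flag Run-key self-persistence patterns in registry audit events (added example).

SAMPLE_LOG is constructed for this demo in a made-up pipe-delimited layout
(time|op|image|target|data); it is not real telemetry from the talk.
"""
import re
from collections import defaultdict

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
USER_APPDATA = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

SAMPLE_LOG = r"""
09:00:01|SetValue|C:\Users\bob\AppData\Roaming\zx\host.exe|HKU\S-1-5-21-7\Software\Microsoft\Windows\CurrentVersion\Run\zx|C:\Users\bob\AppData\Roaming\zx\host.exe
09:00:02|DeleteValue|C:\Users\bob\AppData\Roaming\zx\host.exe|HKU\S-1-5-21-7\Software\Microsoft\Windows\CurrentVersion\Run\zx|
09:00:03|SetValue|C:\Users\bob\AppData\Roaming\zx\host.exe|HKU\S-1-5-21-7\Software\Microsoft\Windows\CurrentVersion\Run\zx|C:\Users\bob\AppData\Roaming\zx\host.exe
09:05:00|SetValue|C:\Program Files\Vendor\setup.exe|HKU\S-1-5-21-7\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray|C:\Program Files\Vendor\tray.exe
09:06:00|SetValue|C:\Windows\explorer.exe|HKU\S-1-5-21-7\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|1
"""


def parse(log):
    """Yield (op, image, target, data) for each non-empty event line."""
    for line in log.strip().splitlines():
        _time, op, image, target, data = line.split("|", 4)
        yield op, image, target, data


def find_suspicious(log):
    """Return {(image, run_value): [reasons]} for autorun activity worth triage."""
    stats = defaultdict(lambda: {"set": 0, "del": 0, "self": False})
    for op, image, target, data in parse(log):
        if not RUN_KEY.search(target):
            continue  # only Run / RunOnce values are of interest here
        s = stats[(image, target)]
        if op == "SetValue":
            s["set"] += 1
            # autorun value launches the very process that wrote it, from the user profile
            if data.lower() == image.lower() and USER_APPDATA.match(data):
                s["self"] = True
        elif op == "DeleteValue":
            s["del"] += 1
    findings = {}
    for key, s in stats.items():
        reasons = []
        if s["self"]:
            reasons.append("self-persisting executable dropped under user AppData")
        if s["del"] and s["set"] >= 2:
            reasons.append("autorun value deleted and re-created by the same image")
        if reasons:
            findings[key] = reasons
    return findings
```

Both heuristics fire on the constructed `zx` entry, while the vendor installer writing a Run value for a different binary and the unrelated Explorer setting are ignored.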

Code Injection Technique

Suspend – Inject – Resume

Executable injection

CARBERP

"Man-in-the-browser"

ZBERP

"Man-in-the-browser"

Key Take-aways: How to Stay Safe

Critical Questions

Zeus first appeared in 2007 – why are its derivatives still so successful?

What is compromised on an infected machine?

How can mitigation be achieved?

Zeus' Success

Modularity.

Flexibility.

Persistence.

Potential Data Loss

Digital Identities

Critical Browser Data

Media

Sensitive Documents

Anything the botnet operator desires!

Conclusions

o Don't underestimate Zeus and its descendants.

o Check for the presence of unfamiliar network callbacks.

o Use a professional-grade APT solution to detect these Trojans.

Q and A

o Information sharing and advanced threats resources

o Blogs on latest threats and findings

o Tools for identifying malware

Thank You!