During routine ThreatLabZ log analysis, we encountered the following malicious Zbot executable connecting back to it's CnC and exfiltrating data via POST requests.
- MD5: 0b43d6a65f67ef48f4da3a1cc09335a1
- Size: 442368 bytes
- Detected as PWS:Win32/Zbot by Microsoft (VT 43/49)
What separated this discovery from your average CnC server? The attackers were kind enough to leave the CnC server largely exposed (directory browsing enabled, many files not password protected) to provide a rare behind the scenes look at a live botnet operation. Let's walk through what we observed.
The above mentioned Zbot variant was responsible for dropping the following malicious files:
- 6ca1690720b3726bc76ef0e7310c9ee7 - Win32/Stoberox.B (VT 26 / 50)
- d2c6a0e888d66882d7dc29667c4c9ec0 - TrojanDownloader:Win32/Cutwail (VT 38/50)
(see malwr sandbox report).
- shivammehta.com [ IP: 220.127.116.11]
- merdekapalace.com [IP: 18.104.22.168]
- vodrasit.su [IP: 22.214.171.124]
While looking at the POST data submitted to hxxp://vodrasit.su/admin/gate.php, we explored this site and found that it is currently hosting two malicious files and a password protected admin console.
Below are the files which are hosted on hxxp://vodrasit.su/, which can be observed thanks to the fact that the attackers left directory browsing enabled:
[ ] admin.zip 03-Mar-2014 09:49 12M
[DIR] admin/ 21-Aug-2013 23:44
[ ] all.exe 21-Mar-2014 17:36 457K
[ ] rok.exe 21-Mar-2014 06:23 75K
- a68b10d96eb89af7388d4daa64071ad1 | rok.exe | VT: 3/50 | VT_Link | Malwr_Sandbox_Link
- 76fe3432c75ee724a8f20ea97696bd17 2/50 | all.exe | VT: 2/50 | VT_Link | Malwr_Sandbox_Link
Admin ConsoleAlthough we weren't able to access the live admin console as it was password protected, we were able to replicate the setup from the exposed source files (hxxp://vodrasit.su/admin.zip) and it would appear as shown below:
Another directory with browsing enabled exists at hxxp://vodrasit.su/admin/db/. Here the data from infected machines connecting back to the CnC server can be observed:
Before being transmitted from a victim machine, the data is encrypted using RC4 encryption, base64 encoded and then sent via the POST method to the CnC.
Here is the code for first decoding the data using base64 decoding and then RC4 decryption:
After decoding and decrypting, a record is created in the aforementioned directory hxxp://vodrasit.su/admin/db/.
The following a sample of the information stored from an infected victim:
What does this data represent?
This particular record includes the following:
- OS: WINDOWS 7
- Bits: 0 means OS is 32 BIT
- Country: SOUTH KOREA
We are continuing to track these malicious Domains and IP addresses and advise you to block them too.