Many game makers let players alter a game's appearance or behavior to increase its enjoyment and replay value, and players can often download packages created by others. This also gives attackers a way to distribute malware. The report below examines a batch-script stealer distributed via a crafted Minecraft source pack.
The zEus stealer malware was found added to a source pack shared on YouTube. The name zEus comes from a previous variant of this malware. That earlier variant (SHA-256 d9d394cc2a743c0147f7c536cbb11d6ea070f2618a12e7cc0b15816307808b8a) was also distributed via a Minecraft source pack, but embedded in a WinRAR self-extracting (SFX) archive.
The SFX file mimics a Windows screensaver (.scr) file. When run, it launches the stealer and opens the image that serves as its file icon.
The image is taken from the Internet with the string "zEus" added. The same name appears in the profile of the Discord webhook that receives the stolen data.[1]
Figure 1: The string on the icon of the inserted file
Figure 2: The author’s name of the webhook is zEus
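The earlier variant arrived as a WinRAR SFX executable posing as a screensaver. The following triage helper, added to this write-up and not FortiGuard's or the malware's code, shows how such a carrier is recognised: a PE (MZ) file that contains an embedded RAR archive marker, combined with a .scr extension (which Windows executes like any .exe) or a double extension. The sample bytes are constructed for illustration and are not a real archive.

```python
"""Spot a WinRAR self-extracting executable by its embedded RAR marker and a
misleading extension. Added example for this write-up; the sample bytes below
are constructed, not taken from the zEus sample."""
import os
from typing import Dict, List

# Archive signatures documented by RARLAB: RAR 4.x and RAR 5.x markers.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
# Extensions Windows treats as directly executable (not an exhaustive list).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def find_rar_marker(data: bytes) -> int:
    """Offset of an embedded RAR marker, or -1. In an SFX the archive follows the stub."""
    for magic in (RAR5_MAGIC, RAR4_MAGIC):
        off = data.find(magic)
        if off != -1:
            return off
    return -1


def triage_sfx(filename: str, data: bytes) -> Dict[str, object]:
    """Return what looks wrong with a downloaded file: PE stub plus RAR payload,
    screensaver extension, or a double extension such as pack.png.scr."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    is_pe = data[:2] == b"MZ"
    rar_off = find_rar_marker(data) if is_pe else -1
    findings: List[str] = []
    if is_pe and rar_off > 0:
        findings.append(f"PE with embedded RAR archive at offset {rar_off} (WinRAR SFX)")
    if ext == ".scr":
        findings.append("screensaver extension: runs as a normal executable")
    if ext in EXEC_EXTS and "." in stem:
        findings.append("double extension hides the executable type")
    return {"file": filename, "is_pe": is_pe, "rar_offset": rar_off, "findings": findings}


# Constructed samples: a fake 512-byte MZ stub followed by a RAR5 marker, and a PNG header.
SAMPLE_SFX = b"MZ" + b"\x00" * 510 + RAR5_MAGIC + b"\x00" * 64
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("zEus.scr", SAMPLE_SFX), ("wallpaper.png", SAMPLE_IMAGE)):
        result = triage_sfx(name, blob)
        print(name, "->", result["findings"] or "nothing suspicious")
```

The marker check only tells you a RAR payload is attached; the SFX script that decides what runs after extraction (the commands that launch the stealer and open the decoy image) is stored in the archive comment, so the next step in a real triage is to dump that comment with a RAR tool rather than execute the file.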
Infection Vector - When a victim executes the zEus stealer, it first checks whether it is being analyzed. If not, it collects sensitive information and drops script files that give the attacker additional capabilities. The stealer creates folders under C:\ProgramData to hold the stolen data and the dropped scripts.
Figure 4: Aetherium.bat was added to an existing pack
Anti-analysis - zEus checks whether it is being analyzed by comparing the computer name and the currently running processes against two blacklists.
Computer name blacklist:
WDAGUtilityAccount, Abby, Peter, Wilson, hmarc, patex, JOHN-PC, RDhJ0CNFevzX, kEecfMwgj, Frank, 8Nl0ColNQ5bq, Lisa, John, george, PxmdUOpVyx, 8VizSM, w0fjuOVmCcP5A, lmVwjj9b, PqONjHVwexsS, 3u2v9m8, Julia, HEUeRzl, BEE7370C-8C0C-4, DESKTOP-NAKFFMT, WIN-5E07COS9ALR, B30F0242-1C6A-4, DESKTOP-VRSQLAG, Q9IATRKPRH, XC64ZB, DESKTOP-D019GDM, DESKTOP-WI8CLET, SERVER1, LISA-PC, JOHN-PC, DESKTOP-B0T93D6, DESKTOP-1PYKP29, DESKTOP-1Y2433R, WILEYPC, WORK, 6C4E733F-C2D9-4, RALPHS-PC, DESKTOP-WG3MYJS, DESKTOP-7XC6GEZ, DESKTOP-5OV9S0O, QarZhrdBpj, ORELEEPC, ARCHIBALDPC, JULIA-PC, d1bnJkfVlH, QDAVNJRH
Program blacklist:
httpdebuggerui, wireshark, fiddler, vboxservice, df5serv, processhacker, vboxtray, vmtoolsd, vmwaretray, ida64, ollydbg, pestudio, vmwareuser, vgauthservice, vmacthlp, x96dbg, vmsrvc, x32dbg, vmusrvc, prl_cc, prl_tools, xenservice, qemu-ga, joeboxcontrol, ks dumper client, ksdumper, joeboxserver
Information Stealing - The zEus stealer grabs a wide range of information. It creates an individual text file for each item and saves it to the corresponding folder. The folders for stolen information live under C:\ProgramData\STEALER and include PCINFO, IPINFO, HARDWARE, BROWSERS, STEAL, LDB, and SESSION.
PCINFO - This folder contains two subfolders, IPINFO and HARDWARE. zEus looks up the victim's public IP address using the online services My External IP, ipapi, and ip-api and saves the results as text files in the IPINFO folder. It then queries those services with the IP address for further details: the internet service provider, location (city, longitude, latitude, and postal code), and whether the victim is behind a proxy server or on a mobile network.
Figure 5: The data from online tools is saved to the IPINFO folder
Next, zEus runs command-line utilities and PowerShell to collect hardware and system information and saves the results in the HARDWARE folder: running processes, OS version, product key, hardware ID, system configuration, installed programs, and saved Wi-Fi passwords.
BROWSERS - zEus copies the login data and user preference files from each browser's profile path into a corresponding folder. The target browsers are:
Chrome, Opera, Brave, Vivaldi, Edge, Firefox
From each browser it grabs the login data file and, where needed, the key used to encrypt the stored passwords. It then steals cookies, history, shortcuts, and bookmarks.
STEAL - This folder contains login data copied from the following software:
Steam, osu!, Roblox, Growtopia, Discord
Most of these files are copied from each application's data path. zEus also searches the Downloads folder for discord_backup_codes.txt, the file of backup codes Discord issues so users can log in when their multi-factor authentication (MFA) device is unavailable. The stealer looks in the default download location because that is where a user is most likely to have left the file.
LDB - The LDB folder stores only the .ldb files copied from %appdata%\discord\Local Storage\leveldb. From these files the attacker can extract the victim's Discord authentication token, which allows logging in to the account without knowing the password.
SESSION - zEus also copies data from the following paths into the SESSION folder. Besides credentials, these files profile the victim. For example, it copies the Logs folder from the parent folder of EpicGamesLauncher, which holds the launcher's debug logs, and the top-level folders of platforms such as Battle.net and Electronic Arts. From this the attacker learns which games the victim plays and how to disguise the next payload.
Software | Path
Battle.net | %appdata%\Battle.net
Electronic Arts | %localappdata%\Electronic Arts
Epic Games | %localappdata%\EpicGamesLauncher\Saved\Config
Telegram | %appdata%\Telegram Desktop\tdata
Minecraft | %userprofile%\.lunarclient\settings\game\*.json
Proton VPN | %localappdata%\protonvpn
Ubisoft | %localappdata%\Ubisoft Game Launcher
zEus also drops KEYWORDSEARCHER.bat and Keyword.txt into the STEALER folder. The batch file is a utility for searching a folder for chosen keywords, and the text file is its README; neither is used by the stealer itself. After collection, the STEALER folder is compressed into STEALER.zip and the folder is deleted.
Finally, zEus compiles a summary of the run and sends it to the webhook with STEALER.zip attached. The summary records whether each expected item in the STEALER folder was obtained, along with the following information:
Execution date, user name, computer name, processor, anti-virus software, clipboard content, installed XBOX games, cryptocurrencies, sensitive files
zEus also checks whether the victim has data from any of the following cryptocurrency wallets:
Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, AtomicWallet, Guarda, Coinomi
It also searches the Downloads folder for files whose names contain one of the following keywords:
2fa, mdp, motdepasse, mot_de_passe, login, seed, key, data, db, password, secret, account, acount, paypal, banque, metamask, wallet, code, exodus, memo, compte, token, backup, recovery
These keywords relate to login secrets, such as 2FA (two-factor authentication), seed, key, token, backup, and recovery. Several are French: mdp and motdepasse (password), banque (bank), and compte (account).
Figure 6: A part of the attack result
Features in Dropped Files - Apart from information stealing, the script files dropped to C:\ProgramData\{ComputerName} provide the following features:
Feature | Filename
Kill Task Manager | debugerkiller.bat
Send Screenshot | Screen.bat
Screen Lock | SYSTEMLOCK.bat, configSYSLOCK.vbs, bsod.hta
Chat Box | CHATBOX.bat
C2 Communication | RAT.bat, COMMANDS.txt, HISTORY.txt
Among these files, debugerkiller.bat, Screen.bat, and RAT.bat are executed immediately, and their paths are registered under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for persistence. To avoid suspicion, the value names are borrowed from Windows system files and folders.
Figure 7: Key values for auto-run
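The Run-key persistence above is a good hunting target: a per-user Run value whose data points at a .bat, .vbs or .hta under C:\ProgramData is rare on a clean machine, and a value name that imitates a Windows system file while its data does not live under C:\Windows is rarer still. The script below is an example added to this write-up (not FortiGuard's tooling); it parses saved `reg query` output so it runs offline on any OS. The registry lines, the value names and the DESKTOP-ABC123 folder are constructed for illustration, while the dropped filenames come from the table above.

```python
"""Hunt HKCU Run entries that launch scripts out of C:\\ProgramData, the zEus
persistence pattern. Added example for this write-up; feed it the text of
`reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`."""
import re
from typing import Dict, List

# Constructed sample of `reg query ... \Run` output. The value names and the
# DESKTOP-ABC123 folder are invented for illustration.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive      REG_SZ           "C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    svchost       REG_SZ           C:\ProgramData\DESKTOP-ABC123\RAT.bat
    System32      REG_SZ           C:\ProgramData\DESKTOP-ABC123\Screen.bat
    explorer      REG_EXPAND_SZ    "C:\ProgramData\DESKTOP-ABC123\debugerkiller.bat"
    Discord       REG_SZ           C:\Users\victim\AppData\Local\Discord\Update.exe --processStart Discord.exe
"""

# Filenames from the dropped-file table in the write-up (lower-cased for matching).
ZEUS_SCRIPTS = {"debugerkiller.bat", "screen.bat", "rat.bat", "systemlock.bat",
                "configsyslock.vbs", "bsod.hta", "chatbox.bat"}
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".hta", ".ps1")
# Illustrative (assumed) set of system names an attacker might borrow for a value name.
SYSTEM_NAMES = {"svchost", "system32", "explorer", "winlogon", "csrss", "lsass", "dwm"}

VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def first_path(data: str) -> str:
    """Return the program path at the start of a Run value's data, quoted or not."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def parse_run_values(text: str) -> List[Dict[str, str]]:
    """Turn `reg query` output into {name, type, data} records."""
    out = []
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def suspicious_run_values(text: str) -> List[Dict[str, object]]:
    """Flag values that launch scripts from ProgramData, reuse zEus filenames, or
    carry a system-looking name while pointing outside C:\\Windows."""
    hits: List[Dict[str, object]] = []
    for v in parse_run_values(text):
        path = first_path(v["data"])
        lower = path.lower()
        basename = lower.rsplit("\\", 1)[-1]
        reasons = []
        if lower.startswith("c:\\programdata\\") and lower.endswith(SCRIPT_EXTS):
            reasons.append("script launched from C:\\ProgramData")
        if basename in ZEUS_SCRIPTS:
            reasons.append("known zEus dropped filename")
        if v["name"].lower() in SYSTEM_NAMES and not lower.startswith("c:\\windows\\"):
            reasons.append("system-like value name pointing outside C:\\Windows")
        if reasons:
            hits.append({**v, "path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in suspicious_run_values(SAMPLE_REG_QUERY):
        print(f'{h["name"]:<12} {h["path"]}\n    ' + "; ".join(h["reasons"]))
```

On a live host, export the key with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run > run.txt` and pass the file contents to `suspicious_run_values`; the same parser works for the HKLM Run key and the RunOnce keys, which zEus does not use but which belong in the same sweep.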
Kill Task Manager - zEus drops debugerkiller.bat, which hides its own execution and keeps terminating Task Manager. It is set to auto-run so that the screen lock below cannot be dismissed from Task Manager.
Figure 8: Code in debugerkiller.bat
Send Screenshot - zEus drops Screen.bat to send a screenshot to the webhook every five seconds. It is executed automatically at startup to monitor the victim's computer.
Screen Lock - SYSTEMLOCK.bat and configSYSLOCK.vbs implement this feature. configSYSLOCK.vbs is the launcher for SYSTEMLOCK.bat, and the attacker triggers it over C2. SYSTEMLOCK.bat pops up a message box telling the victim not to restart the computer, then closes explorer.exe so the victim can no longer interact with most of the Windows shell. It then runs bsod.hta, which was dropped to the ProgramData folder and merely shows a full-screen blank window. Because debugerkiller.bat keeps Task Manager closed, most of the usual ways to end a program are blocked.
Chat Box - CHATBOX.bat lets the victim send the attacker at most five messages. It is launched over C2.
Figure 9: The chat box for the victim
C2 Communication - zEus drops RAT.bat to establish C2. RAT.bat downloads command-line instructions from onlinecontroler[.]000webhostapp[.]com into COMMANDS.txt; each instruction not already seen is executed and its result is later written to HISTORY.txt. The executed instruction is also posted to the attacker's webhook so the attacker can follow progress, and dedicated messages for the screen lock and chat box help the attacker troubleshoot. RAT.bat is set to auto-run so that control persists across reboots.
Figure 10: The message for the screen lock
Conclusion - zEus stealer has a relatively simple attack flow, but it collects a wide variety of information that feeds the next attack and supports social engineering. This is a reminder of the danger of downloading and using files from unknown sources: even a source pack, which the game normally just loads as data, can carry malware. Beyond downloading only from reputable sources and checking reviews of a file and its author, FortiGuard Labs recommends enabling MFA as an additional layer of protection. MFA prevents unauthorized account access when a password has been compromised and can also alert users to unusual account activity. We also recommend subscribing to a service such as FortiRecon that automatically scans the web for leaked data.
IOCs
C2 Server
- onlinecontroler[.]000webhostapp[.]com/
- panel-controller[.]000webhostapp[.]com/
Discord Webhooks
- hxxps[:]//discord[.]com/api/webhooks/1212818346157015070/2v0xe2vrxFGv65MRE9qvICmsJw-5e_pq_28xscGybiY1ScEyEiSKMC_zFffr3KkuAimX
- hxxps[:]//discord[.]com/api/webhooks/1212821302671581224/L30ylYucowXO_rm7sUpdwA8DLbYet6NyvUsNV60EP1o1HnF-2M-UPsvatVGQY0ctO9Vk
- hxxps[:]//discord[.]com/api/webhooks/1216834085205311708/2Rx-yUIHeCnuhuLskpz25Ghf-YWeP6Si6oiUSN4SMQYNkeJfVJiYNC4Xy_Oj0ZNQ1qTC
- hxxps[:]//discord[.]com/api/webhooks/1117543783714787458/U_DdPjJm7rM7Q2asPiMISLTrbd3oGw3oVQ25_XU37HCmM6QIQ804SJAH4_h0AT2Vr_cv
- hxxps[:]//discord[.]com/api/webhooks/1191890861622050848/iJVVE3x3xilf4TeZNiERydXZPF5TRE1UhM4Ew06uHn95b0k0KDViw3YnhdynrXn17OKa
- hxxps[:]//discord[.]com/api/webhooks/1215746939635892344/CmKTGdIvizEpR4FgvvLJm3Bcbjg3AKlNGlwd2S-yIO-GRBXZZbn0OwG39kKnx7mDur4T
- hxxps[:]//discord[.]com/api/webhooks/1223978005127364659/3E0hHtDqDOHQJBaG8ifspilk2mY8E1s4KeQY36inBq-tq5q6aZex8U0YJVxVlloFJj5X
- hxxps[:]//discord[.]com/api/webhooks/1224075124005929020/kA4IFZrIXBl_d1Y4I0sMHhF1cZzXvC-yEo5HzSk6Jzq_I0k1PCc1idn4FmqSC2UMljdD
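The webhook URLs above carry more than a blocklist entry. The numeric segment is the webhook ID, a Discord snowflake whose upper bits encode the creation time in milliseconds since 2015-01-01 UTC, so each IOC also dates when the attacker set up that piece of infrastructure; the final segment is the webhook's secret token, which is all anyone needs to post to it. The script below is an example added to this write-up (not FortiGuard's or the malware's code): it refangs the URLs, splits them into ID and token, and recovers the creation time. The two IOCs embedded in it are copied from the list above exactly as they appear, split across two string literals the way the page wraps them.

```python
"""Triage Discord webhook IOCs: refang, split into ID and token, and recover the
webhook's creation time from its snowflake ID. Added example for this write-up."""
import re
from datetime import datetime, timezone
from typing import Dict, List

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z, the snowflake epoch

# Two webhooks from the IOC list above, defanged and line-wrapped as on the page
# (adjacent string literals concatenate, which undoes the wrap).
DEFANGED_IOCS = [
    "hxxps[:]//discord[.]com/api/webhooks/1212818346157015070/2v0xe2vrxFGv65"
    "MRE9qvICmsJw-5e_pq_28xscGybiY1ScEyEiSKMC_zFffr3KkuAimX",
    "hxxps[:]//discord[.]com/api/webhooks/1117543783714787458/U_DdPjJm7rM7Q"
    "2asPiMISLTrbd3oGw3oVQ25_XU37HCmM6QIQ804SJAH4_h0AT2Vr_cv",
]

WEBHOOK_RE = re.compile(
    r"https://discord\.com/api/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]+)"
)


def refang(ioc: str) -> str:
    """Undo the usual hxxp / [:] / [.] defanging so the URL can be parsed."""
    return (ioc.replace("hxxps", "https").replace("hxxp", "http")
               .replace("[:]", ":").replace("[.]", "."))


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake: the top 42 bits hold
    milliseconds since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_webhook(ioc: str) -> Dict[str, object]:
    """Split a (possibly defanged) webhook URL into ID, token, URL and creation time."""
    m = WEBHOOK_RE.search(refang(ioc))
    if m is None:
        raise ValueError(f"not a Discord webhook URL: {ioc}")
    wid = int(m["id"])
    return {"id": wid, "token": m["token"], "url": m.group(0), "created": snowflake_time(wid)}


def triage(iocs: List[str]) -> List[Dict[str, object]]:
    """Parse every IOC and return them oldest first; the creation dates bound when
    the campaign's infrastructure was set up."""
    return sorted((parse_webhook(i) for i in iocs), key=lambda w: w["created"])


if __name__ == "__main__":
    for w in triage(DEFANGED_IOCS):
        print(f'{w["created"]:%Y-%m-%d %H:%M:%S}Z  id={w["id"]}  token_len={len(w["token"])}')
```

Creation time is also a useful pivot when scoping an incident: traffic to discord.com is normal on most networks, but the earliest webhook date gives a lower bound for how far back to search proxy and EDR logs for POSTs to `/api/webhooks/` from hosts that are not running the Discord client.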
Files
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and thinks highly of Recorded Future. Red Sky agrees with providing as much intelligence to an analyst as possible and believes our data sets and services can help augment what RF provides. For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.fortinet.com/blog/threat-research/zeus-stealer-distributed-via-crafted-minecraft-source-pack?lctg=141970831