zEus Stealer

12491450887?profile=RESIZE_180x180Many game makers allow users to alter a game's appearance or behavior to increase its enjoyment and replay value.  Players can often also download packages created by others.  However, this is also a chance for attackers to distribute their malware. The below report examines a batch stealer distributed via a crafted Minecraft source pack.

The zEus stealer malware has been added to a source pack shared on YouTube. The name—zEus—is from a previous variant of this malware. The variant (d9d394cc2a743c0147f7c536cbb11d6ea070f2618a12e7cc0b15816307808b8a) is also distributed via a Minecraft source pack, but it’s embedded in a WinRAR self-extract file.  

The self-extract file mimics a Windows screensaver file.  It runs the stealer and opens the image used as a file icon.  

It is an image from the Internet with the string “zEus” added.  This name is also found in a profile of the Discord webhook receiving stolen data.[1]
12491454452?profile=RESIZE_710xFigure 1: The string on the icon of the inserted file

12491454852?profile=RESIZE_710xFigure 2: The author’s name of the webhook is zEus

Infection Vector - When a victim executes the zEus stealer, it checks whether it is being analyzed.  If not, it collects sensitive information and drops script files to make the attack more flexible.  The zEus stealer creates folders in C:\ProgramData to save stolen data and malicious script files.

12491454863?profile=RESIZE_710xFigure 3: Attack flow

12491454870?profile=RESIZE_584xFigure 4: Aetherium.bat was added to an existing pack

Anti-analysis - zEus checks whether it is being analyzed by comparing the computer name and currently running processes with blacklists.

Computer name blacklist:

WDAGUtilityAccount, Abby, Peter, Wilson, hmarc, patex, JOHN-PC, RDhJ0CNFevzX, kEecfMwgj, Frank, 8Nl0ColNQ5bq, Lisa, John, george, PxmdUOpVyx, 8VizSM, w0fjuOVmCcP5A, lmVwjj9b, PqONjHVwexsS, 3u2v9m8, Julia, HEUeRzl, BEE7370C-8C0C-4, DESKTOP-NAKFFMT, WIN-5E07COS9ALR, B30F0242-1C6A-4, DESKTOP-VRSQLAG, Q9IATRKPRH, XC64ZB, DESKTOP-D019GDM, DESKTOP-WI8CLET, SERVER1, LISA-PC, JOHN-PC, DESKTOP-B0T93D6, DESKTOP-1PYKP29, DESKTOP-1Y2433R, WILEYPC, WORK, 6C4E733F-C2D9-4, RALPHS-PC, DESKTOP-WG3MYJS, DESKTOP-7XC6GEZ, DESKTOP-5OV9S0O, QarZhrdBpj, ORELEEPC, ARCHIBALDPC, JULIA-PC, d1bnJkfVlH, QDAVNJRH

Program blacklist:

httpdebuggerui, wireshark, fiddler, vboxservice, df5serv, processhacker, vboxtray, vmtoolsd, vmwaretray, ida64, ollydbg, pestudio, vmwareuser, vgauthservice, vmacthlp, x96dbg, vmsrvc, x32dbg, vmusrvc, prl_cc, prl_tools, xenservice, qemu-ga, joeboxcontrol, ks dumper client, ksdumper, joeboxserver

Information Stealing - The zEus stealer grabs a wide range of information.  It creates individual text files for each piece of information and saves them to corresponding folders.  The folders for stolen information are in C: \ProgramData\STEALER, including the PCINFO, IPINFO, HARDWARE, BROWSERS, STEAL, LDB, and SESSION folders.

PCINFO - This folder contains two folders: IPINFO and HARDWARE. zEus looks up the victim’s IP address and related details using the online tools My External IP, ipapi, and ip-api.  The results are saved as text files in the IPINFO folder. Using the IP address, zEus queries for further information from the tools, including the internet service provider, location details such as city, longitude, and latitude, and postal code.  In addition, it collects the status of whether the victim is using a proxy server and if a mobile network is being used.

12491454880?profile=RESIZE_584xFigure 5: The data from online tools is saved to the IPINFO folder

Next, zEus uses command-line utilities and PowerShell to collect hardware information and saves the results in the HARDWARE folder, including currently running processes, OS version, product key, hardware ID, system configuration, installed programs, and WIFI password.

BROWSERS - zEus copies files for login data and user preferences from the browsers’ profile path and stores them in corresponding folders.  Below are the target browsers:

Chrome, Opera, Brave, Vivaldi, Edge, Firefox

From these browsers, it grabs files for login data and an encryption key for a password (if necessary). It then steals cookies, history, shortcuts, and bookmarks.

STEAL - This folder contains login data copied from the following software:

Steam, osu!, Roblox, Growtopia, Discord

The files are mostly copied from the software’s data path.  In addition, zEus also searches for discord_backup_codes.txt in the Downloads folder.  Discord_backup_codes.txt contains backup code that helps users log in when they lose their devices for multi-factor authentication (MFA).  As a result, the zEus stealer tries to get the backup code from a default location for downloaded files.

LDB - The LDB folder only stores .ldb files copied from %appdata%\discord\Local Storage\leveldb.  From these .ldb files, the attacker can extract Discord tokens containing account and password information and then log into the victim’s account.

SESSION - zEus also copies various data from the following path to the SESSION folder.  Not only do these files contain credentials, but the attacker also collects information about the victim.  For example, it copies the Logs folders from the parent folder of EpicGamesLauncher, which contains debug logs about EpicGamesLauncher.  Additionally, it copies the parent folders of game companies like Battle.net and Electronic Art.  With this knowledge, the attacker can know which games are popular with the victim and how to disguise the malware to achieve the next attack.

Software

Path

Battle.net

%appdata%\Battle.net
Exclude strings: BrowserCache, Cache

Electronic Arts

%localappdata%\Electronic Arts

Epic Games

%localappdata%\EpicGamesLauncher\Saved\Config
%localappdata%\EpicGamesLauncher\Saved\Data
%localappdata%\EpicGamesLauncher\Saved\Logs

Telegram

%appdata%\Telegram Desktop\tdata
Exclude strings: config, dumps, tdummy, emoji, user_data, webview, *.json

Minecraft

%userprofile%\.lunarclient\settings\game\*.json
%appdata%\.minecraft\*.json

Proton VPN

%localappdata%\protonvpn

Ubisoft

%localappdata%\Ubisoft Game Launcher

zEus stealer also drops KEYWORDSEARCHER.bat and Keyword.txt to the STEALER folder.  The batch file helps users search for keywords they want in a folder, and the text file is its README.  After data collection, the STEALER folder is compressed into a zip file—STEALER.zip—and deleted.  KEYWORDSEARCHER.bat and Keyword.txt are not used by the zEus stealer.

Finally, zEus organizes the attack result and sends it with STEALER.zip attached.  The result shows whether it has successfully stolen the items that should be in the STEALER folder, along with the following information:

Execution date, user name, computer name, processor, anti-virus software, clipboard content, installed XBOX games, cryptocurrencies, sensitive files

zEus stealer also checks whether the victim uses any of the following cryptocurrencies:

Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, AtomicWallet, Guarda, Coinomi

It also searches the Downloads folder for files whose names contain one of the following keywords: 

2fa, mdp, motdepasse, mot_de_passe, login, seed, key, data, db, password, secret, account, acount, paypal, banque, metamask, wallet, code, exodus, memo, compte, token, backup, recovery

These keywords are related to login mechanisms, such as 2FA (two-factor authentication), seed, and key. Some French keywords also mean password, bank, and account. 

12491454691?profile=RESIZE_400xFigure 6: A part of the attack result

Features in Dropped Files - Apart from information stealing, there are features performed by the script files that are dropped to C:\ProgramData\{ComputerName}:

Feature

Filename

Kill Task Manager

debugerkiller.bat

Send Screenshot

Screen.bat

Screen Lock

SYSTEMLOCK.bat, configSYSLOCK.vbs, bsod.hta

Chat Box

CHATBOX.bat

C2 Communication

RAT.bat, COMMANDS.txt, HISTORY.txt

Among these files, debugerkiller.bat, Screen.bat, and RAT.bat are executed immediately, and their paths are registered under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to achieve persistence.  To avoid suspicion, the names of Windows system files and folders are used as the value name.

12491455667?profile=RESIZE_710xFigure 7: Key values for auto-run

Kill Task Manager - zEus stealer drops debugerkiller.bat and obscures its execution to keep terminating Task Manager.  This is set to auto-run to ensure the screen lock mechanism works.

12491455853?profile=RESIZE_400xFigure 8: Code in debugkiller.bat

Send Screenshot—zEus drops Screen.bat to send a screenshot to the webhook every five seconds. This is executed automatically at startup to monitor the victim’s computer.

Screen Lock - SYSTEMLOCK.bat and configSYSLOCK.vbs are dropped to perform this task. configSYSLOCK.vbs is the launcher for SYSTEMLOCK.bat.  The attacker can execute configSYSLOCK.vbs via C2 communication. SYSTEMLOCK.bat pops up a message box telling the victim not to restart the computer and closes explorer.exe to stop the victim from interacting with most Windows items.  The SYSTEMLOCK.bat then executes bsod.hta, which it dropped to the ProgramData folder.  This HTA file just shows a full-screen blank window.  However, debugkiller.bat prevents the victim from opening Task Manager, so most well-known methods to stop a program are blocked.

Chat Box—CHATBOX.bat is dropped to allow the victim to send the attacker at most five sentences. This can be executed via C2 communication.

12491455878?profile=RESIZE_710xFigure 9: The chat box for the victim

C2 Communication - zEus stealer drops RAT.bat to build C2 communication.  RAT.bat downloads command-line instructions from onlinecontroler[.]000webhostapp[.]com to COMMANDS.txt.  If the instruction is not duplicated, it will be executed, and the result will be written to HISTORY.txt later.  The executed instruction is sent to the attack’s webhook to show the current situation.  In addition, special messages for the screen lock and chat box help the attacker with troubleshooting.  RAT.bat is set to auto-run to control the computer continuously.

12491455691?profile=RESIZE_710xFigure 10: The message for the screen lock

Conclusion - zEus stealer has a relatively simple attack flow, but it collects a wide variety of information that provides data for the next attack and contributes to social engineering.  This is a reminder about the dangers of downloading and using files from an unknown source.  Even a source pack, usually loaded by the software, can be a carrier for malware.  In addition to only downloading files from reputable sources and checking reviews of a file and author, FortiGuard Labs recommends enabling MFA as an additional protection layer.  MFA prevents unauthorized account access if a password has been compromised and can also alert users to unusual account activities. We also recommend subscribing to a service like FortiRecon that automatically scans the web for leaked data.

IOCs

C2 Server

  • onlinecontroler[.]000webhostapp[.]com/
  • panel-controller[.]000webhostapp[.]com/

 

Discord Webhooks

hxxps[:]//discord[.]com/api/webhooks/1212818346157015070/2v0xe2vrxFGv65
MRE9qvICmsJw-5e_pq_28xscGybiY1ScEyEiSKMC_zFffr3KkuAimX

hxxps[:]//discord[.]com/api/webhooks/1212821302671581224/L30ylYucowXO_
rm7sUpdwA8DLbYet6NyvUsNV60EP1o1HnF-2M-UPsvatVGQY0ctO9Vk

hxxps[:]//discord[.]com/api/webhooks/1212818346157015070/2v0xe2vrxFGv65
MRE9qvICmsJw-5e_pq_28xscGybiY1ScEyEiSKMC_zFffr3KkuAimX

hxxps[:]//discord[.]com/api/webhooks/1212821302671581224/L30ylYucowXO_
rm7sUpdwA8DLbYet6NyvUsNV60EP1o1HnF-2M-UPsvatVGQY0ctO9Vk

hxxps[:]//discord[.]com/api/webhooks/1212818346157015070/2v0xe2vrxFGv65
MRE9qvICmsJw-5e_pq_28xscGybiY1ScEyEiSKMC_zFffr3KkuAimX

hxxps[:]//discord[.]com/api/webhooks/1216834085205311708/2Rx-yUIHeCnuhu
Lskpz25Ghf-YWeP6Si6oiUSN4SMQYNkeJfVJiYNC4Xy_Oj0ZNQ1qTC

hxxps[:]//discord[.]com/api/webhooks/1117543783714787458/U_DdPjJm7rM7Q
2asPiMISLTrbd3oGw3oVQ25_XU37HCmM6QIQ804SJAH4_h0AT2Vr_cv

hxxps[:]//discord[.]com/api/webhooks/1191890861622050848/iJVVE3x3xilf4Te
ZNiERydXZPF5TRE1UhM4Ew06uHn95b0k0KDViw3YnhdynrXn17OKa

hxxps[:]//discord[.]com/api/webhooks/1215746939635892344/CmKTGdIvizEpR
4FgvvLJm3Bcbjg3AKlNGlwd2S-yIO-GRBXZZbn0OwG39kKnx7mDur4T

hxxps[:]//discord[.]com/api/webhooks/1223978005127364659/3E0hHtDqDOHQ
JBaG8ifspilk2mY8E1s4KeQY36inBq-tq5q6aZex8U0YJVxVlloFJj5X

hxxps[:]//discord[.]com/api/webhooks/1224075124005929020/kA4IFZrIXBl_d1Y
4I0sMHhF1cZzXvC-yEo5HzSk6Jzq_I0k1PCc1idn4FmqSC2UMljdD

Files

aabfbef31ab073d99c01ecae697f66bbf6f14aa5d9c295c7a6a548879381fb24

c9687714cf799e5ce9083c9afa3e622c978136d339fc9c15e272b0df9cd7e21c

d9d394cc2a743c0147f7c536cbb11d6ea070f2618a12e7cc0b15816307808b8a

c2c8a7050b28d86143f4d606a6d245b53c588bc547a639094fce857962246da4

be9ea302bcfb52fbfdf006b2df8357388cd4c078059aabc5b5928676c3361e50

9d3409852348caa65d28e674008dd6bb986eed4fb507957c7a8b73a41e00be70

b6e8b612e99c54dd98af1756f7c9b8a8c19e31ed9b2836878c2a5144563ff1b2

8a2f6d5f6cf7d1a7534454e3c3007337b71d7da470e86f7636eb02d68b2db8cc

df6156fdbbcc7b6f8c9cb4c5c1b0018fc3f1e1ca7d949b5538ec27dc86d026a4

5840f3e43a0c635be94b5fbf2e300d727545371b582361a52682b4a9e08bcebd

51ede75315d858209f9aa60d791c097c18d38f44b9d050b555ff1f4de0ae672d

d1865d2aaf11e3f8bccefe9c4847510234f14aaa5378ce9e8e97553537cf2ca1

9ba19d614af029c3c198b576ccdf1de87d80ac14b12103e8a15376229a2a7860

6063c8285e13d10eabbe363e2ab0d8748bcd595b470698e0cffee31ba255a566

d1a18b436f947611914ced09e4465b49807cec4f3a62b0973c9017b6d82c9f70

1cdd580176eeb4342a0333b50454da061e473358274e6e543df1411186c12042

ed59a797521db06abdf4c88dad7b1666e5978aaa6670a5952a55b7e11f7b790e

2ceae724f0e96e2d8c47296dd1e73ac592e22ee3288eabf11c8d039c6d6d4f8b

03983b56d8b1a6cc43109f6cd67a13666367595a2ea07766127cb1fe4d4bb1a5

9940da9d02d29489c3e26d27feb15b6f4bbf49547b962592125441917c952f12

fbf967295dac00f1e9cb67e9a40b6729b003dd12cf022eb15d626df09716442d

4e0a96ab28570936d095ac3910dcd239c7ceeb2b38a070468404584f8b902dd1

20009fd157a898ad6d50fae6b8127056c5b1f50e31f90f01d2e6c13e6b4c38f8

 

This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and thinks highly of Recorded Future.  Red Sky agrees with providing as much intelligence to an analyst as possible and believes our data sets and services can help augment what RF provides.  For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424

 

[1] https://www.fortinet.com/blog/threat-research/zeus-stealer-distributed-via-crafted-minecraft-source-pack?lctg=141970831

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!