ZeusVM and steganography

Months ago, researchers observed an evolution of ZeusVM, time to get back on this family.

For informations,
The first ZeusVM sample i've seen using steganography was the 21 November 2013.
The IP of the C&C have Russian origin: 212.44.64.202
A Sutra TDS who redirect on Nuclear Exploit pack was pushing the payload, Roman of abuse.ch blacklisted 212.44.64.202 one month later on his Zeus tracker.

The first guy who publicly wrote about ZeusVM change is probably Jerome Segura of Malwarebytes.
Actually the latest version i've saw in the wild is 1.0.0.5, and if you want a hash: e4c31d18b92ad6e19cb67be2e38c3bd1 (sample is fresh of today)

Let's have a look on the first server that i've see now... 212.44.64.202.
Pony, Multilocker, Mailers, Grum and an older version of ZeusVM (without steganography) was also hosted on this server but that not the topic.

The filename of login scripts and ZeusVM configs were hardnamed in russian, like:
borodinskoesrajenie.jpg (http://en.wikipedia.org/wiki/Battle_of_Borodino)
vhodtolkodlyaelfov.php (only elves can enter)
logovoelfov.php (elf's den)
domawniypitomec.php (domestic animal)
jivotnoe.php (animal)
larecotkryt.php (the chest is open)
And so on.. overall the panel design seem back to the original zeus style (not like the previous 'generation' of ZeusVM with casper)

/kec/:

/luck/:

/ass/:

/kbot/:

/ksks/:

/one/:

/two/ (unused):

/three/ (unused):

/four/ (unused):

Now, for decoding those ZeusVM images, as described by Jerome, you just need to strip the image and do the following: Base64+RC4+VisualDecrypt+UCL Decompress

Here are some 'malicious' image from 212.44.64.202:
mix.jpg:
mix.jpg:
mix.jpg:
mix.jpg:
config.jpg:
kartamestnosti.jpg:
webi_test.jpg:
uwliottrekera.jpg:
 test_vnc2.jpg:
x64hook.jpg:

Some configs was done for tests:

And some wasn't for test, targeting banks with MiTB.
Malicious code injection, on a ZeusVM botnet targeting France:

Lame webinject:


CCGRAB:
ATSEngine:

Nowadays more actors start to use ZeusVM, like the group who was using the 'private' version of Citadel 3.1.0.0 and the group who was targeting Japan.
Both switched on ZeusVM as alternative of Citadel.

You can find the samples related to 212.44.64.202 with config and decoded here:
http://temari.fr/vx/ZeusVMs_212.44.64.202.7z

Some other ZeusVM samples (not related to 212.44.64.202):
http://temari.fr/vx/ZeusVMs_v1.0.0.2_v1.0.0.5.7z





root/root