Zeus v2.0.8.9 being rolled out on IRS themed spam

We analyzed the following malicious attachment, which was distributed with IRS-themed spam on May 14, 2012:

Name: Plexer_Order-z9284
MD5: e807511362923762da627599daeeba65
Size: 21,54,749 bytes
Content: Plexer_Order-z9284.exe

This zip archive contained the following malicious dropper:

Name: Plexer_Order-z9284.exe
MD5: 3c8b1a1c45fbb93e93dbde75795c21bd
Size: 21,84,348 bytes
Timestamp: 1970:01:01 01:00:49+01:00
Company Name: NEW ORDER 2012 FOR VIEW PLEXR
File Description: Win32 Cabinet Self-Extractor
File Version: 9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
Internal Name: Wextract
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: WEXTRACT.EXE .MUI
Product Name: Plexer Order Viewer 2012
Product Version: 56.0.89.3
Comments: NEW VERSION ORDER 2012 FOR VIEW PLEXR
Website: http://www.avira.com
Packager: Xenocode Postbuild 2009 for .NET Beta
Packager Version: 7.0.162
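
The version info above contradicts itself in several ways, which a triage script can catch without running the sample. The following is an added example (my own code, not from the original post): it scores a near-epoch compile timestamp, Microsoft branding paired with a non-Microsoft company name, a third-party website URL, and a packager tag on a file claiming to be Microsoft's cabinet self-extractor. The dict keys, the check names and the threshold are my own assumptions; the field values are those quoted above.

```python
from datetime import datetime, timezone

# Constructed from the dropper listing above (page values; dict keys are assumed).
DROPPER_INFO = {
    "timestamp": "1970:01:01 01:00:49+01:00",
    "company_name": "NEW ORDER 2012 FOR VIEW PLEXR",
    "file_description": "Win32 Cabinet Self-Extractor",
    "internal_name": "Wextract",
    "legal_copyright": "© Microsoft Corporation. All rights reserved.",
    "product_name": "Plexer Order Viewer 2012",
    "website": "http://www.avira.com",
    "packager": "Xenocode Postbuild 2009 for .NET Beta",
}

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_listing_timestamp(value):
    """Parse the 'YYYY:MM:DD HH:MM:SS+HH:MM' form used in the listing into an aware datetime."""
    return datetime.strptime(value, "%Y:%m:%d %H:%M:%S%z")


def version_info_findings(info):
    """Return the names of the version-info inconsistencies found in one sample's metadata."""
    findings = []
    # A compile time within a minute of the Unix epoch is a zeroed or forged header field.
    if abs((parse_listing_timestamp(info["timestamp"]) - UNIX_EPOCH).total_seconds()) < 60:
        findings.append("epoch_timestamp")
    copyright_ = info.get("legal_copyright", "").lower()
    internal = info.get("internal_name", "").lower()
    claims_microsoft = "microsoft" in copyright_ or internal == "wextract"
    if claims_microsoft:
        # Genuine Microsoft components carry Microsoft in the company field as well.
        if "microsoft" not in info.get("company_name", "").lower():
            findings.append("microsoft_branding_nonmicrosoft_company")
        website = info.get("website", "").lower()
        if website and "microsoft.com" not in website:
            findings.append("non_microsoft_website")
        # Wextract ships as a plain system binary; a packager tag means it was re-wrapped.
        if info.get("packager"):
            findings.append("third_party_packager")
    return findings


def is_suspicious(info, threshold=2):
    """Flag a sample once it accumulates at least `threshold` independent findings."""
    return len(version_info_findings(info)) >= threshold
```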

This dropper first installs Google Talk on the system and brings the Google Talk window to the front of the desktop. Behind the scenes, it installs Zeus v2.0.8.9. Zeus was installed as %APPDATA%/[random]/emta.exe and had the following file properties:

Name: emta.exe
MD5: bbdeabff13e565e187e0e85fcb1e732f
Size: 95,744 bytes
Timestamp: 2011:07:27 04:06:30+02:00

Like a typical Zeus sample, it first downloads a configuration file consisting of a target list and webinjects from:

hxxp://kmginsights.com/upload/LoadhandlerImages_/y/config.bin

The Zeus dropzone was also running on the same domain at:

hxxp://kmginsights.com/upload/LoadhandlerImages_/y/gate.php

This Zeus controller was running on a compromised website belonging to KMG INSIGHTS, which offers a complete line of marketing, technology and organizational consulting services.

Russian, Spanish, Italian and UK banks and financial institutions were targeted by this Zeus controller.
