A descendant of the infamous Zeus banking trojan, dubbed Silent Night by the malware’s author, has emerged on the scene, with a host of functionalities available in a spendy malware-as-a-service (MaaS) model.
Custom builds can run as much as $4,000 per month, which researchers say places the code out of reach of all but large cybercriminal groups looking to mount mass campaigns.
“The price tag is steep, especially for the Russian audience [to whom it is marketed], where 500 USD is an average rent for a small 1 bedroom apartment in the outskirts of Moscow,” Malwarebytes researchers said.
Silent Night is advertised with a host of features, according to a Thursday analysis from Malwarebytes. These include: Web injections and form grabber with support for Google Chrome, Mozilla Firefox and Internet Explorer; proxy services via HiddenVNC and SOCKS5; keylogger for browser activity; the ability to take screenshots; cookie stealer for Chrome, Firefox and IE; and a password-stealer for Chrome.
The ad also lists “protective gear” to make analysis more difficult, consisting of a unique custom obfuscator that the author said “morphs all code and encrypts strings and all constant values in the code.”
According to researchers, all of the malicious modules are obfuscated.
“The characteristics of the obfuscation indicate that it has been applied on the source-code, pre-compilation,” according to the analysis. “It contrasts with most malware, where the only protection is the layer added post-compilation, with the help of a crypter/protector. Each release of the bot contains randomized obfuscation. Although the resulting code is different, the patterns are similar every time. This indicates that the same code obfuscator was used for each release, and the generated obfuscation artifacts are being randomized on each use.”
Infection Routine Links to Terdot
The sample in circulation observed by Malwarebytes is a fairly new binary (a 1.0 version was compiled at the end of November 2019), which the firm said is an initial dropper. This first stage simply fetches the core malicious module from a command-and-control (C2) server and injects it into various running processes on an infected machine. Once the core bot is loaded and run, it then establishes its own connection with the C2, and downloads further encrypted modules that each represent one of the functions listed above. It also runs a thread that is responsible for data exfiltration.
Interestingly, Malwarebytes researchers found that there are several code overlaps with another Zeus variant known as Terdot, starting with the fact that the core module is downloaded from the C2 and kept in encrypted form. Also, the way both banking trojans attack browsers has significant overlap, including using the exact same browser hook, and using the same implementations.
“The bot has been designed using the Zeus code as a template, yet, a lot of work has been put into its modification and modernization,” according to the analysis. “Conceptually, it is very close to Terdot, yet rewritten with an improved, modular design. We don’t have enough data to say if the author of Silent Night was previously involved in developing Terdot, or just got inspiration from it. What we can say is that not all similarities among those two come from the common ancestor, Zeus.”
Notably, it deviates from another Zeus variant known as Sphinx, which is not multistage; it doesn’t need to download the main component but rather contains its functions inside the initial executable.
“This is a very different model than in case of Silent Night, where each and every module is downloaded from the C2, and then kept in a separate, encrypted file,” researchers noted.
Distribution
Researchers first saw the sample in December being dropped by the RIG Exploit Kit in small campaigns that appeared to be used for testing purposes – and it evolved from there.
“The spreading intensified over time, and the distribution switched to mostly phishing emails,” according to the report. “In March 2020, it was delivered in a COVID-19 themed spam campaign, as reported by Vitali Kremez…later, spam with the invoice template started to be used.”
However, the distribution vector has varied over time, likely because the campaigns are run by third parties (the clients who rented the malware), researchers said. For instance, the spam emails initially featured attached Word documents containing malicious JavaScript; in this format, users are prompted to “enable the active content,” which then executes the malware. But one large campaign reported in late April instead used Excel sheets with macros embedded on a VeryHidden XLS sheet, researchers noted.
“After forcing the hidden sheet to be displayed, we can see the commands in the cells: They were downloading the malicious loader from the embedded URLs,” according to the report.
And yet another variant of the attachment was a VBS script, where Silent Night was embedded directly, in obfuscated form.
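The VeryHidden-sheet trick above is something a defender can check for at the mail gateway or in triage. The following is an added example (not code from Malwarebytes or Threatpost) that parses the sheet-visibility flags and macro parts of an Excel workbook; it assumes the modern OOXML container (.xlsx/.xlsm), not the legacy binary XLS format, and builds its own constructed sample workbook so it runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample: a minimal OOXML workbook with one visible sheet, one
# "veryHidden" sheet, and an Excel 4.0 macro sheet part. Real files carry more
# parts; xl/workbook.xml is where per-sheet visibility is recorded.
WORKBOOK_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
 xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
 <sheets>
  <sheet name="Invoice" sheetId="1" r:id="rId1"/>
  <sheet name="Sheet7" sheetId="2" state="veryHidden" r:id="rId2"/>
 </sheets>
</workbook>"""

MACROSHEET_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"/>"""

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def build_sample_xlsx() -> bytes:
    """Assemble the constructed sample workbook as an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/macrosheets/sheet2.xml", MACROSHEET_XML)
    return buf.getvalue()


def sheet_visibility(xlsx_bytes: bytes) -> list:
    """Return (sheet name, state) pairs; OOXML omits state when visible."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        root = ET.fromstring(z.read("xl/workbook.xml"))
    sheets = root.find("m:sheets", NS)
    return [(s.get("name"), s.get("state", "visible")) for s in sheets]


def very_hidden_sheets(xlsx_bytes: bytes) -> list:
    """Sheets a user cannot unhide from the Excel UI: a strong triage signal."""
    return [n for n, st in sheet_visibility(xlsx_bytes) if st == "veryHidden"]


def macro_parts(xlsx_bytes: bytes) -> list:
    """Zip entries holding VBA (vbaProject.bin) or Excel 4.0 macro sheets."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        names = z.namelist()
    return [n for n in names
            if n == "xl/vbaProject.bin" or n.startswith("xl/macrosheets/")]
```

A workbook that combines a veryHidden sheet with any macro part is worth detonating or blocking before it reaches a user.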
“Based on the analysis of the bot’s configurations, we may confidently say that there is more than one customer of the Silent Night,” according to researchers. “However, comparing the frequency of new builds (based on the variations of the config files) and the different level of sophistication between the actors, we can say that some users are more proficient than others.”
Attribution
Silent Night was announced on November 9 in a Russian-language underground forum, according to the analysis, being sold by a threat actor going by the handle “Axe.”
Axe said that he had spent five years developing the code, albeit with Zeus as the foundation (Zeus’ source code was leaked back in 2011). He also said that he drew on previous development experience with another banking trojan (likely one known as “Axebot,” according to Malwarebytes).
“A few years prior: My previous banking trojan had a lot of issues and was hard to maintain because of the poor architecture and C-code,” according to the advertisement seen by Malwarebytes. “The best course of action was to rewrite the whole thing, and I have done just that. The development took a few years, and I went through a couple of iterations. Finally, with the experience learned from the first version and all the customers’ feedback, I was successful at making the ideal banking trojan.”
This is perhaps the justification the seller has for charging a whopping $4,000 per month for a customized build. With the higher price tag also comes a weeding out of users, the firm added.
“The design of Silent Night is consistent and clean, the author’s experience shows throughout the code,” researchers wrote. “We predict with moderate confidence an evolution of the bot from something that anyone with a budget can buy, into a vehicle for one group to conduct banking theft at scale.”