Malware's Most Wanted: ZBERP, the Financial Trojan
Transcript of a Cyphort presentation deck (uploaded by cyphort).
ZBERP: Inside a Financial Trojan
Your speakers today
Marion Marschalek, Security Research Expert
Shelendra Sharma, Product Marketing Director
Agenda
o What is ZBERP
o Dissecting the malware
o Wrap-up and Q&A
Cyphort Labs T-shirt
Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from the malware KB
o Best of 3rd-party threat data
Banking Trojans
How Malware Became Greedy
Zeus, Citadel, SpyEye, ZitMo, ZeusVM/KINS, Carberp... Zberp!
Source: https://www.mobigyaan.com
Source: https://zeustracker.abuse.ch/
ZeusVM / KINS
o Born December 2011
o Sold as a kit since 2013
o Heavily based on Zeus code
http://blog.fox-it.com/2013/07/25/analysis-of-the-kins-malware/
There Is No Honor Among Thieves
KINS + Carberp = Zberp?
Code injection
Hooking technique
Infection routine
VM code
Steganographic configuration
ZBERP
How Zeus and Kins and Carberp Merged
What Makes ZBERP
o Steganography
o Invisible persistence
o SSL CnC communication
o VMProtect feature
o New hooking implementation
System Infiltration
1. Drop the executable into the user's %APPDATA% folder
2. Create and execute a batch file that deletes the dropper
3. Maintain a registry key for persistence
4. Inject the payload into system processes
5. Download the customized configuration
ZEUS
Virtual Machine Code Execution
1. Grab next opcode
2. Call opcode handler
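The two-step loop above is what a virtualised sample's dispatcher looks like once you strip the obfuscation around it. The following is an added illustration in Python (not ZeusVM's or Zberp's bytecode, whose instruction set, encoding and register file are the sample's own and differ per build): a toy VM whose run() method fetches one opcode, looks it up in a handler table and calls the handler. The opcode numbers, operand encoding and the sample program are invented for this example.

```python
"""Toy opcode-dispatch VM: the fetch/dispatch loop an analyst sees when a
sample runs virtualised code. Added illustration; the instruction set,
encoding and register file here are invented for this example and are not
ZeusVM/KINS's own bytecode."""
import struct

# Constructed opcode numbers for this example (real samples pick their own,
# often different per build, which is what makes them tedious to read).
OP_LOADI = 0x10   # LOADI rd, imm32      rd = imm
OP_ADD   = 0x20   # ADD   rd, rs         rd = (rd + rs) mod 2^32
OP_XOR   = 0x30   # XOR   rd, rs         rd ^= rs
OP_JNZ   = 0x40   # JNZ   rs, rel8       if rs != 0: pc += rel (signed)
OP_HALT  = 0xFF

MASK32 = 0xFFFFFFFF


class ToyVM:
    def __init__(self, code: bytes):
        self.code = code
        self.pc = 0
        self.regs = [0, 0, 0, 0]
        self.steps = 0
        # The handler table is the artefact worth recovering when reversing
        # a virtualised sample: each entry names what one opcode really does.
        self.handlers = {
            OP_LOADI: self._loadi,
            OP_ADD: self._add,
            OP_XOR: self._xor,
            OP_JNZ: self._jnz,
            OP_HALT: self._halt,
        }

    def _fetch(self, fmt: str):
        """Read one operand field at pc and advance past it."""
        size = struct.calcsize(fmt)
        if self.pc + size > len(self.code):
            raise ValueError("truncated bytecode at offset %d" % self.pc)
        value = struct.unpack_from(fmt, self.code, self.pc)
        self.pc += size
        return value[0] if len(value) == 1 else value

    def _loadi(self):
        rd, imm = self._fetch("<BI")
        self.regs[rd] = imm & MASK32
        return True

    def _add(self):
        rd, rs = self._fetch("<BB")
        self.regs[rd] = (self.regs[rd] + self.regs[rs]) & MASK32
        return True

    def _xor(self):
        rd, rs = self._fetch("<BB")
        self.regs[rd] ^= self.regs[rs]
        return True

    def _jnz(self):
        rs, rel = self._fetch("<Bb")
        if self.regs[rs] != 0:
            self.pc += rel          # relative to the byte after the instruction
        return True

    def _halt(self):
        return False

    def run(self, max_steps: int = 100_000):
        """Dispatch loop: 1. grab the next opcode, 2. call its handler."""
        while self.pc < len(self.code):
            self.steps += 1
            if self.steps > max_steps:
                raise RuntimeError("step limit hit; bytecode does not terminate")
            opcode = self._fetch("<B")                 # 1. grab next opcode
            handler = self.handlers.get(opcode)
            if handler is None:
                raise ValueError("unknown opcode 0x%02x at %d" % (opcode, self.pc - 1))
            if not handler():                          # 2. call opcode handler
                break
        return list(self.regs)


# Constructed program: sums 5 + 4 + 3 + 2 + 1 into r1 with a countdown
# loop (r2 holds -1 as an unsigned 32-bit value).
SAMPLE_BYTECODE = bytes([
    OP_LOADI, 0, 0x05, 0x00, 0x00, 0x00,   # r0 = 5
    OP_LOADI, 1, 0x00, 0x00, 0x00, 0x00,   # r1 = 0
    OP_LOADI, 2, 0xFF, 0xFF, 0xFF, 0xFF,   # r2 = 0xFFFFFFFF (-1)
    OP_ADD, 1, 0,                          # loop: r1 += r0
    OP_ADD, 0, 2,                          #       r0 -= 1
    OP_JNZ, 0, 0xF7,                       #       if r0 != 0 goto loop (-9)
    OP_HALT,
])


def run_program(code: bytes) -> list:
    return ToyVM(code).run()


if __name__ == "__main__":
    print(run_program(SAMPLE_BYTECODE))
```

The point for an analyst: the original logic (a loop that sums a countdown) is nowhere in the native disassembly; it only exists as a byte string fed to run(). Recovering the handler table and writing a small disassembler for the operand formats is the usual way back to readable code.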
KINS
Steganographic Configuration
KINS
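The slides show the configuration being carried inside an image, which lets the download of a bot's settings look like an ordinary picture fetch. As an added example (not the page's or ZeusVM's code, and not a reproduction of that family's exact image encoding), the block below implements one common form of this: the configuration is lightly encrypted and appended after the JPEG end-of-image marker, where viewers ignore it. It also shows the cheap triage check a responder wants: how many bytes trail the EOI marker. The trailer tag, length framing and XOR key are invented for this example; real samples use their own crypto, which has to be recovered per sample.

```python
"""Configuration hidden behind a JPEG's end-of-image marker. Added
illustration: one common way to stash data in an image file (append it past
the EOI marker, lightly encrypted). The framing, magic value and XOR key
below are invented; ZeusVM/KINS's own image encoding is not reproduced."""
import struct

SOI = b"\xff\xd8"          # start of image
EOI = b"\xff\xd9"          # end of image; a well-formed decoder stops here
MAGIC = b"CFG1"            # constructed trailer tag for this example


def find_eoi(data: bytes) -> int:
    """Return the offset just past the first EOI marker.

    Inside entropy-coded data every 0xFF is stuffed as FF 00, so FF D9 can
    only be a marker; taking the first one avoids being fooled by an FF D9
    that happens to occur inside the appended data."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    idx = data.find(EOI, 2)
    if idx < 0:
        raise ValueError("no EOI marker; file is truncated")
    return idx + 2


def xor_bytes(data: bytes, key: bytes) -> bytes:
    # Placeholder cipher so the trailer is not plaintext. Real samples use
    # their own schemes; which one is an assumption to verify per sample.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hide_config(jpeg: bytes, config: bytes, key: bytes) -> bytes:
    body = xor_bytes(config, key)
    trailer = MAGIC + struct.pack("<I", len(body)) + body
    return jpeg[:find_eoi(jpeg)] + trailer


def trailer_size(blob: bytes) -> int:
    """Bytes after EOI: 0 for a clean image. A cheap triage check."""
    return len(blob) - find_eoi(blob)


def extract_config(blob: bytes, key: bytes):
    """Return the hidden config, or None if no recognised trailer follows EOI."""
    start = find_eoi(blob)
    tail = blob[start:]
    if len(tail) < len(MAGIC) + 4 or tail[:4] != MAGIC:
        return None
    (size,) = struct.unpack_from("<I", tail, 4)
    body = tail[8:8 + size]
    if len(body) != size:
        return None      # truncated trailer
    return xor_bytes(body, key)


# Constructed minimal JPEG: SOI, a JFIF APP0 segment, EOI. It carries no
# scan data, so it is not a picture, but it has the structure relied on.
APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CLEAN_JPEG = SOI + APP0 + EOI

SAMPLE_CONFIG = b"cnc=https://203.0.113.5/gate.php;inject=bank.example"  # constructed
SAMPLE_KEY = b"\x5a\xa5\x3c"

if __name__ == "__main__":
    stego = hide_config(CLEAN_JPEG, SAMPLE_CONFIG, SAMPLE_KEY)
    print(trailer_size(CLEAN_JPEG), trailer_size(stego))
    print(extract_config(stego, SAMPLE_KEY))
```

trailer_size() is the check to run over images a suspect process fetched: a JPEG with hundreds of bytes after FF D9 is not proof of anything, but it is where to point the decryption effort. Data hidden inside the pixel data (LSB schemes) would not be caught by this check and needs a per-sample decoder.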
Invisible Persistence
Thread for managing autorun key
...
KINS
Code Injection Technique
Suspend – Inject – Resume
Executable injection
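The System Infiltration steps, the autorun-key persistence and the suspend/inject/resume injection above each leave a distinct trace on the endpoint, and together they form a chain worth alerting on even when each event alone is noisy. The block below is an added example (not Cyphort's tooling and not the malware's code): triage rules run over a handful of constructed Sysmon-style events, one per stage of the chain, plus benign noise that must not fire. The paths, SID, process names and the allowlist are constructed, and the assumption that the feed uses Sysmon's event IDs and field names (1 process create, 8 CreateRemoteThread, 13 registry value set) is mine.

```python
"""Triage rules for the infiltration chain in the slides, over constructed
Sysmon-style events (process create = 1, CreateRemoteThread = 8, registry
value set = 13). Added example, not Cyphort's or the malware's code; the
events, paths and the benign allowlist are constructed, and the assumption
that the feed carries Sysmon's field names is the author's of this block."""
import re

SYSTEM_TARGETS = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}
# Constructed allowlist: programs that legitimately run from the profile.
KNOWN_GOOD_APPDATA_EXES = {"onedrive.exe"}

RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
BAT_RE = re.compile(r'[^\s"]+\.bat\b', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return a list of (rule_name, event_index) for events that match."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 1:
            cmd = ev.get("CommandLine", "")
            parent = ev.get("ParentImage", "")
            # Step 1: a fresh executable started from the user profile.
            if APPDATA_RE.search(image) and image.lower().endswith(".exe") \
                    and basename(image) not in KNOWN_GOOD_APPDATA_EXES:
                hits.append(("exe_run_from_appdata", i))
            # Step 2: a profile-resident executable spawns cmd.exe on a .bat
            # (the batch file that deletes the dropper).
            elif basename(image) == "cmd.exe" and BAT_RE.search(cmd) and APPDATA_RE.search(parent):
                hits.append(("batch_spawned_by_profile_exe", i))
        elif eid == 13:
            # Step 3: Run key whose value points into the profile.
            if RUN_KEY_RE.search(ev.get("TargetObject", "")) and APPDATA_RE.search(ev.get("Details", "")):
                hits.append(("run_key_into_appdata", i))
        elif eid == 8:
            # Step 4: remote thread created in a system process from a
            # profile-resident image (suspend/inject/resume shows up here).
            if APPDATA_RE.search(ev.get("SourceImage", "")) and basename(ev.get("TargetImage", "")) in SYSTEM_TARGETS:
                hits.append(("remote_thread_into_system_process", i))
    return hits


def distinct_rules(hits):
    """Stages of the chain seen; three or more from one host deserve a look."""
    return {rule for rule, _ in hits}


DROPPED = r"C:\Users\alice\AppData\Roaming\Qwedo\ipuxu.exe"   # constructed path
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": DROPPED, "CommandLine": DROPPED,
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\tmp4F2.bat"',
     "ParentImage": DROPPED},
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Qwedo",
     "Details": DROPPED},
    {"EventID": 8, "SourceImage": DROPPED, "TargetImage": r"C:\Windows\explorer.exe"},
    # Benign noise that must not fire: an allowlisted profile-resident app
    # and a Run key that points outside the profile.
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "CommandLine": "OneDrive.exe /background", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(rule, ev.get("Image") or ev.get("SourceImage"))
```

Each rule on its own will fire on legitimate software (updaters live in AppData, installers spawn batch files), which is why the allowlist exists and why distinct_rules() counts stages rather than events. The "invisible persistence" slide is the reason the registry rule is event-driven: a key that is written and removed again between scans is invisible to a periodic autoruns dump but not to a registry-set event.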
CARBERP
"Man-in-the-browser"
ZBERP
"Man-in-the-browser"
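Man-in-the-browser is the reason SSL on the bank's side does not help the victim: the trojan hooks the browser's own send/receive routines inside the browser process, so it reads form fields before they are encrypted and edits pages after they are decrypted. As an added illustration (not Zberp's or Carberp's code, which do this in native code against the browser's API), the block below models the hook in Python: ToyBrowser.submit stands in for the hooked routine, install_mitb_hook() replaces it on one instance, steals the login fields and adds a field to the returned page, and is_hooked() is the integrity check. The target host, field names and injected HTML are constructed.

```python
"""Man-in-the-browser, modelled in Python. Added illustration, not Zberp's
code: the trojan hooks the browser's native send/receive routines in
process; here ToyBrowser.submit stands in for that routine and is replaced
on one instance so the effect is visible. The target host, field names and
injected HTML are constructed."""
from urllib.parse import parse_qs


class ToyBrowser:
    """Stands in for the browser's HTTP layer; submit() is the hooked routine."""

    def __init__(self, server):
        self.server = server

    def submit(self, url: str, body: str) -> str:
        # In a real browser this is where the request gets encrypted and
        # sent. The hook sits before that point, which is why TLS on the
        # banking site does not protect the form contents.
        return self.server(url, body)


def bank_server(url: str, body: str) -> str:
    """Constructed target site: a login POST returns the account page."""
    user = parse_qs(body).get("user", ["?"])[0]
    return ('<html><h1>Welcome %s</h1>'
            '<form action="/transfer"><input name="amount"></form></html>' % user)


def install_mitb_hook(browser: ToyBrowser, target_host: str, inject_html: str, loot: list):
    """Replace submit() with a wrapper that copies form fields for the target
    host and adds extra inputs to the page it returns (a 'web inject')."""
    original = browser.submit

    def hooked_submit(url: str, body: str) -> str:
        on_target = target_host in url
        if on_target:
            # Credentials are read here, before the original routine
            # encrypts them; the real thing ships them to the operator.
            loot.append({k: v[0] for k, v in parse_qs(body).items()})
        response = original(url, body)
        if on_target:
            response = response.replace("</form>", inject_html + "</form>", 1)
        return response

    browser.submit = hooked_submit
    return original


def is_hooked(browser: ToyBrowser) -> bool:
    """Integrity check: the class method has been shadowed on this instance.
    The native-code analogue is comparing a hooked API's first bytes with
    the on-disk copy of the DLL that exports it."""
    return "submit" in vars(browser)


def run_demo():
    loot = []
    browser = ToyBrowser(bank_server)
    before = is_hooked(browser)
    install_mitb_hook(browser, "bank.example",
                      '<input name="pin" placeholder="Confirm your card PIN">', loot)
    page = browser.submit("https://bank.example/login", "user=alice&pass=hunter2")
    other = browser.submit("https://shop.example/cart", "item=42")
    return {"hooked_before": before, "hooked_after": is_hooked(browser),
            "loot": loot, "page": page, "other": other}


if __name__ == "__main__":
    print(run_demo())
```

Two things carry over to the real attack: the hook is selective (only the configured targets are touched, so the browser behaves normally everywhere else), and the injected field is indistinguishable from the bank's own form to the user, because it is added to the page the bank actually sent. Server-side TLS, certificate pinning and even two-factor codes typed into that page are all visible to the hook.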
Key Take-aways: How to Stay Safe
Critical Questions
Zeus first appeared in 2007 – why are its derivatives still so successful?
What is compromised on an infected machine?
How can mitigation be achieved?
Zeus' Success
Modularity.
Flexibility.
Persistence.
Potential Data Loss
Digital Identities
Critical Browser Data
Media
Sensitive Documents
Anything the botnet operator desires!
Conclusions
o Don’t underestimate Zeus and its descendants.
o Check for presence of unfamiliar network callbacks.
o Use a professional grade APT solution to detect these Trojans.
Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware
Thank You!