Decoding ZeuS Disguised as an RTF File

In a recent blog post, Ronnie Tokazowski, senior researcher at PhishMe, warns of a nasty phishing email currently circulating.

Ronnie warns, “I came across a particularly nasty looking phishing email that had a .doc attachment. At first when I detonated the sample in my VM, it seemed that the attackers weaponised the attachment incorrectly. After extracting and decoding the shellcode, I discovered a familiar piece of malware that has been used for some time.” Ronnie identified that the originating IP address is 212.154.192[d]150. The reply-to field is also interesting, as this is the address of a long-time 419 scammer.

Having investigated the message, Ronnie describes it as a ‘Camel case’ – changing the casing of things is one way to help bypass AV or other signature detection.
Looking at its malicious payload, he concludes, “Based off of the shellcode and other artifacts of the code, this is associated with CVE-2012-0158 – an older but very reliable exploit. The malware installs to the following directory: C:\Users\ \AppData\Roaming\Ritese\quapq.exe. From a forensics perspective, searching for exe files in this directory or the Roaming directory is golden, as this shouldn’t happen. For the malware on the network side of things, it makes many requests to ‘file.php’ and ‘gate.php’. The IP address of 116.193.77[d]118 is also listed on ZeuS tracker. Even though CVE-2012-0158 is three years old, attackers are still using it to this day. Even once they obfuscate these documents, it’s still possible to get back to their true intentions.”
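
A triage sketch for the two indicators described above, added here as an example (not code from Ronnie’s blog or from PhishMe): it flags `.exe` files under a user’s `AppData\Roaming` in a file listing and counts proxy requests to `file.php` or `gate.php`, matching case-insensitively. The log line format, function names, user names and addresses are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# .exe anywhere under a user's Roaming profile; case-insensitive because the
# page notes that casing is varied to slip past signatures.
ROAMING_EXE = re.compile(
    r"^[a-z]:\\users\\([^\\]+)\\appdata\\roaming\\(?:[^\\]+\\)*[^\\]+\.exe$", re.I)
PANEL_PAGES = {"file.php", "gate.php"}  # script names quoted on the page

def roaming_executables(paths):
    """Return (user, path) for each listed .exe under a Roaming profile."""
    hits = []
    for raw in paths:
        path = raw.strip()
        m = ROAMING_EXE.match(path)
        if m:
            hits.append((m.group(1), path))
    return hits

def panel_requests(log_lines, min_hits=3):
    """Count file.php/gate.php hits per (client, server); drop pairs below min_hits."""
    # Assumed line format (constructed): '<client_ip> <METHOD> <url>'
    counts = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line
        client, _method, url = parts
        u = urlsplit(url)
        if u.path.rsplit("/", 1)[-1].lower() in PANEL_PAGES:
            counts[(client, u.hostname)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_hits}

# Constructed sample data (user names and RFC 5737 / private addresses).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Ritese\quapq.exe",
    r"C:\USERS\bob\APPDATA\ROAMING\update.EXE",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm",
    r"C:\Users\alice\AppData\Local\Temp\setup.exe",
]
SAMPLE_LOG = [
    "10.0.0.5 POST http://198.51.100.7/img/gate.php",
    "10.0.0.5 GET http://198.51.100.7/img/File.php?id=1",
    "10.0.0.5 POST http://198.51.100.7/img/GATE.PHP",
    "10.0.0.9 GET http://192.0.2.10/index.php",
]
```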

You can see Ronnie’s blog in its entirety here: http://phishme.com/decoding-zeus-disguised-as-an-rtf-file/
