FoxIT Whitepaper Blackhat Web

Mapp .
: 21:03:23 03.03.2014 +04:00.
Principal Security Expert

: builder.exe <> -< 1> -< N>
GameOver ZeuS
build Build bot or(and) configuration.
Michael Sandee
-nologo .
This whitepaper accompanies our presentation at Blackhat US 2015
Backgrounds on the Badguys and the Backends
-bid:[number] Numeric ID of botnet, 0 - if this is update.

-kbucket:[file] K-Bucket file, URL or single ID@IP:Port.
-config:[file] Source configuration file.
Fox-IT
-private _ key:[file] Private key file of botnet.
-subbotnet:[name] Override subbotnet name (form configruation) with this name.
-obot:[file] Output executable file of bot.
-oconfig:[file] Output configuration file of bot.
-toupdate:[file] Convert PE-file to update of bot (mark, encrypt and sign). File will be converted
-oproxy:[file] Output proxy data file of bot.
-sfile:[file] Sign file. File will be signed in place.
dht DHT operations.
-nologo .
-put _ config:[file] Put configuration data to every node.
-put _ update:[file] Put update data to every node.
-put _ proxy:[enable/disable] Enable or disable private proxy data for every node.
-ping Ping every node.
-enum _ text:[file] Enumeration of all the nodes in the network to text file.
-enum _ binary:[file] Enumeration of all the nodes in the network to binary file (NODE _ DATA _ SHORT).
plugin Manage plugin
-nologo .
-input:[file] Source DLL file.
-output:[file] Output plugin.
This whitepaper accompanies the talk GameOver ZeuS:
Badguys and Backends on Blackhat in Las Vegas, August5,
2015. The presenters are Elliott Peterson of the FBI,
MichaelSandee of Fox-IT and Tillmann Werner ofCrowdstrike.
This paper describes the history of the ZeuS malware and also the background of
the GameOver ZeuS group, which has operated for well over five years. Throughout
this paper there are sections discussing the ZeuS origin, group composition,
methods for fraud, and origin of fraudulent beneficiaries. Additionally, we will be
discussing a much lesser known side of peer-to-peer ZeuS: its use for espionage.
Throughout this paper, we refer to acronyms or names commonly used in the

malware research world. The reader will require some specialist knowledge of
malware, especially the workings of financial malware, to understand the full scope
of this document.
GameOver ZeuS, GOZ, peer-to-peer ZeuS, P2P-ZeuS and ZeuS3 are analogous to
each other and refer to a ZeuS based malware family, which was active in the wild
from September 2011 till May 2014. When we refer to the GameOver ZeuS group
or peer-to-peer ZeuS team, we mean the group that operated around this specific
malware variant and its predecessors.
Slavik is the nickname of the author of ZeuS, his real name is Evgeniy Bogachev.
Slavik was indicted by the FBI in June 2014. Over the years, he used many different
nicknames, however people close to him would still call him Slavik.
This paper would not have been possible without the help and hard work of my dear
friend and colleague, Frank Ruiz. I would also like to thank all of my colleagues at the
InTELL team at Fox-IT and our Senior Management for supporting our work.
2 | fox-it | The Background of GameOver ZeuS | July 2015

Management Summary
In June 2014, the news of a Law Enforcement led operation
targetingGameOver ZeuS was announced. In addition to action
againstthe malware itself, the author named Evgeniy Slavik
Bogachevwas indicted.
Although Slaviks endictment was over a year ago, he While the group was directly associated with the
is yet to be apprehended. An award of 3million dollars GameOver or peer-to-peer ZeuS malware, it had
has been announced for information that will lead to migrated from the previous ZeuS 2.1.0.X variants, and
his capture. even prior to that worked together simply utilizing the
kit malware of ZeuS. While in the beginning the group
The GameOver ZeuS group was a crime ring that was based more on a supplier-consumer relationship
focused on various financial frauds, most notably within the underground, over the years it grew into a
corporate banking account takeovers, with an well oiled fraud machine.
estimated 100 million dollars of losses attributed
to the group. However it is likely that the amount is During our research of GameOver ZeuS, we
higher, as the group targeted banks and victims in encountered a number of search commands that were
many different countries and has operated for many looking specifically for information regarding Foreign
years, going back to at least 2009. No aggregate Intelligence services in Georgia, Turkey and Ukraine.
numbers of fraud losses attributed to GameOver ZeuS This is rather unusual to find in financial malware, and
over this period are available, as there was not a single has fed speculation it could be one of the reasons
long running international investigation that collected why Slavik has so far been able to evade capture.
information on this. Thesearch commands were found in 2013 and 2014,
but actually it was found that the activity likely even
One of the methods of fraud that was started in the predated the start of GameOver ZeuS in 2011 and was
last year of the GameOver ZeuS, between 2013 and also executed from the ZeuS 2.1.0.X versions.
2014, was the CryptoLocker ransomware, which was
a simple way of extorting money from victims by Overall, due to the size of the group, the amount
encrypting their files and demanding money for the of activity and the global scope of the attacks, this
key. About 3 million dollars in money was paid to the investigation was a long and complex one. And while
operator of CryptoLocker, which was Slavik (and his the attacks were relatively simple, the international
affiliates), who also was the author of ZeuS. character of the frauds committed made the
investigation and prosecution a complex task.
The group itself, which called itself business club,
consisted of over 50 individuals who were involved
in the various aspects of fraud. This included the
fraudsters themselves, the persons recruiting and
arranging mule accounts, the technical support team
and various third party suppliers of other crimeware
kits that could be utilized by the group. The group
waswell organized and was led by Slavik and one
otherindividual.
fox-it | The Background of GameOver ZeuS | July 2015 | 3

ZeuS history and ecosystem
The ZeuS malware has existed for nearly a decade, and The modifications can be relatively simple, such as
has been one of the most popular and versatile tools displaying extra input fields during the login process,
used in the underground. While initially used solely by allowing the fraudsters to then use that information
actors in the Eastern European and Russian regions, to execute attacks on the site itself with the additional
typically amongst those speaking Russian, it has credentials, or use the information to enroll victims
quickly been adopted by actors all around the globe. for other services or abuse other services that could
be easily monetized. The other end of the scale is
While ZeuS is a versatile malware kit that can be injecting entire javascript frameworks that were
used for a variety of purposes, its key strength is in utilized to social engineer the victim for information,
browser manipulation through the use of its dynamic and then, on the bank side, automatically inserting and
configuration. This manipulation is achieved by a set authorizing transactions.
of rules that tell the malware on which url pattern to
take which actions. This is known in the underground But ZeuS was not used merely for banking fraud, the
as webinject, and is believed to be named by Slavik. webinjects were only used by one specific group of
Theresult is that pages which are loaded by the people, others used it just as a piece of malware to
browser, regardless of the source being an HTTP or log information that ZeuS collected from victims from
HTTPS resource, can be modified prior to rendering either the keystroke logging, or the built-in POST
bythe browser. data logging, which worked for both HTTP and HTTPS
websites and stored passwords from certain programs
Chronological summary of ZeuShighlights

2005 2006 2007 2008 2009
Back in the period of 2005/2006 Slavik Several years of dramatic growth ensued, In 2010, with a popular alternative to ZeuS,
had created ZeuS, the first publication about with both actual customers but also software named SpyEye, gaining increasing popularity,
ZeuS was made at the end of 2006. piracy leading to hundreds of users of ZeuS Slavik did his disappearing trick and
worldwide, and it soon was the most popular announced he would no longer support ZeuS,
In 2007 the first large scale attacks took place, malware in this space. but that instead the SpyEye author would
that used the ZeuS bank attack configuration support his work.
called webinjects that became the defacto In January of 2009, and likely even earlier,
standard format for bank attacks since then Slavik started working closely together with a Various variants of ZeuS appeared, which
and to this day. It was also one of the first group, named by researchers the JabberZeuS suggested the source code was in the hands of
attacks to use the hybrid attack model to beat group. This group had firsthand access to the multiple people. One variant, introducing new
two factor authentication, an attack which is latest features of ZeuS, but also did feature advanced features requiring indepth knowledge
still used with success to date. requests for specific add-on functionality of the code, was used by the group known as
that helped the group execute frauds. ZeuS JabberZeuS, the variant became known as the
development continued with new additions of Murofet/Licat ZeuS variant. We simply called it
features and increasing version numbers. by its version number ZeuS 2.1.0.X.

like FTP clients. In this way the ZeuS botnet operators of this sometimes be even more successful than the
would collect vast amounts of data from their victims, complicated and advanced attacks. So even from the
which could range from a few megabytes for a small outside an attack can look rather simple, but it all
botnet to many terabytes for GameOver ZeuS. We depends on the capabilities of the attackers to turn an
believe the GameOver ZeuS group had obtained attack into a success.
somewhere between twenty to thirty terabytes of
data over the period of five years from 2009 to 2014. After support for the official ZeuS stopped in late
2010, a number of variants of ZeuS appeared. This
Another often used feature in ZeuS was the ability to number increased after the source code became public
load other malware, which often was affiliate based in 2011, which led to the popular and widely adopted
malware such as clickfraud, or other pay per install ZeuS versions such as Citadel, Ice-IX and KINS. The
type malware. These would allow botnet operators to original ZeuS and variants of ZeuS remained popular
increase revenue from their ZeuS infections. tools that typically were stable and reliable. But since
the disappearance of GameOver ZeuS and also the
As many versions of ZeuS were pirated and thus freely lack of updates for the many variants, popularity has
available, the skillset of the attackers using ZeuS dropped. Recently, other supported malware kits have
varied a lot, hence it was impossible to generalize all been gaining popularity and have taken a lot of market
ZeuS related attacks as sophisticated. Actually the share from ZeuS.
majority of attacks were simple, and would because
2010 2011 2012 2013 2014
In 2011 the source code of ZeuS became public, In spring 2012, Microsoft DCU announced End of May 2014 was D-Day for GameOver
and this was followed by years of ZeuS variants legal action against P2P-ZeuS/GameOver ZeuS, with both a technical takedown of
appearing from small limited distributed ZeuS, which actually did no harm to the infrastructure of both GOZ and Cryptolocker,
variants, to popular widely supported actual P2P-ZeuS botnet, and devalued a lot takeover of the Cryptolocker DGA domains,
competitors, such as Ice-IX, Citadel and KINS. of good research by exposing a large amount and takeover of the peer-to-peer network of
But also variants of ZeuS, that were tailored to of intelligence information. The result was GOZ. Additionally, Slavik (Evgeniy Bogachev)
execute click fraud instead of banking fraud. that a lot of the actors involved with P2P- was indicted.
ZeuS/GameOver Zeus changed their digital
In September 2011, the ZeuS variant known identities, making it hard for many of the One of the interesting fall outs of the operation
to researchers as Murofet/Licat or simply ZeuS researchers to correctly attribute the activity. against peer-to-peer ZeuS / GameOver ZeuS,
2.1.0.X, used by the JabberZeuS group, morphed was the appearance of a new variant of this
into what we now know as peer-to-peer ZeuS, P2P-ZeuS continued to evolve, also the ZeuS after the takedown, without the peer-to-
P2P-ZeuS or GameOver ZeuS (GOZ), named addition of Cryptolocker as a potential payload peer network. It was dubbed newGOZ among
after a C&C gate gameover2.php. for some of the infections was increasing its researchers, however it never rose to the level of
notoriety. The damage done by Cryptolocker sophistication of the original peer-to-peer ZeuS,
was often far greater than the financial and it was likely a trick by the original author
damages. Additionally, Cryptolocker would run to give away the source code and create a
on thousands of systems, encrypting all files, distraction. It was only active for a short while
while financial fraud was only committed on a until it completely disappeared.
small percentage of the systems.

Inside the business club
The group that amongst researchers was known operator who was responsible for managing the GOZ
as the JabberZeuS group, was internally really operations and arranging the backend infrastructure
known as business club. The group used a number through various means. Slavik, however, was no Linux
of communication methods, but most commonly expert, and he hired external expertise for setting up
the businessclub.so jabber server. However most various servers and securing them.
members had a number of jabber accounts and could
communicate with each other through any of them. The support team was there to support various botnet
This included jabber servers of individual teams, which operational systems, which supported maintaining
committed fraud through the managed ZeuS service. or creating botnets by the customers, which included
loaders and exploit kits. The default hybrid token-
The core team of GOZ consisted of two leaders (of grabber attacks, which were optional but included by
which one was Slavik), a support crew and a number default, were supported by a dedicated webinject code
of preferred suppliers. Apart from this core team, a writer. Other items from preferred suppliers were the
number of users that were very close to the core team Blackhole exploit kit and the Psyche/Cutwail spambot.
was involved in troubleshooting and implementing Individual members could opt for their own services
certain features. Slavik was the main technical but also make use of the services provided to the team.
Peer-to-peer network
P2P-ZeuS, even though it used one coherent peer-to- Thiswas quite successful, as for nearly three years the
peer network, had up to 27 different botnets, each botnet remained active with only minor interruptions,
with its own backend instance almost identical to even though it was extremely popular and widespread,
the original ZeuS backend. Note that these 27 also with averaging around 200,000 infections active at
included the debug instances and several botnets any point in time.
which were hardly ever used. Interestingly, many of
these botnets already existed prior to the creation Each backend was managed by a different person
of the peer-to-peer version of ZeuS, and bots from or group, who in some cases had their own jabber
the old 2.1.0.X version of ZeuS were migrated using server to coordinate activity and attacks, apart from
updates to the new peer-to-peer version. the activity organized as part of business club. This
makes it harder to understand the true hierarchy of
The peer-to-peer layer merely functioned as a reliable the group, and one could argue that there is no true
and robust communication mechanism, and a way hierarchy, just a network of suppliers and consumers
tohide the next layers of the infrastructure in order of online crime services.
tobecome more resistant to takedown activity.

High dollar frauds
Business clubs role was not just to be the support a costly operation, as it was also important to make
platform for the P2P-ZeuS malware, but also to sure the accounts were not blacklisted, if they would
serve as a platform to execute the frauds for the have leaked prior to use. The process of using these
hybrid attacks, that were in the standard webinject accounts was orchestrated and planned in great detail,
configuration offered by P2P-ZeuS. Mainly targeting when access was gained to corporate victim accounts
corporate online banking systems. These were both with high dollar, in many cases multi-million dollar,
common mule accounts that were able to handle value.
small amounts of money, and high profile corporate
accounts that were set up with great care to handle The most-used banking malware attack in P2P-ZeuS,
hundreds of thousands to even millions of US dollars. which shipped in most configurations, was the hybrid
Typically these accounts were created in countries like token-grabber attack which was offered by default
China, Hong Kong, Cyprus and Latvia by associates of and was mostly responsible for the high dollar frauds.
the businessclub leadership. Internally, this system was also called the World
Bank Center. The users however could choose to not
Interestingly, while Jabber was used for a lot of the enable these attacks and rather only load their own
communication, both internally and to external attacks (webinjects), which could be for any country
partners and clients, the details of the specialized except Russia, and any type of service, such as online
mule accounts were exchanged over a secured banking, stock trading, creditcard management or
webmail server where non-descriptive aliases were other services where victims would feel compelled
used. Obviously, setting up such mule accounts was tofill in their credentials.
Business club membership

To become a member of the business club there was
typically an initial membership fee and also typically
a profit sharing agreement. Note that the customer
and core team relationship was entirely built on trust.
As a result not every member would directly get full
access, but it would take time until all the privileges
ofmembership would become available.

The Backends
The backends of the GOZ botnets were very similar to the original
ZeuS version, and to the untrained eye the differences would
bealmost unnoticeable. There was also the possibility to create
sub-botnets, which were typically used for tracking infection
campaigns and their performance, just as regular ZeuS botnets.
The differences of the backends were in the settings where jabber notifications were
built in, and technically one of the features was the ability to extract a peer-to-peer
seed list from the list of infected systems. Interestingly, instead of changing the
database, an existing field net_latency was reused without even renaming it, now
serving as field to store the peer-to-peer port a bot was listening on.
The peer-to-peer network was presumably initially intended as a backup mechanism

to recover the network in case of a takedown, later it became the standard way
of communication for everything from the standard command and control and
stolen data channels of ZeuS, but also for the built in attack methods, and some
custom variants of attacks that were added for customers. For this purpose, specific
variables were added to the webinject format, which could be used to reference a
peer-to-peer protected backend system.
Apart from the peer-to-peer network, which was only the first layer, there were
additional layers of proxies, which protected the real IP addresses of the backends
from becoming known. Even the users of the malware would log in to the individual
backends via a proxy, as to not directly expose the backend IP address in case of
an intentional or unintentional leak. However, the last few years GOZ made use
of a high profile bullet proof hoster, which offered servers with a virtual IP address
assigned to it, which was transported from another network using various tunneling
mechanisms.
In some cases these IPs were obtained from cheap VPS systems, in other cases
they were entire netblocks announced via BGP and then transported back to the
ethernet segment where the actual servers were. In case the IP addresses were
cut off, the hoster would simply get a new netblock and assign IPs from the new
netblock to the servers and it would be good to go, this typically took less than a
few business days.

Exclusive access to the boss
The way in which GOZ worked, was that a lot of Apart from the standard bot and standard builder
the functionality to manage the botnet was part of there also was a special bot that had an output file
the peer-to-peer botnet, e.g. sending updates and which contained a list of bots that was used as an
changing the configuration. To perform these actions, initial seed list for the builder. Additionally, there
the builder of GOZ was able to join the peer-to-peer was a special debug build that had the capability to
network using a seed-list and then required an RSA provide detailed debug logging of the peer-to-peer
private key to perform the relevant commands to network to debug any issue, this was used for example
update the bot and configuration. Slavik was the to understand the attacks that security researchers
person who executed these actions. executed against the peer-to-peer network. Typically,
the attacks were thwarted relatively quickly, and
subsequently the bot was hardened to not allow the
same attacks in the future.
Fraud operator groups

Looking at some of the people who were operating were also members of other private malware systems.
the malware, there were individual operators but Again note that there was a total of 27 different
some were groups with more than five members who backends, of which some were unused and some used
worked together to execute fraud. The operators for debugging purposes, however the total amount of
did not exclusively use GOZ, but also other malware members was quite large.
variants. Some were using kit malware and others
Espionage
Some of the more unusual instances of GOZ, were around information from OPEC members, a clear
specific botnets that were not used for typical fraud, sign that the information gathering was not purely
but instead for espionage. One instance focused politically motivated but also quite likely economically.
on Georgia and Turkey, the botnets contained a
number of commands issued to specifically these After the recent political changes in Ukraine, which
countries, with queries which were very detailed, led to a more pro-western government, one botnet
including searches for documents with certain levels which had been previously used for banking fraud, was
of government secret classifications, and for specific then used for a large amount of infections in Ukraine
government intelligence agency employees, and to search for certain types of politically sensitive
information about politically sensitive issues in that information.
region. Additionally, some of the activity revolved

ZeuS binary building and distribution
The ZeuS builder filename was originally zsb.exe, and interestingly, the builder for
peer-to-peer ZeuS has the same name. However, it does not name itself ZeuS, but
instead is called Mapp. But it is hard to find references to that name anywhere
else, which is a common trend amongst malware authors, as it is hard to classify
something which is not known by a very specific name, and researchers will keep
finding new names to describe it, leading to more overall confusion. Whenoperators
talked about this version of ZeuS, they did sometimes called it ZeuS version 3,
although that was likely because they had no better name for it.
Mapp Builder.
Build time: 11:25:53 25.09.2012 UTC.
Usage: zsb.exe <command> -<switch 1> -<switch N>

-nologo Suppresses display of sign-on banner.
-kbucket:[file] K-Bucket file, URL or single IP:UDP Port.
-toupdate:[file] Convert PE-file to update of bot (mark, encrypt and sign). File will be converted in place.
-sfile:[file] Mark PE-file as protected from PE-infection. File will be signed in place.
-mfile:[file] Sign file. File will be signed in place.
dht DHT operations.

-kbucket:[file] K-Bucket file, URL or single IP:UDP Port.
crypt Cryptographic functions.

-newkeys:[bits] Generate new PRIVATEKEYBLOB keys with bits size. Bits can be set from 384 to 16384 in 8-bit
increments.

As we described earlier, the builder has a number of functions, amongst which
one is to build updates with a number of configurable settings, and another is to
communicate with the peer-to-peer network to interact with it in a number of ways,
including distributing configurations and updates. For interaction with the peer-to-
peer network the builder needed a list of seed nodes, specified with the kbucket
option, one such seed file was available on a system that was actually infected with
a specialized version of the malware:
hxxp://95.211.XXX.XX:1800 /kbucket.bin
When we look at the version of the builder from 2014, compared to the version
of2012, we can notice a number of differences:
Mapp .
: 21:03:23 03.03.2014 +04:00.
: builder.exe <> -< 1> -< N>

-nologo .
-toupdate:[file] Convert PE-file to update of bot (mark, encrypt and sign). File will be converted in place.
dht DHT operations.

-nologo .

-nologo .

The newer version of the builder came both with built in rootkit (Nercurs) and new
options, which included crawling the peer-to-peer network, and the inclusion of
support for creating signed plugins from a DLL to load via the C&C server. One
specific plugin that was seen, was a VNC component before the plugin VNC was
actually built into the malware itself.
The crawling of the network resulted in a file with peer-to-peer network unique ids
combined with their IP and peer-to-peer service port. While running the tool would
simply iterate over nodes:
Node ID: aafd746a948c3dd249b1a6eb127399bd35f6258c.

UDP: 79.184.108.58:1393...OK
UDP: 79.184.108.58:1393...OK
aaf06c12fc1db30f1733f11613e14b602146e99e 81.198.65.192:6600
node already exists.
aaf3fd3f2c0768145b14835fd5e5c769f5d7ba40 2.25.49.5:6882
aa98bacdf55997269c0b69aef279aafa9ae44194 195.235.31.90:3693
a8f3350e36ffa94d060a170d9c56eaef1a39fbcc 201.170.247.128:6891
a8711bc24a7d81088d6a019022133a2650223913 119.231.123.251:7782
af8c953678b96e2cde2354bd4e1544906971c368 81.130.105.174:5539
node with this id already exists with other address 81.130.24.27:5539.
afbd1037b4321efa4a93bf222e5cadb0dbccfc75 84.156.119.58:4674
afeacaa2005f42daf05c59de914a090a85e2316e 180.197.54.75:9226
acc4fe3556402d5d45225015ed2f65273ad228ea 86.157.28.254:2553
ac9353a062f7eda103c0d75b15ea486d3e639341 172.245.217.122:3091
node with this address already exists with other id c88937ba06ed
89bb67dab34171f02c775a79f75b.
Node ID: a878ee02272b2a5c4d6277c4d985d9b244774356.

UDP: 81.64.81.176:3879...TIMEOUT

When building an executable using the builder, a number of options have to be
specified, which included the botnet id (bid) and the subbotnet name (subbotnet).
The botnet id was limited to a number of 16bit, which was hardcoded into the output
binary, where each defined number corresponded to a specific backend of ZeuS.
The subbotnet names were typically used for identifying specific campaigns for
spreading. Some where dated, and others were named descriptively after the spam
service used or the spam theme such as irs. Below you can find an overview of the
different backend names and the botnet ids associated with them.
botnet name botnet id botnet name botnet id botnet name botnet id botnet name botnet id
aqua 1111 it 9999 main6 3006 zpz 102
aqua2 2222 main 1212 vp 2000 play 101
azz 104 main1 3000 mr 1616 publo 1414
chrome 5555 main2 103 milan 2828 directoria 6666
fav 7777 main3 3002 spa 1717 debug 2222
grutik 1515 main4 3004 morgan 1144 debugr 65000
hard 8888 main5 3005 amr 100 solo 105
The operators of the individual botnets had access to a web based interface, which
issued an executable crypted with one of the specified available crypters, tied to
the botnet id assigned to the operator and also containing the embedded subbotnet
name specified by the operator. The crypter services that were directly available
to the operators were lapis (lps), crypt4you (c4u), hardsys (hrd) and twcr.
When operators tested crypters, the subbotnet name in some cases contained
the abbreviation of the crypter such as lps, hrd, or c4u. Below you can find a
screenshot of the webbased builder:
Address Hex dump ASCII

0012FAEC 6D 00 69 00|63 00 72 00|6F 00 73 00|6F 00 66 00| s.u.b.b.o.t.n.e.
0012FAFC 74 00 64 00|63 00 75 00|73 00 75 00|63 00 6B 00| t.n.a.m.e.t.e.s.
0012FB0C 73 00 00 00|9A 5B 5C 3C|44 FB 12 00|7C 24 52 77| t...?[\<D?R.|$Rw
The above memory dump shows how, after the static configuration in peer-to-peer
ZeuS has been decrypted, the subbotnet name shows up. The subbotnetnametest
was entered as input in the builder.

Operators view of peer-to-peer ZeuS
The operators have access to a number of resources, infected systems, and allows the operator to issue
the most basic is the ZeuS command and control commands. The panel is identical to the standard ZeuS
panel that allows access to basic information from the panel which had been used for many years.
Basic overview of infected systems, using a restricted

demo account that only has viewing rights:
The following screenshot shows the additional options in

the menu that are available as panel administrator:

The jabber support, while not configured in this instance, allows jabber notification
when reports for specified URL patterns are sent to the drop server:
In the Search options, an operator could search for components on a site for which the credentials were
data that was logged by the bots. This could provide compromised.
additional data when defrauding a specific victim,
both for complementing the regular banking frauds, In the botnet scripts option, much like the traditional
and for looking for creditcard data even including ZeuS command, scripts can be formatted that allow
the additional password, allowing the attackers to specification to which systems the commands should
purchase online services easily. Additionally, the be sent, including for example bot id, subbotnet name
information could be used to assist certain operational and country.
actions, such as hosting of additional malware
Some of the most commonly used commands used byattackers are:
user _ destroy Most of these commands are used in conjunction with

user _ execute <url> fraudulent activity, to install additional tools to make
os _ reboot fraud easier, to block a victims access to their bank,
connect to the victims desktop, get a session cookie
bot _ bc _ add vnc <ip> <port> and soft certificate files, and removing session cookies
user _ url _ block <urlpattern> so that the victim is forced to login, making ZeuS
user _ url _ unblock automatically log the credentials.
user _ ashplayer _ get The user_execute command was used specifically

user _ cookies _ get for CryptoLocker installations too, where the
user _ certs _ get user_execute command was issued only to US,
user _ cookies _ remove Canada, Great Britain, Australia and New Zealand.
user _ ashplayer _ remove Not all botnets that were spreading CryptoLocker
were so specific, but in most cases they were specific,
asCryptoLocker was only available in English.

How the operators execute fraud
As most of the targeted bank accounts will have hold, being shown the famous Please wait... loading
some forms of extra authentication when executing message. During the victim being on hold, the browser
a transaction, merely grabbing the credentials would continuously poll the backend to check if new
using ZeuS is not enough. This is where the browser questions were available to ask the victim.
manipulation functionality of ZeuS comes into play
which will modify the web responses from the bank On the fraud operator side, a new account would
ofthe victim, prior to rendering them. appear in the Token Grabber panel, which contained
various login details to start the session with the bank
The token-grabber attack in peer-to-peer ZeuS was from the fraud operator side. The operator could use
a simple one, which was more or less always similar. VPN services, socks proxies in the same country as the
The victim would see a normal, or almost normal, victim, but also a socks proxy of the victim machine to
login page of their bank. For example, in case the login use the same IP address as the victim. Another option
process of a bank consisted of two steps, it would was to use a VNC connection to the victim system to
be easier to have the initial page just with one extra use the same browser software as the victim. Seen
field for an OTP code required for the second page. below is the control panel the fraud operator used to
Directly after this step, the victim would be placed on communicate with the victim.

After a successful login, and when the account has destination account for which the operators had a
enough balance and accounts with transaction system containing mule accounts where transactions
capability, the fraud operator would then create a could be sent. Below you can find a screenshot of the
transaction. To create a transaction he needed a system used by the peer-to-peer ZeuS group.
Social engineering the victim

The next step would be to further social engineer are designed to make the victim understand why he
the victim for any additional authentication and has to enter the information. In some cases where
authorization challenges, which would for example be victims could create transactions but required a
TAN cards, index TAN, mobile TAN, Token OTP based, second person to authorize them, the victims were
EMV Challenge-Response based, or even relatively social engineered by calling the authorizer over to the
simple knowledge based systems. For this you can compromised computer to unlock the victim bank
see in the Token Grabber a number of pre-set buttons account.
which will allow the fraud operator to quickly ask for
any additional information that is required. In case of Typically, the result was that the victim received an
a challenge response system, the fraud operator will error message, which is designed to make the victim
have to enter the challenge, which typically is just a believe he should not try to connect for a little while.
number. In case the bank asks for a non-predefined In case of large frauds the attackers might even try
question, the fraud operator can choose custom more harsh measures, such as executing a distributed
dialog and ask the question from the bank directly to denial of service attack against the online banking
the victim. This shows how this attack is a true man site, or on one of the components required for login.
in the middle, still using relatively simple browser This would stall the victim more as he could not log in,
manipulation and scripts. it would typically be hard to reach the bank as many
customers would call due to the denial of service
The victim will receive the questions, and based on attack, and the bank itself would be in disorder due
the server side configured code and set parameters, to this incident, potentially allowing the fraudulent
the victim will see social engineering messages which transaction to slip through.

The corporate mule cities
While the group used a wide variety of mule accounts While these cities were not the only places where mule
over time, one interesting collection of mules were accounts were opened, they did at least account for a
corporate accounts located in two cities in China, both large amount of corporate mule accounts over a certain
adjacent to a border crossing with East-Russia, north period. The documents we obtained, showed a number
of Vladivostok. One is Raohe county and the other, of companies were opened, that operated under various
further south, is Suifenhe, both are in the Heilongjiang names, pretending to be trading or shipping companies.
province. They are marked on the map below. We will show some of the examples we encountered
that helped us understand the pattern.

The following are extracts of remittance information from corporate and fund accounts, typically located
forms that were found to be used by the peer-to-peer in the US. As mentioned previously, all are located in
ZeuS team. They were used to siphon large amounts of either Suifenhe or Raohe county.
money, up to millions of US dollars, to these accounts
With a large amount of manufacturing happening half of 2012. So it is not unlikely that peer-to-peer
in China, it is not uncommon for large transactions ZeuS associates would have made use of the positive
to occur to China. However the specific region of economic climate and business friendly environment
Heilongjiang is more known for Sino-Russian trade as to open their businesses right there.
there are no major shipping lanes from there to the
US. So it would be uncommon for US companies to This shows that all around the world Free Trade Zones
buy goods at companies in this specific region. and other economic incentive areas are some of
the key places where criminals can set up corporate
The specific area of Suifenhe started to develop accounts, as they are promoting business. And without
several major projects for economic cooperation too many problems, and with limited exposure, can
between China and Russia, which started in the first receive large sums of money.

The fraudulent transactions created using the execute, the fraud operators were given examples
Token Grabber panel, were by themselves relatively of how to set up the transactions and what methods
straightforward. But as banking systems vary and would work best.
international transactions can be complicated to
Note that while large transactions were more but was also still targeting consumer accounts and
complicated to pull off, they did yield larger profits credit card data, which seems a way to maximize
when the heists were successful. Still the peer-to-peer profits from the investments.
ZeuS group did not solely target corporate accounts

Keeping tabs on the neighbors
As previously mentioned, some of the clearest espionage attacks in peer-to-peer
ZeuS, and also prior to that in ZeuS 2.1.0.X, were targeted against Georgia, Turkey,
and Ukraine. During our research, we found a large amount of search queries which
were executed on the victim systems.
The search queries consisted of a number of keywords, which included contact

information like email addresses, names and nicknames. Both the contact
information and the generic keywords showed the type of information that was
searched for. We have partially masked the names of the persons to protect their
identity, and omitted the nicknames and personal email addresses. The total of
Georgian entries was 106 and the total of Turkish entries was 11.
Set of Georgian keywords we have found:
Georgian Foreign Intelligence Service: Georgian Ministry of Internal Affairs:

dir.int (at) fiss.gov.ge z.******dze (at) mia.gov.ge
admin (at) fiss.gov.ge d.*******vili (at) mia.gov.ge
z.******vili (at) fiss.gov.ge z.******vili (at) mia.gov.ge
g.****nia (at) fiss.gov.ge r_******vili (at) mia.gov.ge
k.*****odze (at) fiss.gov.ge n.******vili (at) mia.gov.ge
a****n (at) security.gov.gew
Set of Turkish keywords we have found:
Turkish Ministry of Foreign Affairs: Turkish KOM (Specialized police unit):

g****n (at) mfa.gov.tr k*****i (at) kom.gov.tr
Set Georgian keywords used in 2013, mostly focused on locating government classified material:

Set of Turkish keywords used in 2013, focused on government classified material and information
pertaining to the Syrian conflict and involvement of Russia with mercenaries and arms shipments:
gizlice + ns militan kampi + suriye

gizlice +zata mahsustur gizli + emniyet genel mdrlg
ok gizli + ns gizli + silahl teslim
son +derece +mahrem gizli + paral askerleri
salt +kiiye + zel emniyet genel mdrlg + suriye
hizmete zel + ns emniyet genel mdrlg + paral askerleri
gizlice + operativ memuru emniyet genel mdrlg + silahl teslim
gizlice + harekat rus paral askerleri + suriye
gizli olmayan + operativ memuru kafkas paral askerleri + suriye
gizli olmayan + ns silahl teslim + suriye
gizli olmayan + harekat militan kamp+ suriye
milli istihbarat tekilati + gizlice gizli+ milli istihbarat tekilati
genelkurmay bakanl stihbarat dairesi + gizlice gizli+ emniyet mdrl
mit + gizlice gizli + emniyet mdr
turhan + dilma gizlilik karar vardr
agatay +turkistan gizli + bakomiser
gokhan +turan ok gizli + emniyet mdrlg
aykut +unal ok gizli + emniyet mdr
gizli+ emniyet genel mudurlugu hizmete zel + emniyet genel mdrlg
gizli + silahli teslim snf emniyet mdr
gizli + parali askerleri hizmete zel + milli istihbarat tekilat
gizli + rus parali askerleri gizli + kiiye zel
emniyet genel mudurlugu + suriye istihbarata kar koyma
emniyet genel mudurlugu + parali askerleri casuslua kar koyma
emniyet genel mudurlugu + silahli teslim anket + milli istihbarat tekilat
rus parali askerleri + suriye gizli +suriye +askeri operasyon
kafkas parali askerleri + suriye milli istihbarat tekilat
silahli teslim + suriye askeri + suriye
Set of Ukrainian keywords used in 2013, mostly focused on locating government classified material:

i

I
-


Concluding remarks
After looking at the whole set of search queries, it is quite likely that Slavik, who had
set up and enjoyed full access to these specific ZeuS command and control servers,
was involved in more than just the crime ring around peer-to-peer ZeuS. We could
speculate that due to this part of his work he had obtained a level of protection, and
was able to get away with certain crimes as long as they were not committed against
Russia. This of course remains speculation, but perhaps it is one of the reasons why
he has as yet not been apprehended.
For further enquiries please contact Eward Driehuis driehuis@fox-it.com +31 6 43824529

Mapp .
: 21:03:23 03.03.2014 +04:00.
www.fox-it.com
: builder.exe <> -< 1> -< N>
-nologo .
f +31 (0) 15 284 79 90

t +31 (0) 15 284 79 99
e fox@fox-it.com
-toupdate:[file] Convert PE-file to update of bot (mark, encrypt and sign). File will be converted
Olof Palmestraat 6, Delft

Po box 638, 2600 AP
The Netherlands
FOX-IT
dht DHT operations.
Delft
-nologo .
Investigations - see threats to you, your peers and your

author named Evgeniy Slavik Bogachevwas indicted.
InTELL is Fox-ITs real-time threat intelligence product.
landscape; peer & sector threats, geographical trends,

intelligence is based on actor attribution and context,
operation targetingGameOver ZeuS was announced,
expanding intelligence propositions in the world. Our
STIX / TAXII feeds - InTELL features one of the largest

offices in four continents, InTELL is one of the fastest
the criminals online hangouts, and provides you with

technology as they unfold in real-time. InTELL scours
been apprehended. An award of 3million dollars has
been announced for information that will lead to his
in addition to action againstthe malware itself. The
Although this was over a year ago, he has as yet not
giving a unique insight into the criminal ecosystem.
STIX repositories in the world. You will know where

the threats are, whos behind it, how they do it and
more, feeding into your infrastructure in real-time.
Backgrounds on the Badguys and the Backends
technical trends and actor attribution. Visualized,

Servicing over 50 banks, with hundreds of branch
In June 2014, the news of a Law Enforcement led
structured and indexed, full of relevant context.

Global visibility - Learn about the global threat
world class intelligence.

GameOver ZueS
InTELL by Fox-IT
InTELL features:
601-001-en
-nologo .
capture.

FoxIT Whitepaper Blackhat Web

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

FoxIT Whitepaper Blackhat Web

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FoxIT Whitepaper Blackhat Web

Uploaded by

Copyright:

Available Formats

Mapp .

: 21:03:23 03.03.2014 +04:00.

Principal Security Expert

build Build bot or(and) configuration.

-bid:[number] Numeric ID of botnet, 0 - if this is update.

Throughout this paper, we refer to acronyms or names commonly used in the

2 | fox-it | The Background of GameOver ZeuS | July 2015

fox-it | The Background of GameOver ZeuS | July 2015 | 3

Chronological summary of ZeuShighlights

4 | fox-it | The Background of GameOver ZeuS | July 2015

2010 2011 2012 2013 2014

fox-it | The Background of GameOver ZeuS | July 2015 | 5

6 | fox-it | The Background of GameOver ZeuS | July 2015

Business club membership

fox-it | The Background of GameOver ZeuS | July 2015 | 7

The peer-to-peer network was presumably initially intended as a backup mechanism

8 | fox-it | The Background of GameOver ZeuS | July 2015

Fraud operator groups

fox-it | The Background of GameOver ZeuS | July 2015 | 9

Usage: zsb.exe <command> -<switch 1> -<switch N>

build Build bot or(and) configuration.

dht DHT operations.

crypt Cryptographic functions.

10 | fox-it | The Background of GameOver ZeuS | July 2015

: builder.exe <> -< 1> -< N>

build Build bot or(and) configuration.

dht DHT operations.

plugin Manage plugin

fox-it | The Background of GameOver ZeuS | July 2015 | 11

Node ID: aafd746a948c3dd249b1a6eb127399bd35f6258c.

Node ID: a878ee02272b2a5c4d6277c4d985d9b244774356.

12 | fox-it | The Background of GameOver ZeuS | July 2015

Address Hex dump ASCII

fox-it | The Background of GameOver ZeuS | July 2015 | 13

Basic overview of infected systems, using a restricted

The following screenshot shows the additional options in

14 | fox-it | The Background of GameOver ZeuS | July 2015

Some of the most commonly used commands used byattackers are:

user _ destroy Most of these commands are used in conjunction with

user _ ashplayer _ get The user_execute command was used specifically

fox-it | The Background of GameOver ZeuS | July 2015 | 15

16 | fox-it | The Background of GameOver ZeuS | July 2015

Social engineering the victim

fox-it | The Background of GameOver ZeuS | July 2015 | 17

18 | fox-it | The Background of GameOver ZeuS | July 2015

fox-it | The Background of GameOver ZeuS | July 2015 | 19

20 | fox-it | The Background of GameOver ZeuS | July 2015

The search queries consisted of a number of keywords, which included contact

Set of Georgian keywords we have found:

Georgian Foreign Intelligence Service: Georgian Ministry of Internal Affairs:

Set of Turkish keywords we have found:

Turkish Ministry of Foreign Affairs: Turkish KOM (Specialized police unit):

fox-it | The Background of GameOver ZeuS | July 2015 | 21

gizlice + ns militan kampi + suriye

22 | fox-it | The Background of GameOver ZeuS | July 2015

fox-it | The Background of GameOver ZeuS | July 2015 | 23

f +31 (0) 15 284 79 90

t +31 (0) 15 284 79 99