Wednesday, July 10, 2013

ZeuS Banking Trojan Botnet

ZeuS Banking Trojan C&C Server
Estimated Size:  500+ bots (small) 
Targeting: UA and RU

some of the banks being targeted:

URL listing on Cyber Crime Tracker

WHOIS details on the host network
inetnum: -
netname:       Clodo-Cloud
descr:            IT House, Ltd
person:          Maxim Dyubarev
address:        Kalyazinskaya,7, Saint-Petersburg, Russia, 194017

descr:            IT House, Ltd
origin:            AS57010 mnt-by:          ROSNIIROS-MNT

(no abuse email address) 

Some info from VirusTotal

I forgot to take a screenshot of the auth page. I went back and checked today and the server IP is now filtering all ports. The URL structure page.php?m=login is synonymous with ZeuS auth pages.

Nmap scan report for
Host is up. 
All 100 scanned ports on are filtered

Each bot has its own /reports/subdirectory on the C&C. When the server was online, the bad guys forgot to deny directory listings which allowed me to browse around to the "reports" folder. This is where bots upload data such as stolen credentials, screenshots, keystroke log files, etc. 

Here are screenshots I found of victims logging into bank accounts:

Usually the web injects and built in credential stealing modules are all these crooks need to steal from victims bank accounts. Banks are starting to use other (multi) verification/authentication methods that the bad guys need to take some screenshots and see how to login.. see above shot of auth window. 

More victim bank accounts

Personal Email Accounts
There were also screenshots of personal email accounts on these domains:

Bitcoin Miner
As if stealing money directly from victims bank accounts is not lucrative enough these assholes were mining for BitCoin on their bots as well. 

In the same directory of the panel on this server, I found a zip archive which contained a file wuaxctl.exe. > wuaxctl.exe

Russian Newspaper Editor Targeted

I also found some interesting screen shots - not just victims browsing to their online bank sites. This looks like a Russian newspaper or similar. This victim started up Adobe InDesign and then began editing a document..

ZeuS banking trojan screen shot taken of victim editing news print files.


Does anyone recognize this newspaper or speak Russian and can translate? 

It would be nice to let this organization know that they are infected with a banking trojan, and its probably not on just one machine. 

No comments:

Post a Comment