The crew behind the Kneber botnet that made headlines last year may have surfaced again in a malware campaign targeting employees of various governments.
The botnet, which pushes out the Zeus Trojan, was spotted around Christmas time spamming out malware through a phony holiday message from the White House. Those who received the card and either clicked on a link to an e-card or opened a malicious attachment were compromised.
That Zeus was stealing data will come as no surprise to anyone familiar with the Trojan; but the idea that a piece of malware most commonly associated with swiping banking credentials was after documents raised some eyebrows.
According to security blogger Brian Krebs, the botnet operators were able to get their hands on more than 2 gigabytes of PDFs, Microsoft Word and Excel documents from dozens of victims, including an employee at the U.S. National Science Foundation’s Office of Cyberinfrastructure and an official with the Moroccan government’s Ministry of Industry, Commerce and New Technologies.
“A targeted-attack against government employees with an add-on that specifically steals documents (Excel files, Word files and PDFs) is not typically the MO of ZeuS operators,” opined Alex Cox, principal research analyst at NetWitness. “They tend to focus on banking credentials, so that makes it unusual.”
Last February, researchers at NetWitness reported uncovering a 75,000-strong botnet built on the back of Zeus. The botnet was dubbed “Kneber” due to a username linking the infected systems, and stole not only banking information, but also credentials for social networks such as Facebook and hi5.
“Success in the botnet world is often measured by infection percentages, so as an operator…getting a large quantity of official documents makes it that much easier to craft a better attack the next time, because I have insider information, jargon and acronyms that may help me ‘legitimize’ my attack,” Cox said. “I can also sell these documents from a purely information gathering standpoint to interested parties.”
Mary Landesman, senior security researcher for Cisco Security Intelligence Operations, noted that while Zeus typically pilfers banking information, there are numerous examples of it being used to steal intellectual property as well.
“Primary targets of Zeus-enabled intellectual property theft have been members of the U.S. Government and military,” she said. “Most of this has come about as a result of spear phishing-style e-mail that purports to be from someone they know, i.e. spoofing some government official/agency.”
According to an analysis by NetWitness, the recent spam downloaded a second-stage executable called ‘pack.exe.’ The executable searched the compromised PC for xls, doc and PDF files and uploaded the information to a server based in Belarus that resolved to ‘uploadpack.org.’ The botnet detailed in February meanwhile had a second-stage executable known as ‘stat.exe’ that searched for the files and sent them to a server also based in Belarus. Both stat.exe and pack.exe were revealed to be perl scripts that had been converted to executables with the perl2exe tool.
“This, because it is such a small and fairly unknown aspect of the kneber compromise, makes us think that this is indeed the same operator, who is again after documents pertaining to U.S. Government activities,” Cox blogged. “This evidence shows the continuing convergence of cyber-crime and cyber-espionage activities, and how they occasionally mirror or play off one another.”
Zeus remains popular in the cyber-underground. In October, security researchers told eWEEK that the price tag for Zeus can be in the thousands.
“Though Zeus is well known to the security industry, new variants are constantly introduced which can, at least temporarily, defeat signature-based scanners,” Landesman said.