Zeus, known as Zbot, is a notorious Trojan horse malware package that predominantly targets Microsoft Windows. The primary aim of Zeus has been to steal sensitive data, especially banking information via methods such as form grabbing and keystroke logging. As we plunge into a more profound exploration of the Zeus Trojan, we will uncover its sophisticated attributes, delivery mechanisms, and the threat actors linked with it, all within the context of the MITRE ATT&CK framework.
Origins and Attribution
Zeus botnet has been primarily attributed to a Russian hacker, Evgeniy Mikhailovich Bogachev, alternatively known as “Slavik.” Nonetheless, the Zeus Trojan source code was commoditized in the black market and has been exploited and modified by numerous threat actors globally.
Zeus Malware Analysis
Delivery and File Type: Typically, Zeus was propagated through phishing attacks or drive-by downloads, often using an embedded .exe file or link to a compromised website. These files, frequently .exe or .dll, would then be downloaded to the victim’s computer.
Loaders and Installation: After execution, the Zeus Trojan dropped a .dll file payload into the system’s User Profile Directory, loading it into memory using the LoadLibrary API call – a technique termed “DLL Side-Loading” to evade detection. Zeus ensured persistence by creating an auto-run registry key, thus activating the Trojan every time the system started up.
Stealth Mechanisms: To hide its presence on an infected system, Zeus employed rootkit functionality. It could obscure files, registry keys, and other objects, thereby evading detection from antivirus solutions.
Data Collection: As an information stealer, Zeus primarily leveraged keylogging to capture the user’s keystrokes and form grabbing to snatch information directly from web forms. Additionally, it could take screenshots or record the user’s activities, further augmenting its data theft capabilities.
Pattern and Heuristics: A characteristic pattern of Zeus was its real-time web page manipulation capability or “web injects”. By modifying the look and feel of banking websites, users were often tricked into sharing sensitive information.
C2 Management and Communication
For its C2 management, Zeus leveraged a peer-to-peer model, thus ensuring a highly resilient botnet structure. Infected machines could be controlled via various servers, thereby complicating disruption attempts. The primary communication protocol was HTTP, but later variants also used peer-to-peer communication for added resilience. Stolen data sent to the C2 servers was often encrypted to avoid detection.
MITRE ATT&CK Tactics
The Zeus botnet covers several techniques identified in the MITRE ATT&CK framework:
- Spearphishing Link (T1192): Zeus often propagated via phishing emails containing malicious links or attachments.
- Drive-by Compromise (T1189): Drive-by downloads from compromised websites were another common propagation method.
- Data Obfuscation (T1001): Zeus often used encryption or encoding to obfuscate data it sent back to the C2 servers.
- Command and Control (T1071): The Zeus botnet utilized HTTP for its C2 communication.
- Data Exfiltration (T1041): Zeus exfiltrated data back to the C2 servers.
Evolution and Variants
Post the leak of Zeus’s source code in 2011, numerous new strains have emerged, including the Gameover Zeus variant that used a decentralized peer-to-peer network for its command and control servers, making it more resistant to takedown efforts. With its source code widely accessible, Zeus continues to evolve with new variants appearing regularly, each adding modifications to evade detection, enhance capabilities, or target new victims.