Unraveling ZeuS.Maple’s Stealth Loader
Researched and co-authored by Denis Laskov.
IBM X-Force research routinely analyzes malicious activity to unravel the tricks used by malware to infiltrate machines and carry out its covert activity. In a recent analysis, X-Force researchers noticed a rather interesting loader that was fetching the ZeuS.Maple banking Trojan.
Upon examination of the mystery loader, researchers found it was using an interesting twist on what’s known as the self-debugging technique, leveraging Microsoft’s PAGE_GUARD page protection modifier. Until now, this technique had not been seen in other malware. On top of its use by ZeuS.Maple’s operators, the same loader was identified in the infection process of the Gamarue malware.
About ZeuS.Maple
ZeuS.Maple is a ZeusVM iteration that was named after its operators’ top target geography: Canada. The Trojan emerged in mid-2014 as what appears to be the property of a closed cybercrime faction. It uses ZeusVM’s code plus a few clever tweaks regularly made by its developer. ZeusVM itself is a branch of the leaked source code of the original Zeus v2.0.8.9.
As a ZeusVM offspring, this Trojan relies on the same core resilience mechanism to make things more complicated for anyone who may attempt to tamper with it. Rather than compiling the entire source code into native machine code, the developers compiled part of it into an intermediate bytecode of their own design. As a result, the malware carries its own runtime environment, one that knows how to execute that intermediate bytecode; hence the name VM.
Adding the VM to Zeus does not make it harder to detect: the compiled runtime engine is not polymorphic. The feature only makes the malware more resilient to reverse engineering.
In terms of its fraud capabilities, ZeuS.Maple is a banking Trojan that features effective data-stealing capabilities, webinjection mechanisms and the tools to automate illicit transfers out of online bank accounts through a mix of social engineering and remote access to infected machines.