Malvertising has been an active and growing attack vector for delivering malicious payloads to unsuspecting users. ThreatLabZ recently uncovered a malvertising campaign targeting European transit users whose end payload appears to be the KINS variant of Zeus.
The KINS (Kasper Internet Non-Security) variant of Zeus is a banking Trojan that has been prevalent since 2011. KINS is a crimekit developed from the leaked ZeuS source code to replace the aging Citadel Trojan, which was used to harvest credentials from victim PCs.
ThreatLabZ has seen many instances of this threat being downloaded in the wild with very low AV detection. The malicious dropper payload is downloaded from URLs that match the following pattern:
[domain]:[nonstandard port]/[var1].php?[var2]=n&[var3]=n&[var4]=n&[var5]=n&[var6]=n&[var7]=n&[var8]=n
where n = random 1-4 digit number
This variant of the KINS crimekit is spreading through malvertising attempts targeting European users. All the download attempts seen above have two things in common:
Victims were visiting a site related to European transit
Victims were redirected to the final destination through an advertising network
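The download URL pattern above is specific enough to turn into a proxy-log check. The following is an added example, not ThreatLabZ's code; the thresholds (ports 80/443 treated as standard, exactly seven numeric query parameters of 1-4 digits, a single .php script under the web root) are my reading of the pattern, and the log lines are constructed, not real indicators.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Pattern from the post: [domain]:[nonstandard port]/[var1].php?[var2]=n&...&[var8]=n
# with n a random 1-4 digit number. Thresholds below are assumptions drawn from that text.
STANDARD_PORTS = {80, 443}
PARAM_COUNT = 7
NUM_RE = re.compile(r"\d{1,4}")


def matches_kins_dropper_url(url: str) -> bool:
    """Return True when a URL fits the dropper download pattern described above."""
    if "://" not in url:            # proxy logs often omit the scheme
        url = "http://" + url
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:              # malformed port such as "host:abc"
        return False
    if port is None or port in STANDARD_PORTS:
        return False
    path = parts.path.lower()
    # A single script directly under the web root, e.g. /gate.php
    if path.count("/") != 1 or not path.endswith(".php"):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) != PARAM_COUNT:
        return False
    return all(NUM_RE.fullmatch(value) for _, value in params)


# Constructed proxy-log lines (not real indicators): timestamp, client, method, URL
SAMPLE_PROXY_LOG = [
    "2015-02-03T09:15:02Z 10.1.2.3 GET http://transit-news.invalid/schedule/",
    "2015-02-03T09:15:04Z 10.1.2.3 GET http://ad-cdn.invalid:8090/gate.php?a=12&b=3456&c=7&d=89&e=100&f=2000&g=4",
    "2015-02-03T09:15:05Z 10.1.2.3 GET http://shop.invalid:8080/cart.php?id=1&q=2",
    "2015-02-03T09:15:06Z 10.1.2.3 GET https://bank.invalid/login.php?a=1&b=2&c=3&d=4&e=5&f=6&g=7",
]


def flag_dropper_downloads(log_lines):
    """Return the URLs in the log that match the dropper pattern."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 4 and matches_kins_dropper_url(fields[3]):
            hits.append(fields[3])
    return hits


if __name__ == "__main__":
    for url in flag_dropper_downloads(SAMPLE_PROXY_LOG):
        print("possible KINS dropper download:", url)
```

A hit on this pattern is a lead to pivot on (the client, the referring ad network, any following connection to TCP 36139), not a verdict on its own.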
Sample infection cycle URLs
The malware masquerades as a PDF document to lure an unsuspecting user into opening the file. Upon execution, it creates a copy of itself in the %Application Data% directory, deletes the original copy of itself and injects into the system explorer.exe process to perform a variety of actions. The dropped file on the infected system can be found at one of the following two locations:
%Application Data%\svchoste.exe [Windows XP]
%Application Data%\Roaming\[random 4-5 character string]\[random 4-5 character string].exe [Windows 7]
The bot further makes multiple system registry modifications to evade detection:
Microsoft security center - disable update notifications, disable antimalware scan:
The injected code in the system explorer process is responsible for performing Command & Control (C&C) communication. It also opens up a port (TCP 36139) on the victim machine listening for incoming connections.
The screenshot below shows the decrypted C&C location as well as a remote configuration file location for the bot:
Decrypted C&C locations
Below is the C&C call-back activity for the months of January and February 2015 and the geo-location of the C&C servers:
C&C server location
Malvertising remains an effective exploit vector for threat actors to compromise victim systems. The payloads distributed through this tactic range from click-fraud botnet activity to highly effective crimeware that gives remote attackers complete control of the infected systems.