Yesterday our colleagues from Sophos reported a new piece of Trojan malware titled Troj/ZBot-EUM. The attack delivers a ZIP file which contains an executable.

Our investigation shows that the Trojan we received (the title Trojan.Malaria.13001 uses our own naming convention) is a variation of the one detected by Sophos (first seen on 26th of April 2013) and we are hopeful that the evidence we have collected will help other security researchers, AV and Anti-Malware companies.

This is how it appears in one of the emails that we received yesterday:




It attempts to trick the user into saving and unzipping the attachment, and then clicking on the executable which appears to be a normal PDF file (if the user’s configuration is setup not to display file extensions). Below is what the unzipped file looks like in Windows Explorer if Folder Settings are configured to Hide extensions of known file types. It looks like a normal PDF, doesn’t it?




Below is the actual executable after unzipping the attachment if the setting “Hide extensions of known file types” is turned off:




These are the details of LABEL-ID-56753547-GFK723.exe executable:

Filename : LABEL-ID-56753547-GFK723.exe
MD5 : 017ea653e69c161af3751671d0461159
SHA1 : 528596225dee32bdc347b8484c5745cf87ae8ece
CRC32 : 58c1fd47
Modified Time : 26/04/2013 10:34:32 AM
Created Time : 27/04/2013 1:49:53 PM
File Size : 402,944

Assuming the user falls for the ruse and clicks on the the file LABEL-ID-56753547-GFK723.exe to open it, the attack triggers several interesting events.

First, LABEL-ID-56753547-GFK723.exe launches a second instance of the same process as LABEL-ID-56753547-GFK723.exe using the same executable image file.

The secondary instance of LABEL-ID-56753547-GFK723.exe then creates a folder named “Xyzo” under \Documents and Settings\[username]\Application Data\.  It also copies itself to\Documents and Settings\[username]\Application Data\Xyzo under a different name: “usarn.exe”. Then the newly dropped file is modified slightly, and as you can see below the hash codes of LABEL-ID-56753547-GFK723.exe and usarn.exe are different.




The secondary running instance of LABEL-ID-56753547-GFK723.exe process then launches an instance of usarn.exe.

Below are the details of usarn.exe located under folder \Documents and Settings\[username]\Application Data\Xyzo:

Filename : usarn.exe
MD5 : c5544d8adac2723ecfa4337f637197e9
SHA1 : 5f91c221009b2e553d5c383693d70f59d8ed35db
CRC32 : 1deee828
Modified Time : 5/12/2012 2:36:54 AM
Created Time : 27/04/2013 2:13:09 PM
File Size : 402,944

Both the hash and the name of the file image that is dropped by LABEL-ID-56753547-GFK723.exe are different from those reported by Sophos (in which case the secondary dropped file was named goyc.exe). The names of the folders differ as well. In the Sophos report, the full name of the file that is dropped is “c:\Documents and Settings\test user\Application Data\Gyowta\goyc.exe”. In our case it is “\Documents and Settings\[username]\Application Data\Xyzo\usarn.exe”. That probably indicates that this Trojan is customizable and may drop different files under a sub-folder of \Documents and Settings\[username]\Application Data\

Further, LABEL-ID-56753547-GFK723.exe also creates a registry key under HKCU\Software\Microsoft with name “Hion”. A quick check in the urban dictionary shows that the first meaning of Hion is “to make confusing through cryptic wording”. The following screenshot shows the content of the Hion Key created by LABEL-ID-56753547-GFK723.exe.




LABEL-ID-56753547-GFK723.exe also launches an instance of the command prompt C:\WINDOWS\system32\cmd.exe. After launching the command prompt, LABEL-ID-56753547-GFK723.exe injects code into cmd.exe.

Then both instances of  LABEL-ID-56753547-GFK723.exe terminate and usarn.exe deletes the file image of LABEL-ID-56753547-GFK723.exe from the disk.

The process usarn.exe then creates a file named “eryra.sau.dat” and drops it under  “\Documents and Settings\[UserName]\Local Settings\Application Data\”. This is very likely a data file, and its name differs from that in the Sophos report.

Once running, usarn.exe enumerates all processes running within the same user session and injects code. Infected processes include explorer.exe and rundll32.exe, among others. We find it interesting that the remote code is not injected into any of the running services.

The injected code running in explorer.exe, rundll32.exe and other running processes proceeds to update some of the registry values located under the HKCU\Software\Microsoft\Hion registry location.

The process usarn.exe also registers itself as a “run at startup” application as shown below:




These are some of the events captured. We will continue investigating this Trojan and hope to provide more details very soon.

UPDATE: Our colleague, security researcher Mila Parkour pointed out that this recent Malware is a Zeus variant also known and as Citadel.