Zeus Malware Analysis - Sophos UTM, Security Onion

I’ve posted about dynamic and automated analysis of the Zeus malware, but what about identifying Zeus from firewall & IDS logs?

After executing Zeus, my Sophos UTM generated a few alerts. This is something that would absolutely stick out to me during daily log analysis.

[Screenshot: Sophos UTM Advanced Threat Protection dashboard, "Botnet/command-and-control traffic detected", showing events since June 25, 2020 20:36, with one entry under Infected Hosts]

Drilling into the alert tells us the threat "C2/ZAccess-A" attempted to reach out to a German server (.de) 36 times.

[Screenshot: Advanced Threat Protection drill-down: 36 total events, threat name C2/ZAccess-A, origin srv, destination a German (.de) web server, events since June 25, 2020 20:37]

It looks like my Sophos FW (IPS) blocked the outbound connections from Zeus. This explains why flashplayerinstall.exe was not successfully downloaded. I initially thought it was an OS compatibility issue, but it appears the FW blocked the connection.

[Screenshot: Sophos UTM IPS reports. Top Blocked Attacks: 27 attacks blocked, all by rule ID 23492 "MALWARE-CNC Win_Trojan_ZeroAccess outbound connection". Top Attackers: 27 attacks blocked, 100.00% from a single source IP, rule group Malware]

Next, I want to see whether the malware fired any Snort alerts. We'll log in to Squert (Security Onion) to view them:

[Screenshot: Security Onion Squert login page with username and password fields]

Then we'll filter by the source IP of the infected host.

[Screenshot: Squert filter "sip 172.16.0.10" applied, 100.0% of displayed events matching]

This yields 3 unique alerts, all referencing DNS requests from the Zeus malware.

ET TROJAN ZeroAccess udp traffic detected 
ET DNS Non-DNS or Non-compliant DNS traffic on DNS port Opcode 8 through 15 set 
ET DNS Non-DNS or Non-compliant DNS traffic on DNS port Reserved Bit Set

If we expand the first alert to fire (bottom of the list), we see a DNS attempt to a German IP address (.de).

[Screenshot: Squert event detail, event ID 3.360869, 2020-06-27: source 172.16.0.10 (RFC1918), destination 85.114.128.127 (Germany, .de), port 59215, signature "ET DNS Non-DNS or Non-compliant DNS traffic on DNS port Reserved Bit Set"]

The payload isn't very descriptive and not much can be identified from the data. To act on this kind of alert, you need a baseline of the alerts that normally fire on your network; without one it is easily lost in the sea of alerts.

[Screenshot: packet payload hex dump for the event; only a handful of bytes are legible]

The second alert displays the same info as the first. The only difference is instead of “DNS traffic on DNS port Reserved Bit Set,” the alert reads “DNS port Opcode 8 through 15 set.”

[Screenshot: Squert event detail, 2020-06-27: source 172.16.0.10 (RFC1918), destination 85.114.128.127 (Germany, .de), port 59215, signature "ET DNS Non-DNS or Non-compliant DNS traffic on DNS port Opcode 8 through 15 set"]
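As an added example (my code, not part of the original post and not the Emerging Threats rule logic itself), here is the DNS header check that the two ET DNS anomaly signatures above are built on, generalised slightly: it parses the 12-byte DNS header from a UDP/53 payload, flags an opcode of 8 through 15 and a set reserved (Z) bit, and also flags the fixed 20-byte datagram size that the ET TROJAN ZeroAccess rule (sid 2015474, whose rule text appears further down this page) matches with dsize:20. The sample packets are constructed, not captured from Zeus.

```python
# Added example (not from the original post): the DNS header checks behind the
# "ET DNS Non-DNS or Non-compliant DNS traffic on DNS port" alerts, plus the
# fixed-size check used by the ET TROJAN ZeroAccess UDP rule (dsize:20).
import struct
from dataclasses import dataclass, field

DNS_HEADER_LEN = 12  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (2 bytes each)


@dataclass
class DnsHeaderCheck:
    opcode: int
    reserved_bit_set: bool
    dsize: int
    findings: list = field(default_factory=list)


def check_dns_payload(payload: bytes) -> DnsHeaderCheck:
    """Inspect a UDP/53 payload the way the ET DNS anomaly rules do.

    Flags word (RFC 1035, with RFC 4035 bits): QR(1) OPCODE(4) AA TC RD RA Z AD CD RCODE(4).
    Opcodes 8-15 are unassigned by IANA, so a set high opcode bit is a strong anomaly.
    Only the true Z bit (0x0040) is treated as reserved: AD (0x0020) and CD (0x0010)
    are legitimately set by DNSSEC-aware resolvers and must not be flagged.
    """
    dsize = len(payload)
    if dsize < DNS_HEADER_LEN:
        return DnsHeaderCheck(-1, False, dsize, ["payload shorter than a DNS header"])
    _ident, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:DNS_HEADER_LEN])
    opcode = (flags >> 11) & 0xF
    z_set = bool(flags & 0x0040)
    result = DnsHeaderCheck(opcode, z_set, dsize)
    if opcode >= 8:
        result.findings.append("Opcode 8 through 15 set")
    if z_set:
        result.findings.append("Reserved Bit Set")
    if dsize == 20:
        # The ZeroAccess UDP signature keys on a 20-byte datagram to port 53 (dsize:20)
        # combined with a content match; the size alone is only a weak indicator.
        result.findings.append("20-byte datagram to port 53")
    return result


def build_query(name: str, ident: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Build a minimal DNS A query (constructed sample input, not captured traffic)."""
    qname = b"".join(len(label).to_bytes(1, "big") + label.encode() for label in name.split("."))
    qname += b"\x00"
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


# Constructed samples: a normal recursive query, the same query with opcode 9,
# the same query with the Z bit set, and an opaque 20-byte blob.
NORMAL_QUERY = build_query("example.com")
OPCODE9_QUERY = build_query("example.com", flags=(9 << 11) | 0x0100)
ZBIT_QUERY = build_query("example.com", flags=0x0100 | 0x0040)
BLOB_20 = bytes(range(20))

if __name__ == "__main__":
    for label, pkt in [("normal", NORMAL_QUERY), ("opcode9", OPCODE9_QUERY),
                       ("zbit", ZBIT_QUERY), ("blob20", BLOB_20)]:
        print(f"{label:8} opcode={check_dns_payload(pkt).opcode:2} findings={check_dns_payload(pkt).findings}")
```

The AD and CD bits occupy two of the three bits RFC 1035 originally reserved; a check that treats all three as "reserved" will fire on every DNSSEC-validating resolver on the network, which is exactly the kind of noise that buries the real hits. Datagram size alone is likewise weak, which is why the real rule pairs dsize with a content match.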

This brings us to the remaining 27 alerts. Marked as "ET TROJAN ZeroAccess udp traffic detected," this alert appears to trigger after every DNS request from Zeus. From my experience as an analyst, I've been successful with prioritizing ET TROJAN alerts during threat hunting and alerting. We create a report in our SIEM to identify "ET TROJAN" alerts.

[Screenshot: Squert detail for signature "ET TROJAN ZeroAccess udp traffic detected", sid 2015474, 2.634% of total events (16103 rules downloaded). The rule text, as far as it is legible, is: alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN ZeroAccess udp traffic detected"; <content match, bytes not legible>; offset:6; depth:2; dsize:20; classtype:trojan-activity; sid:2015474; rev:2; metadata:created_at 2012_07_13, updated_at 2012_07_13;). Three of the matching events are shown: IDs 3.360877, 3.360878 and 3.360879, 2020-06-27, 172.16.0.10 (RFC1918) -> 85.114.128.127 (Germany, .de), source ports 55644, 55645 and 55646]

Unfortunately, the payload data is exactly the same and provides no additional insight.
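To make the baselining and the ET TROJAN prioritisation described above concrete, here is an added example (my code, not from the post and not any SIEM product's report logic) that triages alerts in Snort/Suricata fast.log format: it parses each line, counts events per signature, marks anything whose name starts with "ET TROJAN" as high priority, marks signatures absent from a baseline of routinely-seen alerts as medium, and leaves the rest low. The log lines and the baseline set are constructed; the signature names, the two sids visible on this page (2015474, 2015743) and the addresses are taken from the alerts above, while sids 9000001 and 9000002, the revision numbers and the timestamps are placeholders.

```python
# Added example (not from the original post): triage of Snort/Suricata fast.log
# alerts by signature, with ET TROJAN first and unbaselined signatures next.
import re

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample in fast.log format. Signature names, sids 2015474 and 2015743
# and the addresses come from the alerts on this page; sids 9000001/9000002,
# revisions and timestamps are placeholders, not real Emerging Threats values.
SAMPLE_FAST_LOG = """\
06/27-18:41:02.118021  [**] [1:2015474:2] ET TROJAN ZeroAccess udp traffic detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.10:55644 -> 85.114.128.127:53
06/27-18:41:02.118305  [**] [1:2015474:2] ET TROJAN ZeroAccess udp traffic detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.10:55645 -> 85.114.128.127:53
06/27-18:41:02.118590  [**] [1:2015474:2] ET TROJAN ZeroAccess udp traffic detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.16.0.10:55646 -> 85.114.128.127:53
06/27-18:40:59.004417  [**] [1:9000001:1] ET DNS Non-DNS or Non-compliant DNS traffic on DNS port Reserved Bit Set [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.0.10:59215 -> 85.114.128.127:53
06/27-18:40:59.004812  [**] [1:9000002:1] ET DNS Non-DNS or Non-compliant DNS traffic on DNS port Opcode 8 through 15 set [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 172.16.0.10:59215 -> 85.114.128.127:53
06/27-18:44:10.770013  [**] [1:2015743:1] ET INFO Revoked Adobe Code Signing Certificate Seen [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 8.8.8.8:80 -> 172.16.0.10:49679
06/27-18:44:11.101977  [**] [1:2015743:1] ET INFO Revoked Adobe Code Signing Certificate Seen [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 8.8.8.8:80 -> 172.16.0.10:49709
""".splitlines()

# Constructed baseline: signatures that fire routinely on this network and can be
# reviewed at low priority unless they appear alongside something worse.
BASELINE = {"ET INFO Revoked Adobe Code Signing Certificate Seen"}


def parse_fast_log(lines):
    """Return one dict per parseable fast.log line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(FAST_LOG_RE.match, lines) if m]


def priority_for(msg, baseline):
    if msg.startswith("ET TROJAN"):
        return "high"     # malware-family C2 signatures: always review
    if msg not in baseline:
        return "medium"   # new to this network: needs a look
    return "low"


def triage(lines, baseline):
    """Aggregate alerts per signature; highest priority and largest count first."""
    rows = {}
    for ev in parse_fast_log(lines):
        row = rows.setdefault(ev["msg"], {
            "sid": ev["sid"], "count": 0, "sources": set(), "destinations": set(),
            "priority": priority_for(ev["msg"], baseline)})
        row["count"] += 1
        row["sources"].add(ev["src"])
        row["destinations"].add(ev["dst"])
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(rows.items(), key=lambda kv: (rank[kv[1]["priority"]], -kv[1]["count"], kv[0]))


if __name__ == "__main__":
    for msg, row in triage(SAMPLE_FAST_LOG, BASELINE):
        print(f"{row['priority']:6} {row['count']:3}  sid {row['sid']}  {msg}  -> {sorted(row['destinations'])}")
```

Sorting by priority before count is the point: the single new ET DNS anomaly lands above the well-known informational signature even though the latter fired twice, which is what a baseline buys you over a raw top-N report. In a SIEM the baseline would come from a saved search over the previous weeks rather than a hard-coded set.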

It looks like Sophos was the last line of protection in preventing the download of Zeus’ payload “flashplayerinstall.exe.” I’ll have to make an exception when executing malware in the future, but it’s nice to see defense in depth in action.

[Screenshot: Squert events for signature "ET INFO Revoked Adobe Code Signing Certificate Seen", sid 2015743, 2.732% of total: event IDs 3.360840, 3.360841 and 3.360880, 2020-06-27, from 8.8.8.8 (United States) to 172.16.0.10 (RFC1918), ports 49679 and 49709. The payload dump below the events is mostly illegible; the readable fragments are certificate strings: VeriSign OCSP and CRL URLs (ocsp.verisign.com, crl.verisign.com, csc3-2010-crl.verisign.com), the VeriSign Trust Network terms-of-use URL, "VeriSign Class 3 Code Signing 2010 CA", "Adobe Systems Incorporated", San Jose, California, and "Microsoft Software Validation v2"]

If we take a look at the Sguil alerts in Security Onion, we see that for some reason Squert wasn't displaying all the alerts associated with the IP.

[Screenshot: Sguil "Real Time Events" pane, three alerts (IDs 3.361076, 3.361077 and 3.361090; counts 13, 13 and 1) on 2020-06-28, from 8.8.8.8 to 172.16.0.10, destination port 49971, protocol 6 (TCP): "ET POLICY PE EXE or DLL Windows file download HTTP", "ET INFO EXE - Served Attached HTTP", "ET INFO Packed Executable Download"]

If we right-click the Alert ID, we can select a number of ways to carve up the traffic. I typically select Transcript, but in this case we'll look at NetworkMiner.

[Screenshot: Sguil right-click menu on alert ID 3.361076 offering Transcript, Transcript (force new), Wireshark, Wireshark (force new), NetworkMiner, NetworkMiner (force new) and Bro (force new). Other events in the list have source IPs 8.8.8.8, 82.103.90.50, 37.49.224.183, 60.191.125.35, 95.216.205.220 and 49.233.192.233]

Here is the full packet capture transcript. The HTTP request that fetches the payload is shown in blue and the server's 200 response in red, which tells us the connection was successful.

[Screenshot: Sguil transcript seconion-enp0s8-1_361076, sensor seconion-enp0s8-1, timestamp 2020-06-28, 172.16.0.10:49971 -> 8.8.8.8:80. OS fingerprint: 172.16.0.10:49971 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC] -> 8.8.8.8:80 (distance 1, link: ethernet/modem). The legible request and response lines are:
SRC: HEAD /edgedl/release2/chrome/<token not legible>/chrome_installer.exe?<query not legible> HTTP/1.1
SRC: Connection: Keep-Alive
SRC: Accept:
SRC: Accept-Encoding: identity
SRC: User-Agent: Microsoft BITS/7.8
SRC: X-Old-UID: age=1; cnt=1
SRC: X-Last-HR: 0x0
SRC: X-Last-HTTP-Status-Code: 0
SRC: X-Retry-Count: 0
SRC: X-HTTP-Attempts: 1
SRC: Host: r6---sn-a5mekned.gvt1.com
DST: HTTP/1.1 200 OK
DST: Accept-Ranges: bytes
DST: Content-Disposition: attachment
Debug messages show the BPF filter used to pull the stream, "... port 49971 and proto 6) or (vlan and host 8.8.8.8 and host 172.16.0.10 and port 80 and port 49971 and proto 6)", followed by "Receiving raw file from sensor." and "Finished."]
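Extracting the searchable artefacts from a transcript like the one above is the step that turns it into IOCs for the SIEM, so here is an added example (my code, not the post's and not part of Sguil) that parses SRC:/DST: prefixed transcript lines into the request, the response, and a flat record of host, URL, User-Agent, status, and the downloaded filename. The sample transcript is constructed from the fields legible on this page; the path token, query string, Accept value and the two Content-* response headers are placeholders, since the transcript did not show them. Recording the User-Agent and Host is worth the effort: they tell you which client (here a BITS client fetching from a gvt1.com host) produced the transfer, which you can check in endpoint logs before tying the file to the sample.

```python
# Added example (not from the original post): extract the download artefacts from
# a Sguil-style HTTP transcript so they can be searched for in a SIEM.
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the transcript on this page. Host, method,
# User-Agent, the BITS X-* headers, the 200 status and Content-Disposition come
# from the transcript; the path token, query string, Accept value and the two
# Content-* response headers are placeholders.
SAMPLE_TRANSCRIPT = """\
SRC: HEAD /edgedl/release2/chrome/PLACEHOLDER-TOKEN/83.0.4103.116_chrome_installer.exe?q=PLACEHOLDER HTTP/1.1
SRC: Connection: Keep-Alive
SRC: Accept: */*
SRC: Accept-Encoding: identity
SRC: User-Agent: Microsoft BITS/7.8
SRC: X-Retry-Count: 0
SRC: X-HTTP-Attempts: 1
SRC: Host: r6---sn-a5mekned.gvt1.com
SRC:
DST: HTTP/1.1 200 OK
DST: Accept-Ranges: bytes
DST: Content-Disposition: attachment
DST: Content-Type: application/octet-stream
DST: Content-Length: 61010688
DST:
"""

HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")
FILENAME_RE = re.compile(r'filename\*?=\s*"?([^";]+)"?', re.IGNORECASE)


def parse_transcript(text):
    """Split SRC:/DST: lines into the first request and the first response.

    Only the first exchange on the stream is parsed; a keep-alive stream carrying
    several requests would also need the body lengths tracked.
    """
    request = {"line": None, "headers": {}}
    response = {"line": None, "headers": {}}
    for raw in text.splitlines():
        if raw.startswith("SRC:"):
            side, body = request, raw[4:].strip()
        elif raw.startswith("DST:"):
            side, body = response, raw[4:].strip()
        else:
            continue                  # debug messages and other noise
        if not body:
            continue                  # blank line ends the header block
        if side["line"] is None:
            side["line"] = body       # request line or status line
        else:
            m = HEADER_RE.match(body)
            if m:
                side["headers"][m.group(1).lower()] = m.group(2)
    return request, response


def filename_from(disposition, path):
    """Prefer filename= from Content-Disposition; else the last URL path segment."""
    if disposition:
        m = FILENAME_RE.search(disposition)
        if m:
            return m.group(1).strip()
    return urlsplit(path).path.rsplit("/", 1)[-1]


def extract_iocs(text):
    """Return the searchable artefacts of the transfer as a flat dict."""
    req, resp = parse_transcript(text)
    method, path, _version = req["line"].split(" ", 2)
    host = req["headers"].get("host", "")
    status = int(resp["line"].split(" ", 2)[1]) if resp["line"] else None
    return {
        "method": method,
        "host": host,
        "url": f"http://{host}{path}",
        "user_agent": req["headers"].get("user-agent", ""),
        "status": status,
        "content_type": resp["headers"].get("content-type"),
        "content_length": resp["headers"].get("content-length"),
        "filename": filename_from(resp["headers"].get("content-disposition"), path),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_TRANSCRIPT).items():
        print(f"{key:15} {value}")
```

The Content-Disposition on this page carries no filename parameter, so the name falls back to the last URL path segment; when a server does supply filename=, that value wins because it is what the client writes to disk.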

We can also select NetworkMiner, which is able to carve out the file that was downloaded to my machine.

[Screenshot: NetworkMiner with tabs Hosts (2), Files (1), Images, Messages, Credentials, Sessions (1), DNS. The single carved file is 83.0.4103.116_chrome_installer.exe (extension exe, size 61010688 bytes) from source host 8.8.8.8 [r6---sn-a5mekned.gvt1.com], with a file save dialog open on the release2/chrome path]

Here’s how we’d export the file in Wireshark:

[Screenshot: Wireshark File menu open over the capture of the 172.16.0.10:49971 stream, with Export Objects highlighted (File > Export Objects, submenu starting with DICOM...). Neighbouring entries: Open, Open Recent, Merge..., Import from Hex Dump..., Close, Save, Save As..., File Set, Export Specified Packets..., Export Packet Dissections, Export Packet Bytes..., Export PDUs to File..., Export SSL Session Keys..., Print..., Quit]

Wireshark lists the HTTP objects it identifies in the capture and lets us save the file for further analysis.

[Screenshot: Wireshark - Export - HTTP object list: packet 62712, hostname r6---sn-a5mekned.gvt1.com, content type application/octet-stream, size 61 MB, filename 83.0.4103.116_chrome_installer.exe?cms_r (truncated in the dialog)]

I could continue down the rabbit hole with the chrome_installer.exe file, but I think this is a good point to cut off our analysis. In a real-world example, I'd take the IOCs derived from this analysis and search for related incidents in a SIEM. Using network, OS and security-control logs, the goal is to identify and scope a compromise. Based on this data the process can become cyclical: incident response drives analysis of related events via the SIEM, and if additional machines are discovered to be compromised, IR analysis begins again. IR and SOC analysis should always complement one another, and IOCs must be effectively communicated between both parties to uncover the full scale of a compromise.
