ZeuS Banking Trojan Botnet
ZeuS Banking Trojan C&C Server
kopolonimu.info
62.76.188.139
Estimated Size: 500+ bots (small)
Targeting: UA and RU
Some of the banks being targeted:
privatbank.ua
dnbbank.ru
URL listing on Cyber Crime Tracker
WHOIS details on the host network
inetnum: 62.76.176.0 - 62.76.191.255
netname: Clodo-Cloud
descr: IT House, Ltd
person: Maxim Dyubarev
address: Kalyazinskaya,7, Saint-Petersburg, Russia, 194017
route: 62.76.184.0/21
descr: IT House, Ltd
origin: AS57010
mnt-by: ROSNIIROS-MNT
(no abuse email address)
Some info from VirusTotal
Nmap scan report for 62.76.188.139
Host is up.
All 100 scanned ports on 62.76.188.139 are filtered
Each bot has its own /reports/ subdirectory on the C&C. When the server was online, the bad guys forgot to deny directory listings, which allowed me to browse around to the "reports" folder. This is where bots upload data such as stolen credentials, screenshots, keystroke log files, etc.
Here are screenshots I found of victims logging into bank accounts:

Usually the web injects and built-in credential-stealing modules are all these crooks need to steal from victims' bank accounts. Banks are starting to use other (multi-factor) verification/authentication methods, so the bad guys need to take screenshots to see how the login works; see the shot of the auth window above.

More victim bank accounts

Personal Email Accounts
There were also screenshots of personal email accounts on these domains:
yandex.netfilin.mail.ru
Bitcoin Miner
As if stealing money directly from victims' bank accounts is not lucrative enough, these assholes were mining for BitCoin on their bots as well.
In the same directory of the panel on this server, I found a zip archive amd.zip which contained a file wuaxctl.exe.
amd.zip > wuaxctl.exe
https://www.virustotal.com/en/file/fc21aa025de72e60dcde2f013d67dd1a84c8bc5b7be8005d5616ca410fc7abd6/analysis/1372864267/
Russian Newspaper Editor Targeted
I also found some interesting screenshots, not just victims browsing to their online banking sites. This looks like a Russian newspaper or similar. This victim started up Adobe InDesign and then began editing a document.

ZeuS banking trojan screenshot taken of a victim editing newsprint files.
Does anyone recognize this newspaper or speak Russian and can translate?
It would be nice to let this organization know that they are infected with a banking trojan, and it's probably not on just one machine.