In this blog post, I will analyze a PCAP file that was captured on a machine infected with the Zeus malware. The analysis will be run with Wireshark. The packet capture comes from the Malware-Of-The-Day archive on Active Countermeasures.
Zeus is a Trojan-Banker, which is a type of malware designed to steal user account data relating to online banking systems. Terdot, a new evolution of Zeus, can also eavesdrop on and modify traffic on most social media and email platforms.
We download zeus_1hr.pcap from here to our Kali Linux 2020.3 instance. We will use Wireshark 3.2.5 for the analysis.
HTTP Requests Analysis
We launch Wireshark and open zeus_1hr.pcap. Next, we list HTTP requests by HTTP host. What to select on the Wireshark GUI is listed under each screenshot.
The first thing that stands out is that more than 95% of all HTTP requests are made to mahamaya1ifesciences.com. All 117 of them request the same JPG file. Let’s analyze each HTTP host:
- ocsp.digicert.com: This seems legit. OCSP is a protocol that checks whether an SSL certificate has been revoked.
- tile-service.weather.microsoft.com: This seems legit. This is used to download updates to the Weather app Live Tile.
- 18.104.22.168:1900: This seems legit. This is the IPv4 site-local address and port used by the Simple Service Discovery Protocol (SSDP).
- mahamaya1ifesciences.com: This is suspicious because it modifies the legit domain mahamayalifesciences.com by replacing the “l” with a “1”. A quick search on the Internet shows that this is a known Zeus C2 domain.
TCP Stream Analysis
The next step is to zoom in on the conversation between the infected machine and the C2 server. First, we need to find out the IP addresses of the machines involved. The target machine’s IPv4 address is 192.168.99.53, whereas the C2 server’s IPv4 address is 22.214.171.124, as described in the lab setup[3]. By looking at all the conversations, we notice that 126.96.36.199 and 192.168.99.53 exchanged more than 25,000 packets (28 MB). This makes them the conversation pair with the most traffic.
By updating the filter, we now only see the conversation between 188.8.131.52 and 192.168.99.53. Next, we follow the corresponding TCP stream and read the server’s response to the HTTP requests from the infected machine.
By following the TCP stream, we see that the C2 server answers with a PowerShell command rather than the requested JPG. This is made clear by the use of IEX, the alias for Invoke-Expression, which is a PowerShell cmdlet[4]. In this instance, IEX runs a command that decompresses and reads a gzip stream, using classes from the System.IO namespace.
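As an added example (not part of the original post or the lab), the following Python mirrors the manual step above in a scriptable form: it flags the IEX/gzip cradle indicators in an HTTP response body, checks whether the declared Content-Type matches what was actually served, and statically decompresses the embedded blob so the next stage can be read without ever executing it. The HTTP response and the base64 blob are constructed here and are not taken from the PCAP.

```python
import base64
import gzip
import re
import zlib
from typing import List, Optional

# Indicators of the PowerShell cradle seen in the TCP stream: IEX / Invoke-Expression
# plus gzip decompression via System.IO. PowerShell is case-insensitive, so we are too.
CRADLE_PATTERNS = [
    r"\b(?:IEX|Invoke-Expression)\b",
    r"(?:System\.)?IO\.Compression\.GzipStream",
    r"\[Convert\]::FromBase64String",
]
B64_BLOB = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

# Constructed sample: a harmless stage-2 string, gzip'd and base64'd, wrapped in a
# cradle-shaped one-liner served where the client asked for a JPG.
_STAGE2 = "Write-Output 'constructed stage-2 placeholder'"
_BLOB = base64.b64encode(gzip.compress(_STAGE2.encode())).decode()
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
    "IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
    "[IO.MemoryStream][Convert]::FromBase64String('" + _BLOB + "'),"
    "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()"
)

def split_response(raw: str):
    """Split a raw HTTP response into (headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    return head, body

def cradle_indicators(body: str) -> List[str]:
    """Return the cradle patterns present in the response body."""
    return [p for p in CRADLE_PATTERNS if re.search(p, body, re.IGNORECASE)]

def content_type_mismatch(headers: str, body: str) -> bool:
    """True when the server claims an image but the body is printable script text."""
    claims_image = re.search(r"^Content-Type:\s*image/", headers, re.I | re.M) is not None
    return claims_image and body.isprintable() and bool(cradle_indicators(body))

def extract_stage2(body: str) -> Optional[str]:
    """Recover the gzip'd payload the one-liner would hand to IEX, without running it."""
    m = B64_BLOB.search(body)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return gzip.decompress(raw).decode("utf-8", errors="replace")
    except (ValueError, OSError, zlib.error):  # bad base64 or not a gzip stream
        return None
```

Run it over the body of the stream you followed in Wireshark (File, Export Packet Bytes, or copy the raw text) to triage a response without touching PowerShell.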
All in all, we analyzed a PCAP trace with Wireshark and found out with a few clicks that the Zeus malware delivers its payload via a PowerShell one-liner[5].
I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!
1. The lab setup tells us that the connection type is reverse HTTP.
2. Command and Control (or C2) is the communication channel between the infected machine and “home base”, which is very often an external server on the Internet.
3. If the domain mahamaya1ifesciences.com still existed, we could find its related IP address with nslookup.
4. A cmdlet is a lightweight command that is used in the PowerShell environment.
5. A PowerShell one-liner is one continuous pipeline.