Zeus malware. Packet capture analysis with Wireshark

I analyze a PCAP file that was captured on a machine infected with the Zeus malware.

In this blog post, I will analyze a PCAP file that was captured on a machine infected with the Zeus malware. The analysis will be run with Wireshark. The packet capture comes from the Malware-Of-The-Day archive on Active Countermeasures.

Zeus malware

Zeus is a Trojan-Banker, which is a type of malware designed to steal user account data relating to online banking systems. Terdot, a new evolution of Zeus, can also eavesdrop on and modify traffic on most social media and email platforms.

This is the setup of the lab for the Zeus malware on Active Countermeasures.

Introduction

We will first get an overview of the malicious activity on this system by listing HTTP requests1. Then, we will analyze the conversations between the infected system and the C22 server.

We download zeus_1hr.pcap from here to our Kali Linux 2020.3 instance. We will use Wireshark 3.2.5 for the analysis.

HTTP Requests Analysis

We launch Wireshark and open zeus_1hr.pcap. Next, we list HTTP requests by HTTP host. What to select on the Wireshark GUI is listed under each screenshot.

Statistics > HTTP > Requests
117 HTTP requests (more than 95% of all HTTP requests) with the same string are made to a suspicious domain.

The first thing that stands out is that more than 95% of all HTTP requests are made to mahamaya1ifesciences.com. All 117 of them request the same JPG file. Let’s analyze each single HTTP host:

  • ocsp.digicert.com: This seems legit. OCSP is a protocol that checks whether an SSL certificate has been revoked.
  • tile-service.weather.microsoft.com: This seems legit. This is used to download updates to the Weather app Live Tile.
  • 239.255.255.250:1900: This seems legit. This is the IPv4 site-local address for the network protocol Simple Service Discovery Protocol.
  • mahamaya1ifesciences.com: This is suspicious because it modifies the legit domain mahamayalifesciences.com by replacing the “l” with a “1”. A quick search on the Internet shows that this is a known Zeus C2 domain.

TCP Stream Analysis

The next step is to zoom in onto the conversation between the infected machine and the C2 server. First, we need to find out the IP addresses of the machines involved. The target machine’s IPv4 is 192.168.99.53, whereas the C2 server’s IPv4 is 67.207.93.135 as described in the lab setup3. By looking at all the conversations, we notice that 67.207.93.135 and 192.168.99.53 exchanged more than 25,000 packets (28 MB). This makes them the conversation pair with more traffic.

Statistics > Conversation > IPv4
67.207.93.135 and 192.168.99.53 are the conversation pair with more traffic.
Right-click on conversation > Apply as Filter > Selected > A<->B
This updates the filter for the Wireshark instance so that we can zoom in onto the conversation between 67.207.93.135 and 192.168.99.53.

By updating the filter, we now only see the conversation between 67.207.93.135 and 192.168.99.53. Next, we follow the relative TCP stream and read the server response to the HTTP requests from the infected machine.

Right click on No. 1 > Follow > TCP Stream
This is the payload that the C2 server (67.207.93.135) sends to the infected machine (192.168.99.53).

By following the TCP stream, we see that the C2 server sends a PowerShell command to the infected machine. This is made clear by the use of IEX. This is the alias for Invoke-Expression, which is a PowerShell cmdlet4. In this instance, IEX runs a command that decompresses and reads a gzip stream. This is done using System.IO modules.

All in all, we analyzed a PCAP trace with Wireshark and found out with a few clicks that the Zeus malware delivers its payload by a PowerShell one-liner5.

I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!