Silent Night: A New Malware-as-a-Service Banking Trojan Analyzed

Silent Night is a new sophisticated and heavily obfuscated Zloader/Zbot, ZeuS-derived banking trojan.

In March 2020, both FireEye and IBM reported a malicious campaign targeting COVID-19 financial compensation schemes. FireEye called the malware payload ‘SILENTNIGHT’; IBM described it as a ZeuS Sphinx/Terdot variant. Together they are right. Silent Night is a new ZeuS derivative, currently being offered under the malware-as-a-service (MaaS) model.

Malwarebytes (PDF) and HYAS have jointly published a detailed analysis of this new malware. Silent Night version 1.0 was compiled in November 2019. At around the same time, it was offered for sale on the Russian underground forum, forum.exploit[.]in, by a seller known as Axe. Axe claims it as his own banking trojan, and says he has spent more than 5 years developing it. But while it is certainly new, the Malwarebytes/HYAS analysis demonstrates its debt to both the original ZeuS and more recent derivatives such as Terdot.

The price is steep for MaaS: $4,000 per month for a unique build; $2,000 per month for the general build; and $500 just to test it for 14 days. In general, MaaS is used to attract the huge market of less experienced or wannabe hackers with a low-cost, easy-to-use supported malware — while simultaneously providing the developer with a steady income stream. Infostealers are common MaaS offerings.

Priced at $4,000 per month, Axe seems to be targeting a different market — perhaps the smaller number of better-financed organized gangs with a ready-made distribution and laundering infrastructure who still wish to use commodity, but sophisticated, malware. It has already been seen being dropped by the RIG exploit kit, and used in a COVID-19 spam campaign targeting the U.S., Canada and Australia with weaponized Word documents. A more recent campaign uses Excel sheets with embedded macros, while yet another uses an attached VBS script.

One stand-out feature of Silent Night is the extent of its obfuscation. It uses a custom specially developed obfuscator that morphs all code and encrypts strings and all constant values within the code. The output, say the researchers, is a very confusing code without any serious effect on performance. “Decryption of lines occurs on the fly on demand, which will be stored temporarily on the stack,” write the researchers. “Decryption of constant values also occurs on the fly, for each of which has its own unique function of decryption… Thus, with each assembly we get a unique file and any signature will be knocked down in one click.”

The researchers also found a Silent Night user manual, which gave them insight into the different features within the malware. Interestingly, the researchers found a list of available commands embedded in one of the modules. This list includes all the commands described in the user manual, but with a few extras, such as fetching files and getting passwords. The implication is that Axe is continuing to develop and extend the malware’s capabilities.

The attack starts with the Silent Night loader, most commonly delivered as an attachment. If the Silent Night MaaS model becomes more widely used by criminal gangs, we will most likely see additional methods of distribution. When executed, the loader runs msiexec and injects itself into it. It then retrieves the Silent Night bot from either the C2 server or local storage, and injects it into the same instance of msiexec.
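A defender-side illustration of the loader chain just described, added here as an example rather than taken from the article or from the Malwarebytes/HYAS report: it flags a Windows Installer process that was started by an Office application or script host, or that makes outbound connections despite having been launched with no package to install. The telemetry schema, field names, parent-process list and sample events are all constructed assumptions, not any vendor's format.

```python
"""Heuristic for an msiexec process that looks injected rather than installing.
Added example; the event format and parent list are assumptions, not the
article's data or any product's schema."""
from dataclasses import dataclass, field
from typing import Dict, List

# Per the article, the loader arrives via Word/Excel macros or an attached VBS.
# None of these would legitimately launch the Windows Installer, so an msiexec
# child of one of them is suspicious. Image names here are this example's guess.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcessEvent:
    pid: int
    image: str
    parent_image: str
    cmdline: str
    net_connections: List[str] = field(default_factory=list)


def score_event(ev: ProcessEvent) -> Dict[str, bool]:
    """Return which indicators fired for one event (empty if not msiexec)."""
    if ev.image.lower() != "msiexec.exe":
        return {}
    args = ev.cmdline.split()[1:]
    return {
        # Installer spawned by a document or script host.
        "office_or_script_parent": ev.parent_image.lower() in SUSPICIOUS_PARENTS,
        # No package arguments (/i, /x, /p ...) yet outbound traffic: consistent
        # with code injected into msiexec fetching the bot from its C2.
        "no_args_but_network": not args and bool(ev.net_connections),
    }


def flag_msiexec_injection(events: List[ProcessEvent]) -> List[int]:
    """PIDs of msiexec processes where at least one indicator fired."""
    return [ev.pid for ev in events if any(score_event(ev).values())]


# Constructed sample telemetry: a benign install and a loader-style chain.
SAMPLE = [
    ProcessEvent(1001, "msiexec.exe", "explorer.exe",
                 r"msiexec.exe /i C:\Users\u\Downloads\tool.msi /qn", []),
    ProcessEvent(2002, "msiexec.exe", "WINWORD.EXE",
                 "msiexec.exe", ["203.0.113.10:443"]),  # RFC 5737 test address
]

if __name__ == "__main__":
    print(flag_msiexec_injection(SAMPLE))  # [2002]
```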

Major functionality in the bot includes a VNC server, a man-in-the-browser local proxy, and stealer functionality. The VNC server gives the attacker remote access and runs in the background while the malware is operational.

The man-in-the-browser functionality provides both formgrabbing and webinjects. The malware installs its own fake certificate and runs a local proxy.

The bot can also operate as a classic stealer. One of the threads started from the main function is responsible for stealing cookies, saved credentials and files. However, the commands grouped in this thread can also be executed separately, on demand, through dedicated remote commands.

Silent Night is well written, with a modular design that improves on previous ZeuS derivatives (such as Terdot), but it is evolutionary rather than revolutionary. “Apart from the custom obfuscator,” say the researchers, “there is not much novelty in this product. The Silent Night is not any game changer, but just yet another banking Trojan based on ZeuS.” Having said that, it is worth remembering that the obfuscator effectively creates new code every time it is used. This may be ‘yet another banking Trojan’, but it is not one that will be easily detected by signature detection alone.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.