Zeus Evolution. Is RBN really linked to the Facebook Zeus variant?

Pierluigi Paganini June 12, 2013

Is RBN (Russian Business Network) really linked to the Facebook Zeus variant? Exclusive interview with the researcher “WhiteHat”, who investigated the malware.

RBN or ordinary crime? Zeus is appearing in new forms and using new infection channels, but according to some security analysts a new variant could have the support of members of the dangerous criminal organization RBN.

As described in a previous post, the principal security firms detected a new variant of the Facebook Zeus malware that exploits the popular social network to target users’ bank accounts. The Facebook Zeus variant, known as ZeuS/ZBOT, demonstrates the longevity of malicious code and the ability of cybercrime to customize it to its needs.

The Facebook Zeus malware is designed to steal money from users’ bank accounts, and it uses phishing messages as its propagation method. A compromised account is used to automatically send its contacts messages containing links to ads, usually for a video or a product.

Eric Feinberg, founder of the advocacy group Fans Against Kounterfeit Enterprise (FAKE), declared that he had tried to warn Facebook about the spread of the threat. I contacted Mr Feinberg requesting more information on the event, and he told me:

“The best way to describe how we uncovered the Zeus malware is as follows. I observed that the Russian Business Network was creating fake Facebook profiles that were posting .tk links to websites selling counterfeit merchandise. The .tk links caught my attention; when I did a URL query of these .tk links, the URL query report listed them as likely hostile and from the Russian Business Network. I turned the links over to a colleague who identified the Zeus botnet.”

[Images: RBN wholesale-dress screenshots 1–3]

The Zeus rebirth also hides a mysterious detail. According to a talented researcher, whom I’ll call “WhiteHat”, who conducted a first investigation of the malicious agent, it could be linked to the Russian Business Network, a notorious Russian criminal gang that appears to be no longer active.

The suspicion is shared by part of the security community, which is convinced that members of the organization are still actively operating within governments, probably involved in cyber espionage campaigns such as Red October.

I was curious to learn more about the link between the criminal organization RBN and the malware, so I contacted “WhiteHat” directly. My interview with the researcher follows.

Q: How did you find the Zeus Zbot?

A: Really, it was mostly OSINT that led us to it. We found URLs with multiple proxies stemming from .tk but going through places like the Netherlands and China. I referred it to a whitehat team and they used proprietary software to find the payload being spread.

Q: How did you find it led back to RBN?

A: Again, this was mostly done with a mix of HUMINT, OSINT and proprietary software. It wasn’t done by me personally, but by a team of whitehats I work with. The following image shows multiple proxies along with an identified source of the Russian Business Network, as well as the strong threat and possibility of containing a malicious bot. Analysis shows that this bot is indeed the Zeus/Zbot CnC.

[Image: RBN urlquery report]

Q: What do you think of Trend Micro’s report that it peaked last month and is declining?

A: I think it’s too soon to tell. After Eric Feinberg and Malloy Labs, along with the white hats, found the payload and source, the attacks have been increasing in both the complexity of the proxies used and the number of links showing up. I honestly think it’s too soon to tell if the peak was last month or if it will be this month, or if the growth is the sign of an exponential trend in the increase of attacks. We’re starting to see a change in the OSINT, such as IE cache manipulation to hide what might flag the IP as a malware infector. Malloy Labs is working very closely with the US military and FBI to develop a system of defense to be used in cases like this. Eric and Ian are very committed to providing Facebook with a vaccine as opposed to an after-the-fact medication.

Q: Has there been any blowback? Hacks against you or your website?

A: Malloy Labs runs a site ‘off the grid’ and there have been no kinetic attempts at retribution for our attribution. As I’ve said, I’ve done OSINT while others carry out the HUMINT and attribution using their own software. A group of White-Hat hackers has done a tremendous job in this case using proprietary software they’ve built over the years fighting malware.

Q: What would you say to Facebook right now?

A: Eric and Malloy Labs are here to help you solve a serious issue with your systems and gladly offer their services. I firmly believe everyone can come to a mutually beneficial arrangement and fix this issue.

Q: What would you say to RBN?

A: I cannot condone what you are doing, but it need not spill over into the kinetic environment. Cease taking advantage of the less tech-savvy on Facebook and turn your efforts elsewhere if disbanding is not an option. I know crime seems easy to commit with large payoffs, but it is theft, plain and simple, and I know of no one with a noble heart who condones theft.

Q: Do you work for Ian or Eric directly?

A: No, I’m ex-spec ops. I’m more widely known as @th3j35ter but I run several sock puppets and work alone. In this case I found a common enemy between myself, Malloy Labs, Eric, RBN and Facebook.
Who is using the RBN infrastructure? Is RBN still active, and what is its primary activity today? Where are they based?
Meanwhile, the security community is finding worldwide evidence of Zeus activity, and new variants are being detected by the principal security firms. Usually Zeus is spread via exploit kits, phishing schemes, and social media, but Trend Micro security experts have recently spotted a variant that propagates through removable drives. The malicious code is delivered via a malicious PDF file disguised as a sales invoice; if the victim tries to open it, a notice informs the user that the file cannot be opened because “use of extended features is no longer available.” In the background, the malware has already been silently dropped onto the system, infecting it.
At this point the malware contacts its C&C server to update itself and checks whether removable drives are connected to the computer; if any are, it drops a copy of itself into a hidden folder on the drive and then creates a shortcut to it.
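As an added defender-side example (not from the article or from Trend Micro’s analysis), the following Python heuristic flags the propagation pattern described above on a mounted removable drive: a hidden folder holding an executable next to a shortcut at the drive root. The drive layout, file names and the dot-prefixed stand-in for the hidden attribute are constructed assumptions.

```python
import stat
import tempfile
from pathlib import Path

# Extensions treated as executable payload candidates (assumption: common Windows set).
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def is_hidden(path: Path) -> bool:
    """True if the entry carries the Windows hidden attribute, or (off Windows) a dot prefix."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return path.name.startswith(".")


def scan_removable_root(root: Path) -> list[dict]:
    """Flag root-level .lnk shortcuts that coexist with executables inside hidden folders.

    Heuristic only: it does not parse the .lnk target; it reports the pattern the
    text describes (hidden folder + dropped executable + shortcut at the drive root).
    """
    root = Path(root)
    shortcuts = [p for p in root.iterdir() if p.is_file() and p.suffix.lower() == ".lnk"]
    hidden_execs = [
        f.relative_to(root).as_posix()
        for d in root.iterdir() if d.is_dir() and is_hidden(d)
        for f in d.rglob("*") if f.is_file() and f.suffix.lower() in EXEC_SUFFIXES
    ]
    if not (shortcuts and hidden_execs):
        return []
    return [{"shortcut": lnk.name, "hidden_payloads": sorted(hidden_execs)} for lnk in shortcuts]


def build_constructed_drive(infected: bool = True) -> Path:
    """Constructed sample drive layout for testing; stub bytes only, not real malware."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "report.pdf").write_bytes(b"%PDF-1.4 constructed benign stub")
    if infected:
        hidden = root / ".sys_cache"  # hidden folder; dot prefix stands in for the attribute
        hidden.mkdir()
        (hidden / "invoice_viewer.exe").write_bytes(b"MZ constructed stub")
        (root / "Documents.lnk").write_bytes(b"L\x00\x00\x00 constructed stub")
    return root


if __name__ == "__main__":
    for finding in scan_removable_root(build_constructed_drive()):
        print(f"suspicious shortcut {finding['shortcut']} next to {finding['hidden_payloads']}")
```

On a real Windows host the `st_file_attributes` check catches folders hidden via the attribute rather than a dot prefix; the clean layout (`infected=False`) yields no findings.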
[Image: New ZeuS malware via USB flash drives]
Zeus is confirmed as one of cybercrime’s favorite pieces of malicious code: many communities offer variants of it, even as a service, and it is likely that behind them are also concealed members of organizations well known to law enforcement that are considered dormant or engaged in other activities.
Pierluigi Paganini
(Security Affairs – Zeus, Cybercrime, RBN)
