Tracking and Mitigating Zyklon Phishing Using Threat Intelligence and Yara

The Zyklon HTTP Botnet malware is a tool that is readily accessible to threat actors in online criminal marketplaces and has been observed in use for various criminal activities. Among its features is the ability to log the keystrokes typed by a victim as well as to collect other private or sensitive information, and one of the most notable uses for Zyklon has been as a downloader and delivery tool for the Cerber encryption ransomware. Over a dozen unique campaigns to deliver this malware have been identified and reported by PhishMe Intelligence and it represents one of the most rapidly-growing constituents on the threat landscape. Each time the Zyklon malware is identified, it has followed a relatively-straightforward and mainstream method for infecting victims. With only one exception, Zyklon has been delivered using Microsoft Word documents with hostile macro scripting used to deliver the botnet malware payload.

The infection process used to deliver the Zyklon botnet malware via phishing email and its subsequent use to deliver the Cerber ransomware represent the culmination of two key phishing trends. First, for several years now, the use of Office documents with malware delivery macro scripting has been among the most popular methods for malware delivery. Attached to each email is a Microsoft Word document which, when opened, prompts the victim to enable the macro scripting. This scripting is designed to download and run its malware payload. Second, the use of the Cerber ransomware demonstrates that the threat actors are savvy to and aware of the success that ransomware has granted criminals generally, but also of how Cerber provides a reliable tool for generating financial gains.

Intelligence reporting about these methods and infrastructure used to support this malware can provide network defenders and information security professionals with an edge over the phishing threat actor. However, this represents only one part of a holistic and comprehensive phishing defense strategy. Another element is the enrichment of detection and incident response applications through additional formats of threat intelligence reporting.

Malware Filename         MD5 Hash
Glenda Resume.doc        f0005f05f2066dabcae87b2634f25da8
Thangappan Resume.doc    42d2b132a27288fc2cfed4262e5dd9e1
Chad Resume.doc          9d1b5f0c79c5cdd49ea28570e8846ce9
STEPHANIE-Resume.doc     e2608bf25a3d3bd908874f675e57a6ab
Robert-Resume.doc        17ea9e6e2d11f66d9f67c1a9fddddf4c
James-Resume.doc         15f5321422681947fb64c7f3346e1c6c
35628.exe                e02e58934958953ba1b57c7817247685
itunes.exe               cbcf457cf70e33153a61542180a7cfca

Figure 1 – Examples of Microsoft Word documents and executables used to infect victims with Zyklon

One of the most valuable tools for malware researchers is the functionality provided by Yara. Classically, Yara is used to create rules that contain characteristic patterns used to match against file content for the purpose of classifying malware samples. However, the extensibility of this tool and its applications are far-reaching. Yara rules are a key component in the classification of emails within the PhishMe Triage platform and can be used therein to identify and even automate elements of the appropriate response processes for reported emails. Many of the rules within the standard corpus of Yara rules in Triage are sourced from the analysis performed by PhishMe Intelligence. These rules describe the characteristics of phishing emails delivering malware content so they can be identified and mitigated within the Triage platform.

While anyone who receives a single copy of a phishing email can create a Yara rule to match that single message, carrying out the bulk collection of messages belonging to a single campaign can provide an avenue for writing Yara that describes all the phishing emails in that set. This provides a distinct advantage to Triage and Intelligence users when a threat actor reuses a distinctive phishing narrative or relies on a set template to craft their phishing emails. By creating Yara rules that capture all the possibilities for content of emails related to a set of phishing emails, it is possible to more rapidly identify and respond to a phishing threat.

As PhishMe has reported previously, phishers are not always the most original storytellers. Instead, they prefer to make it easy to mass produce a plausible narrative using just a handful of interchangeable parts. One scenario that demonstrates this principle is a recent trend in phishing emails delivering the Zyklon HTTP Botnet malware using a recurring “job applicant” narrative in an attempt to gain the attention and to appeal to hiring managers and human resources professionals.

Figure 2 – Fake job application emails used to deliver the Zyklon malware

One characteristic among these messages that became immediately clear to the Intelligence analysts at PhishMe was the use of content that replaces a limited number of elements in the message body with each new message. The exchange of these components in such a predictable manner allows for analysts to determine the elements that are changing and record these in the Yara rule. An example of this can be found in the following image:

[Image of the Yara rule: “Yara delivers”]

The Yara rule defines a number of characteristics of the emails used to deliver the Zyklon malware. First, it defines a list of subject lines from which the threat actor chooses one for each message. Next, the rule checks for the presence of a salutation and message lede–the initial hook meant to draw the reader into the narrative–matching a regular expression for when the threat actor claims to have visited the recipient’s website. The rule is then used to check for the presence of two elements within the message body–a notice that the victim is searching for either work or employment, part time or full time, in the recipient’s field or “job field”. A check for any among a long list of message closings is also present. Finally, to constrain this Yara rule’s matches to only those messages which deliver the type of malware attachment identified by Intelligence analysts, the rule checks for appropriate binary and string content within the content of the message attachment.

While the threat actors may believe they have crafted a foolproof message schema to evade detection by email security solutions, given a sufficient sample set it is possible to enumerate most or even all of the possible options for message content. This allows for information security professionals to create a means for detecting and engaging these emails and undermining the threat actor’s success.
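The enumeration described above can be sketched in code. The following is an added example, not PhishMe's rule or tooling: it takes a small set of constructed sample messages (the strings, the rule name and all function names are assumptions, not the campaign's real content), works out which words of each template line vary, and emits Yara rule text covering every observed option. It covers only the text template, not the attachment checks the article's rule also performs.

```python
import re

# Constructed samples imitating a templated "job applicant" lure. The strings
# are illustrative and are NOT taken from the Zyklon campaign.
SAMPLES = [
    "Subject: Job application\nHello,\nI visited your website and I am "
    "searching for part time work in your field.\nBest regards",
    "Subject: Resume attached\nHi,\nI visited your website and I am "
    "searching for full time employment in your job field.\nKind regards",
    "Subject: Job application\nHello,\nI visited your website and I am "
    "searching for full time work in your field.\nThank you",
]

def esc(text):
    """Escape regex metacharacters and '/', the Yara regex delimiter."""
    return re.sub(r"([\\.^$|()\[\]{}*+?/])", r"\\\1", text)

def slot_regex(variants):
    """Turn one template line into a regex: shared leading/trailing words
    stay literal, the varying part becomes an alternation of observed values."""
    rows = [v.split() for v in sorted(set(variants))]
    if len(rows) == 1:
        return esc(" ".join(rows[0]))
    shortest = min(len(r) for r in rows)
    pre = 0
    while pre < shortest - 1 and len({r[pre] for r in rows}) == 1:
        pre += 1
    suf = 0
    while suf < shortest - pre - 1 and len({r[-1 - suf] for r in rows}) == 1:
        suf += 1
    middles = [esc(" ".join(r[pre:len(r) - suf])) for r in rows]
    head = esc(" ".join(rows[0][:pre]))
    tail = esc(" ".join(rows[0][len(rows[0]) - suf:]))
    return " ".join(p for p in (head, "(" + "|".join(middles) + ")", tail) if p)

def build_rule(samples, name="Constructed_Job_Applicant_Template"):
    """Return (regexes, Yara rule text) with one regex string per line."""
    # Assumes every sample has the same number of non-empty lines.
    columns = zip(*(s.split("\n") for s in samples))
    regexes = [slot_regex(col) for col in columns]
    strings = "\n".join(f"        $l{i} = /{rx}/ nocase"
                        for i, rx in enumerate(regexes))
    rule = (f"rule {name}\n{{\n    strings:\n{strings}\n"
            "    condition:\n        all of them\n}\n")
    return regexes, rule

def matches(regexes, message):
    """Local stand-in for the Yara condition 'all of them'."""
    return all(re.search(rx, message, re.I) for rx in regexes)

if __name__ == "__main__":
    print(build_rule(SAMPLES)[1])
```

Because each line is matched independently, the generated rule also matches recombinations of subject, greeting and closing that never appeared together in the sample set, which is the advantage bulk collection gives over a rule written from a single message.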

However, threat actors with the ability to create such a robust email generation scheme are also able to modify their templates with ease. Shortly after the analysis of this first set of Zyklon phishing emails, yet another set arrived using a slightly different message template. This new template, while similar, introduced new elements not covered by the original PhishMe Intelligence Yara corpus. However, these new elements were also immediately captured and represented in a new Yara rule:

Figure 4 – Updated Yara used to comprehensively identify newer Zyklon phishing emails

Rather than introduce multiple new complexities into the phishing email template, the phisher instead elected to utilize just one, new subject line. Given the sample set of emails matching this updated phishing email content, Intelligence analysts were able to rapidly produce a new Yara rule for deployment to the PhishMe Triage Yara corpus. This rapid turnaround allows Triage operators to gain insight into the Zyklon phishing emails reaching users within their enterprise and respond with agility and timeliness.

Phishing threat actors continue to leverage narratives with interchangeable elements because it enables them to give their emails a fresh look while changing just a handful of elements. This technique has been used to deliver many different malware varieties and will continue to be used in the future. Two of the largest challenges for information security professionals and those tasked with defending enterprises are to prevent phishing emails from being successful and to foil malware threats before they take hold.

Addressing these risks requires a holistic and comprehensive phishing defense strategy that empowers and enables every stakeholder in the enterprise to meet attackers head-on at every stage of the attack lifecycle. Each time a user reports a phishing email, the threat actor fails to succeed. To help handle these reports, security staff can utilize specialized applications designed to facilitate the processing and classification of suspicious email. As with any security solution or appliance, these tools must be tuned and enriched through the ingestion of the most timely and actionable rules, signatures, and threat intelligence context. When this is accomplished, an organization and those tasked with its defense can be prepared, agile, and ready to deny threat actors any opportunities for intrusion.

PhishMe Simulator™ customers can assess their susceptibility to this threat with a new phishing template called “Job Application – Zyklon”.
