Zeus Panda’s Modular Functions Provide Insight into Botnet Malware Capabilities

One core element of the information security mission is the successful assessment of the risk posed to an organization by a malware sample or malware variety delivered by a phishing email. In 2017, phishers have embraced the use of adaptable and flexible malware to gain initial footholds in a network before monetizing the infected host. The intersection of these two missions creates a scenario in which open-ended, adaptable botnet malware challenges information security professionals to prepare for a wide array of malware capabilities, in some cases without much insight into the real risks posed by a malware tool.

However, in some cases a malware tool can reveal most, if not all, of its capabilities in a way that helps an organization identify malware risks. The Zeus Panda botnet malware is one of the more popular malware tools this year, and its use has been documented in numerous phishing attacks. It wholly embodies the principles of a multipurpose botnet tool by providing threat actors with a number of avenues for monetizing infected hosts. The tenacity and creativity with which threat actors have delivered this malware make it a prominent constituent of the threat landscape, even though only a limited part of its capabilities is usually observed in the wild. Yet, understanding those capabilities is crucial if network defenders are to gauge the impact this malware can have within a protected environment.

Through analysis of behavior exhibited by Zeus Panda samples, PhishMe researchers were able to assemble a comprehensive assessment of this botnet tool’s capabilities. Those capabilities are revealed by a list of module commands that either execute a task or update a module to support enhanced capabilities. The list below shows some of the operations available for these modules.

Zeus Panda module tasks
mod_execute grab2 user_cookies_get
mod_execute grab2 user_passes_get
mod_execute info get_info
mod_update grab2
mod_update http
mod_update info
mod_update klog
mod_update pony
mod_update socks
mod_update vnc_p
mod_update vnc_p2
mod_update vnc_p3
user_execute url

Figure 1 – Zeus Panda modules provide a great deal of information about its capabilities

These module execution and update references can be interpreted as a guide to the capabilities of the Zeus Panda malware. For example, “grab2 user_cookies_get” and “grab2 user_passes_get” both imply that information stored in a browser cookie cache or password safe may be available to the “grab2” module. This could provide an avenue for threat actors to steal browser-session data or passwords for reuse. Similarly, the “info” module may provide reconnaissance about infected environments via the collection of information about the infected host. This information can in turn be leveraged in conjunction with the “user_execute” command to customize an attack through the deployment of a more specialized malware tool.

Other available modules (“klog”, “pony”, and “socks”) imply that keylogger, Pony information stealer, and SOCKS proxy capabilities are available to the threat actor. Respectively, each of these would greatly enhance the threat actor’s insight into victim activity, access to stored passwords and credential data, and the ability to abuse the infected machine as a network proxy or traffic relay. Additionally, a series of VNC modules would give the threat actor an option for full remote control of infected hosts.

Each element of this brief list of module execution and update operations can be used to provide network defenders and information security professionals with an assessment of the risks posed by Zeus Panda. Furthermore, if a sample of this malware is present within a protected environment, comparing network communications and endpoint artifacts with this list of capabilities can help in the response process as well.
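As an added example (not PhishMe’s code and not part of the original analysis), the following Python parses task lines of the form shown in Figure 1 and maps each observed task to the capability the text attributes to that module, which is the kind of comparison a responder would run against task strings recovered from a sample’s traffic or artifacts. The task grammar (operation plus argument count) and the capability labels are assumptions drawn from the list and discussion above; modules the text does not characterise, such as “http”, are reported as uncharacterised rather than guessed.

```python
import re
from collections import defaultdict

# Capability the article attributes to each module (Figure 1 and its discussion).
# Labels are this example's own wording; uncharacterised modules are not guessed.
MODULE_CAPABILITIES = {
    "grab2": "theft of browser cookies and stored passwords",
    "info": "reconnaissance of the infected host",
    "klog": "keylogging",
    "pony": "Pony information stealer",
    "socks": "SOCKS proxy / traffic relay",
}
VNC_MODULE = re.compile(r"^vnc_p\d*$")  # vnc_p, vnc_p2, vnc_p3, ...

# Assumed task grammar: operation -> number of arguments it carries.
TASK_GRAMMAR = {"mod_execute": 2, "mod_update": 1, "user_execute": 1}


def parse_task(line):
    """Split one task line into (operation, module, function); ValueError if malformed."""
    parts = line.split()
    if not parts or parts[0] not in TASK_GRAMMAR:
        raise ValueError("unknown operation: %r" % line)
    op, args = parts[0], parts[1:]
    if len(args) != TASK_GRAMMAR[op]:
        raise ValueError("wrong argument count for %s: %r" % (op, line))
    return op, args[0], (args[1] if len(args) > 1 else None)


def assess_capabilities(task_lines):
    """Return {capability description: sorted task lines implying it} for observed tasks."""
    findings = defaultdict(set)
    for raw in task_lines:
        line = raw.strip()
        if not line:
            continue  # skip blank lines in a captured task list
        op, module, _function = parse_task(line)
        if op == "user_execute":
            findings["download and execute an additional payload"].add(line)
        elif VNC_MODULE.match(module):
            findings["full remote control via VNC"].add(line)
        elif module in MODULE_CAPABILITIES:
            findings[MODULE_CAPABILITIES[module]].add(line)
        else:
            findings["uncharacterised module: " + module].add(line)
    return {cap: sorted(lines) for cap, lines in findings.items()}
```

Feeding it the full list from Figure 1 yields one entry per capability discussed above, with “http” flagged as uncharacterised so that it is not silently dropped from the assessment.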

As malware creators and phishing threat actors further commoditize malware tools to maximize their opportunities and options regarding infected hosts, collecting intelligence on the capabilities available to those threat actors becomes increasingly important. A comprehensive defense strategy must include response plans and anticipatory defenses that limit the malware’s impact as well as prevent its successful deployment. The first step is empowering email users to recognize phishing techniques and report suspicious emails. Beyond this crucial first step, responders must be empowered to understand the risks posed by the malware these emails deliver in order to better defend the enterprise.
