ZipB — The All You Can Infect Buffet

Guardio
8 min read · Oct 3, 2022

By Nati Tal (Guardio Labs), Itay Schechter (Guardio Security)

In late May 2022, a mysterious, inconspicuous and steady malware campaign started infecting thousands of computers a day all around the world, focusing heavily on Romania, the Middle East and South Asian countries while avoiding the USA and Canada as much as possible.

Unlike other campaigns, this threat actor distributes any malicious payload it can get its hands on, including variants of known tools like Zusi, Tiggre and Wacatac used as banking trojans, stealers and generic malware loaders. Versatility in payloads, password-protected ZIP files, spear-phishing victims with deceptive download pages and hundreds of “disposable” domains are only part of the techniques used here to deceive and evade detection while the malvertising continues undisturbed.

ZipB — Quick Facts:

  • Expected Damage: Banking, Social and Cloud Account Theft
  • Daily Downloaded Malware Files: ~5000
  • Infected devices per day: ~250–500
  • Total Infected Devices (October 2022): ~50,000
  • Malicious Payload: Variable variants of Zusi, Tiggre, Wacatac, etc.
  • Payload Container: EXE or ZIP (with password “1234”)
  • Malicious Domains in use: 500+ (changes every couple of hours)!
  • First sighting: May 2022
  • Geographical Distribution: World-Wide — Heavily Focused on Romania, Middle-East, and South Asia.
  • Top Target Segments: Gaming, Streaming, Software Cracks, Adult
  • Propagation Methods: Malvertising

Deceptive Download Pages to Gain Confidence

To propagate and push this kind of malware, one of the most popular techniques today is malvertising: publishing deceptive ads through one or many of the legitimate ad networks active today. In this case, the ads are download landing pages that mimic the real download pages and content the visitor intended to get in the first place. As such, these bad ads are pushed to victims from numerous streaming, gaming, cracked-software and adult sites, shifting filenames and visuals to make them even more convincing.

Some examples of ZipB malvertising landing pages visuals:

A new tab is created with a download button, and once clicked gives you the zip archive password.

Note how in other cases the visuals mimic the exact look and feel of legit file sharing sites like transfernow.net as can be seen in the following example:

Fake transfernow download page used to deploy ZipB payloads

The above pages pop up on screen as new tabs after visitors unintentionally click anywhere on the website. The page then dynamically generates a malicious payload, naming it after keywords or even the specific filename the visitor was looking for on the publisher's website, and packs it as a ZIP file or directly as an EXE file.

Disposable Domains and Real-Time Generated Links

While examining those malicious ads, we witnessed another evasion technique used here: the link to the bad file is created dynamically to avoid crawlers and security fingerprinting. A little piece of JavaScript code requests an up-to-date file download link that is valid for several minutes and points at one of many disposable domains owned by this actor, which change every couple of hours!
See it here in this code snippet from the original landing page:

The XHR returns the following JSON formatted result with the URL for the malicious payload that was just generated:

{"success":true,"url":"https://q-her.xyz/100/download_torrent.zip"}

The script then dynamically creates an <a> link tag, simulates a click on it to start the download itself and, lastly, removes the entire new link tag from the page, leaving no trace of the download link.

The download link generation is also well-managed, using more than 500 domains so far and counting! Those domains are changed every several hours, continuing to spread malicious payloads without giving traditional security mechanisms a chance to block them. Following are some examples of malicious domains used here:

load-a.com
load-a.xyz
load-after.xyz
load-and.com
load-and.xyz
load-any.xyz
load-back.xyz
load-be.com
load-be.xyz
load-call.xyz
load-child.xyz
load-come.xyz
load-down.xyz
sendclub.xyz
sendinfo.xyz
sendise.xyz
sendish.xyz
sendland.xyz
sendless.xyz
sendlyze.xyz
sendmarket.xyz
sendous.xyz
sendplus.xyz
sendshop.xyz
sendyze.xyz
to-cow.xyz
to-dramatic.xyz
to-emotion.xyz
to-energy.xyz
to-etc.xyz
to-myth.xyz
to-nerve.xyz
to-period.xyz

Obviously, there is a dictionary-based bot registering those domains on a daily basis. And yep, this works too well!
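The following Python script is an added example, not code from the original post or from Guardio. It turns the indicators described above into a triage check: the landing-page domains from the IOC section, the naming pattern of the disposable download domains, the shape of the generated download link (numeric path segment plus a .zip or .exe name, as in https://q-her.xyz/100/download_torrent.zip) and the JSON the landing page's XHR returns. The proxy-log format and the sample lines are constructed for the example.

```python
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Landing-page domains taken from the IOC section of this write-up.
LANDING_PAGE_IOCS = {
    "a-softs.com", "big-softs.com", "download-stock.com", "file-downloader.org",
    "oberonfilemanager.com", "soft-exchange.net", "win-softs.com", "xxl-soft.com",
}

# Naming pattern of the disposable download domains listed above: a fixed stem
# ("load-", "send" or "to-") plus a short dictionary word, on .xyz. The campaign also
# used a few .com names with the same stems, but on .com the pattern collides with
# legitimate domains (sendgrid.com, for one), so .com is left to the exact-match list.
DISPOSABLE_RE = re.compile(r"^(?:load-|send|to-)[a-z]{2,10}\.xyz$")

# Shape of the generated download links: a numeric first path segment followed
# by a single .zip or .exe file name.
PAYLOAD_PATH_RE = re.compile(r"^/\d+/[^/]+\.(?:zip|exe)$", re.IGNORECASE)


def classify_url(url: str) -> List[str]:
    """Reasons a URL looks like ZipB infrastructure; an empty list means no match."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if host in LANDING_PAGE_IOCS:
        reasons.append("known-landing-page")
    if DISPOSABLE_RE.match(host):
        reasons.append("disposable-domain-pattern")
    if PAYLOAD_PATH_RE.match(parsed.path):
        reasons.append("generated-payload-path")
    return reasons


def url_from_link_response(body: str) -> Optional[str]:
    """Pull the payload URL out of the JSON the landing page's XHR returns."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if isinstance(data, dict) and data.get("success") is True and isinstance(data.get("url"), str):
        return data["url"]
    return None


# Constructed proxy-log lines, "<timestamp> <client> <url> <status>"; not real telemetry.
SAMPLE_PROXY_LOG = [
    "2022-09-30T10:01:02Z 10.0.0.7 https://www.example.com/index.html 200",
    "2022-09-30T10:01:05Z 10.0.0.7 https://win-softs.com/dl?q=flight+simulator 200",
    "2022-09-30T10:01:09Z 10.0.0.7 https://q-her.xyz/100/download_torrent.zip 200",
    "2022-09-30T10:01:12Z 10.0.0.7 https://load-back.xyz/4182/minecraft_v1_19_1_zip.exe 200",
    "2022-09-30T10:02:00Z 10.0.0.9 https://updates.example.org/patch.zip 200",
]


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (url, reasons) for every log line whose URL matches at least one indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip rather than crash on bad telemetry
        reasons = classify_url(fields[2])
        if reasons:
            hits.append((fields[2], reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{url}  <- {', '.join(reasons)}")
```

The domain regex is deliberately limited to .xyz; the same stems on .com collide with legitimate names, so .com indicators belong in the exact-match set. Treat a hit as a pivot point (which user, which referrer, what was downloaded next), not as a standalone block rule.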

Overcoming the Traditional Detection Methods

At the end of the day, this well-oiled operation gives this threat actor an advantage. Here is a real-life example of how two malicious downloads are handled by traditional security measures: one is blocked by Chrome, while the next, downloaded from the SAME landing page and the same malicious domain, is accepted as safe:

Chrome’s downloads manager detects only one of the malware variants

With all the above, we see here a global campaign targeting nearly all countries, with some focus on Eastern Europe and South Asia (familiar from earlier Zusi/Tinba and other banking trojan campaigns in the past):

ZipB world-wide activity heat-map and focused areas

Of course, changing domains is not enough to get to this successful distribution. There are some more key features in this campaign leveraging versatility in other areas as well.

Encrypted ZIPs and Carefully Generated Filenames

ZipB’s first big differentiation is the use of encrypted ZIP files with the dubious password “1234”. You might ask: if the password is known (and even presented in a large red font), why bother?

Well, first of all, password-protected ZIP files can’t be auto-scanned by traditional anti-virus solutions. They simply can’t open those files without knowing the password (as simple as it is).

Secondly, encryption creates high entropy in the file content, and varying the encryption as well as the ZIP compression settings gives the attacker a simple way to create an almost endless number of totally different container files that hold exactly the same malware. This is why we see so many file sizes: almost every download of ZipB is a totally different file!

In the graph below we can see some peaks in EXE file sizes (indicating there are around 3–4 major variants) while the ZIP file sizes are all over the place. Small sizes, very powerful malware inside, yet so variable that a file hash is of little use as an indicator!

File size variations (EXE and ZIP Files)
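To make the point about container hashes concrete, here is an added triage script in Python; it is not the authors' code and not part of the original post. It reads the encryption bit from the ZIP headers, measures the container's entropy, tries the trivial password the campaign used, and hashes the inner file instead of the container, so two differently packed copies of the same payload are recognised as one. The sample containers are constructed with Python's own zipfile module around a harmless placeholder, which exercises the unencrypted path; the password path only runs on real downloads, and the standard library can open ZipCrypto archives but not AES-encrypted ones.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter
from typing import Dict, List, Optional

# Trivial passwords worth trying before giving up on an encrypted container;
# the ZipB archives used "1234" and printed it on the download page.
CANDIDATE_PASSWORDS: List[bytes] = [b"1234"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_container(blob: bytes) -> Dict[str, object]:
    """Hash the container, flag encryption and hash each member, so the payload can be
    matched across differently packed copies. AES entries are reported, not extracted."""
    report: Dict[str, object] = {
        "container_sha256": hashlib.sha256(blob).hexdigest(),
        "container_entropy": round(shannon_entropy(blob), 3),
        "encrypted": False,
        "password_used": None,
        "members": {},
    }
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        # Bit 0 of the general-purpose flag word marks an encrypted entry.
        report["encrypted"] = any(i.flag_bits & 0x1 for i in infos)
        attempts: List[Optional[bytes]] = CANDIDATE_PASSWORDS if report["encrypted"] else [None]
        for pwd in attempts:
            try:
                members = {}
                for info in infos:
                    with zf.open(info, pwd=pwd) as fh:
                        members[info.filename] = hashlib.sha256(fh.read()).hexdigest()
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                # RuntimeError: wrong password; NotImplementedError: AES or other
                # unsupported method; BadZipFile: CRC mismatch after a lucky header check.
                continue
            report["members"] = members
            report["password_used"] = pwd.decode() if pwd else None
            break
    return report


def build_sample_container(payload: bytes, name: str, compression: int) -> bytes:
    """Pack one member into an in-memory ZIP (test fixture built with zipfile)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=compression) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed stand-in payload; a real ZipB member would be a PE executable.
SAMPLE_PAYLOAD = b"constructed benign placeholder bytes, not malware\n" * 40
SAMPLE_PAYLOAD_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()
SAMPLE_STORED = build_sample_container(SAMPLE_PAYLOAD, "download_torrent.exe", zipfile.ZIP_STORED)
SAMPLE_DEFLATED = build_sample_container(SAMPLE_PAYLOAD, "download_torrent.exe", zipfile.ZIP_DEFLATED)


def share_a_member(blob_a: bytes, blob_b: bytes) -> bool:
    """True if two containers carry at least one identical inner file, whatever the packing."""
    hashes_a = set(triage_container(blob_a)["members"].values())
    hashes_b = set(triage_container(blob_b)["members"].values())
    return bool(hashes_a & hashes_b)


if __name__ == "__main__":
    for label, blob in (("stored", SAMPLE_STORED), ("deflated", SAMPLE_DEFLATED)):
        print(label, triage_container(blob))
    print("same payload:", share_a_member(SAMPLE_STORED, SAMPLE_DEFLATED))
```

Two containers built from the same payload with different packing settings get different container hashes while the member hash stays the same, which is why detection should key on the inner file (or on behaviour) rather than on the archive's hash.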

Along the campaign, ZipB’s actors tried for a few days to deliver EXE files directly (like in the good old days), reverting to ZIP files after a few trial days. Currently (as of October 2022) they are back in the EXE game, delivering different payloads of different trojan variants. In the graph below we can see how the activity gains momentum after a slow start, keeps the pace and alternates between EXE and ZIP files with a different malware infrastructure each time:

Estimated ZIP/EXE payloads per day along the time span of the campaign

One last thing this campaign leverages is deceptive filename generation. With tons of identifiers and tracking data harvested by the ad network, the ZipB landing page is also fed details on the original intent of the current victim. The new tab with the fake download page comes just in time with the file, movie, game patch or cracked software that victims were looking to download. Note that in many cases victims clicked on the real download link, yet that click was hijacked by the advertisement script to open the ad tab and present the false download page: very misleading, and very easy bait to take.

No wonder we see so many different filenames suggesting who is being targeted here. Some of the most common examples:

Gaming:
robloxscripts.exe
roblox_blox_fruits_script.exe
minecraft_v1_19_1_zip_______________________.exe
microsoft_flight_simulator_2020_free_download.exe
jurassic_world_evolution_2_download_pc___crack.zip
pokemon_sword_(nsp)(expansion_pass)_rar.zip

Movie Streaming:
thor__god_of_thunder_(2022).zip
bullet_train_2022_1080p_webrip_x264-rarbg_mp4.exe

Academy/Tech:
chemistry_of_petrochemical_processes.zip
designing_audio_power_amplifiers.zip
assembly-csharp_rar.zip
italian_renaissance_art__understanding_its_meaning.exe

Computers/Hacking:
instagram_bot_pro_v5_1_1_full_activated_-_www_d___.exe
windows_10_lite_1511_by_@_xerifetech_zip.zip
krnl_executor_-_how_to_download_latest_krnl_exe___.exe
setup_full_crack.zip
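As an added example (not from the original post or from Guardio), the following Python function scores the filenames listed above with a few heuristics the list itself suggests: an archive or media format token sitting just before the real extension (the "_zip.exe" and "_rar.zip" shapes), runs of underscores left by padding a truncated search string, crack and script lure words, and scene-style release names delivered as an executable. The rules, their thresholds and the expected results are assumptions made for the example.

```python
import re
from typing import Dict, List

# A format token just before the real extension, e.g. "_zip.exe" or "_rar.zip",
# optionally followed by padding underscores ("_exe___.exe").
EMBEDDED_FORMAT_RE = re.compile(r"[_\-.()](zip|rar|exe|mp4|7z|iso)_*\.(?:zip|exe)$", re.IGNORECASE)

# Three or more underscores in a row: a truncated search string padded out to length.
PADDING_RE = re.compile(r"_{3,}")

# Words that sell cracks, cheats and "full" versions.
LURE_WORDS = ("crack", "keygen", "free_download", "full", "activated", "script", "executor")

# Scene-style release naming: a year in parentheses, or video-rip tags between separators.
MEDIA_RE = re.compile(
    r"\((?:19|20)\d{2}\)|(?:^|[_\-.(])(?:1080p|720p|webrip|hdrip|x264)(?=[_\-.)]|$)",
    re.IGNORECASE,
)


def filename_signals(name: str) -> List[str]:
    """Return the heuristic signals a download filename triggers (empty list if none)."""
    signals = []
    if EMBEDDED_FORMAT_RE.search(name):
        signals.append("embedded-format-token")
    if PADDING_RE.search(name):
        signals.append("underscore-padding")
    lowered = name.lower()
    if any(word in lowered for word in LURE_WORDS):
        signals.append("lure-keyword")
    if MEDIA_RE.search(name):
        signals.append("media-release-name")
    return signals


def score_filenames(names: List[str]) -> Dict[str, List[str]]:
    """Map each filename to its signals, e.g. over a day's worth of download records."""
    return {name: filename_signals(name) for name in names}


# The filenames quoted in the write-up above.
SAMPLE_FILENAMES = [
    "robloxscripts.exe",
    "roblox_blox_fruits_script.exe",
    "minecraft_v1_19_1_zip_______________________.exe",
    "microsoft_flight_simulator_2020_free_download.exe",
    "jurassic_world_evolution_2_download_pc___crack.zip",
    "pokemon_sword_(nsp)(expansion_pass)_rar.zip",
    "thor__god_of_thunder_(2022).zip",
    "bullet_train_2022_1080p_webrip_x264-rarbg_mp4.exe",
    "chemistry_of_petrochemical_processes.zip",
    "designing_audio_power_amplifiers.zip",
    "assembly-csharp_rar.zip",
    "italian_renaissance_art__understanding_its_meaning.exe",
    "instagram_bot_pro_v5_1_1_full_activated_-_www_d___.exe",
    "windows_10_lite_1511_by_@_xerifetech_zip.zip",
    "krnl_executor_-_how_to_download_latest_krnl_exe___.exe",
    "setup_full_crack.zip",
]


if __name__ == "__main__":
    for name, signals in score_filenames(SAMPLE_FILENAMES).items():
        print(f"{name}: {', '.join(signals) or '-'}")
```

Three of the listed names (the academic titles) trigger nothing, which is the point: filename heuristics are a weak signal on their own and belong next to the download-source checks (the landing-page and disposable-domain indicators), not in place of them.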

Summary

Yet another well-managed campaign, hundreds of domain names, 100k+ malicious ads a day, with some interesting twists giving these threat actors the advantage:

  • Versatile Malware Infrastructures — Using different variants of trojans allows for avoiding detection as well as redundancy.
  • Encrypted ZIP container — Generating a different container file with high entropy to avoid detection by traditional AVs, hash calculation, and binary fingerprints.
  • Low rate and Steady — keeping the operation just enough under the radar, playing the long-term game.
  • High Rate of Disposable Domains — A new .xyz (and sometimes even .com) domain every few hours to avoid being blocked.
  • Auto-Generated One-Time Files — A mechanism to generate payloads in real time and create short-term links to avoid crawlers and detection by automated as well as manual security analysis.

With the above, as well as other mechanisms of deception we’ve seen here, no wonder this campaign earns high and steady success rates. We can observe this in this graph showing us the conversion rate from being presented with this fake deceptive download page to actually clicking and downloading the malicious files:

Conversion rate from landing page view to actual click to download the malicious payload

With an average of around 20% conversion to download, and even with 5% actually installing the malicious payload — we can estimate at least 50,000 infected devices so far!

Monetizing these devices can be very fruitful for those threat actors. This is a very powerful piece of malware (all different variants used here), allowing full control of those infected devices and continuous credentials and financial data harvesting as well as deployment of more tools and capabilities to push it even further.

Be careful when you travel around the realms of the internet, and double-check those new tabs that are mysteriously appearing with exactly what you were looking for…

IOCs

Malvertising Landing Pages:
a-softs[.]com
big-softs[.]com
download-stock[.]com
ee-softs[.]com
el-softs[.]com
file-downloader[.]org
filedownload-stock[.]com
fileload-stock[.]com
for-soft[.]com
have-soft[.]com
ji-soft[.]com
oberonfilemanager[.]com
oberonfiles[.]com
of-soft[.]com
over-softs[.]com
soft-exchange[.]net
soft-make[.]com
soft-take[.]com
soft-you[.]com
softs-labs[.]com
soon-soft[.]com
that-soft[.]com
the-softs[.]com
win-softs[.]com
window-soft[.]com
xxl-soft[.]com
Malware Hosting Domains:
Click here for a gist of the full list as of 02/10/2022
Malware File Hashes (Most Common):
a731023a8c940ad786b588f60936ad43665831459a18967873a342fc21e1687b
66d94d665befdc11b7595cb8d324e646995f89416a2679c2fdd4ccb31ea2bbf6
d3e43d9ddddf36aac447b040a8cd27d39a269375972f3e68bd005933f3300ff2
c9cd77c94969edb2fffe556fcd0b3dabaafda18c374ff8b6131b6ae444136603
2a13ad98cb2aa4ec85c965ef4b3d128cbc44ca11f08e2a6859881451a2cb48d0
dfc6e953df0b80363378919cf494ec1a0e80799c66ddc2621504d350b6c19783
6941622c7719877eb79b6d0d819764cf201250d846eed984f3fc1f3cfb9f4c49
1a9fcbb136dcb6ae41bb49cba400931ad2595afdae271372d4c18abc95c0890f
7bfce356cc75bf150f8d24008f93f0be0271bb76f6c5eb0b36f6453caa9754e6
75d4eb87d40b2ad957fd2880b34cfb6269a6e2459bfab719935effaa3d3e8be2
e0c446bc0fdd8033aad7dc34f8cc322287fddb1704283429cfee25d13a88fe40
7fc3d2209fd518b535e131be39f81cbacaa06c34b86ac351a33d5f13ff0c98f5
51b605232af81196ecaf9e7d1639bd15a5ba6a852d2872b751eca96dcb978fec
c2af14ad30ca58dc48f9d23f084ba2ed214c36968a573b1219c1867090e32262
51c211e506f6e27d33a8c8da2dda895075f2d6e5ed742c3d8e9df366db7438bc
9c81e983fdc8923ad7129fea00a3e1c8641562a437328b84b1c420048ecd1bc8
e156e36c6785bc5d37d9155685be06e437ccea02bb5b87e21d9e5fb8040116e2
a47ec4ffd961aef2063e174c987a021bbaff55f849b92718d83e9b340176ea88


Written by Guardio

Keeping your online identity and information secure on every corner of the web. #SafeBrowsing Learn more at https://guard.io
