win.zeus_openssl

Zeus OpenSSL

aka: XSphinx

This family covers the Zeus variant that ships with a statically linked copy of OpenSSL and is usually downloaded by Zloader.

In June 2016, version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked into it, so its size is roughly 1.2 MB. In subsequent months, that size increased up to 1.6 MB.
In January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked instead, increasing the size to 1.8 MB. Soon after, also in January 2017, with version 1.15.0.0 the code was obfuscated, blowing up the size of the binary to 2.2 MB.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl, the X referring to IBM X-Force.

Zeus Sphinx on the one hand has the following versioning ("slow increase"):
- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)
- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)
- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)

Zeus OpenSSL on the other hand has the following versioning ("fast increase"):
- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)
- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)
- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)

References
- 2020-03-30, IBM, Amir Gandler, Limor Kessem: "Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy" (families: Zeus OpenSSL, Zloader)
- 2016-08-16, SecurityIntelligence, Denis Laskov, Limor Kessem, Ziv Eli: "Brazil Can’t Catch a Break: After Panda Comes the Sphinx" (families: Zeus OpenSSL)
Yara Rules
[TLP:WHITE] win_zeus_openssl_auto (20230808 | Detects win.zeus_openssl.)
rule win_zeus_openssl_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.zeus_openssl."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1e205 2bd1 8bce c7460471000000 }
            // n = 4, score = 1300
            //   c1e205               | shl                 edx, 5
            //   2bd1                 | sub                 edx, ecx
            //   8bce                 | mov                 ecx, esi
            //   c7460471000000       | mov                 dword ptr [esi + 4], 0x71

        $sequence_1 = { eb04 807dfd05 7607 814a1800100100 8a4dfe }
            // n = 5, score = 1300
            //   eb04                 | jmp                 6
            //   807dfd05             | cmp                 byte ptr [ebp - 3], 5
            //   7607                 | jbe                 9
            //   814a1800100100       | or                  dword ptr [edx + 0x18], 0x11000
            //   8a4dfe               | mov                 cl, byte ptr [ebp - 2]

        $sequence_2 = { 8b45f4 8b4850 8b45d0 23c2 894dcc 8b0481 8bc8 }
            // n = 7, score = 1300
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4850               | mov                 ecx, dword ptr [eax + 0x50]
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   23c2                 | and                 eax, edx
            //   894dcc               | mov                 dword ptr [ebp - 0x34], ecx
            //   8b0481               | mov                 eax, dword ptr [ecx + eax*4]
            //   8bc8                 | mov                 ecx, eax

        $sequence_3 = { 895df0 0fb6de 0145f8 0fb745d2 0fb6ca 03cb bf01000000 }
            // n = 7, score = 1300
            //   895df0               | mov                 dword ptr [ebp - 0x10], ebx
            //   0fb6de               | movzx               ebx, dh
            //   0145f8               | add                 dword ptr [ebp - 8], eax
            //   0fb745d2             | movzx               eax, word ptr [ebp - 0x2e]
            //   0fb6ca               | movzx               ecx, dl
            //   03cb                 | add                 ecx, ebx
            //   bf01000000           | mov                 edi, 1

        $sequence_4 = { 48 7526 804dff04 884a01 eb19 804dff02 884a01 }
            // n = 7, score = 1300
            //   48                   | dec                 eax
            //   7526                 | jne                 0x28
            //   804dff04             | or                  byte ptr [ebp - 1], 4
            //   884a01               | mov                 byte ptr [edx + 1], cl
            //   eb19                 | jmp                 0x1b
            //   804dff02             | or                  byte ptr [ebp - 1], 2
            //   884a01               | mov                 byte ptr [edx + 1], cl

        $sequence_5 = { 894a04 83c620 83c120 81fee00f0000 }
            // n = 4, score = 1300
            //   894a04               | mov                 dword ptr [edx + 4], ecx
            //   83c620               | add                 esi, 0x20
            //   83c120               | add                 ecx, 0x20
            //   81fee00f0000         | cmp                 esi, 0xfe0

        $sequence_6 = { 83c608 03d0 895dfc 8955f8 897df0 3b75cc 72dc }
            // n = 7, score = 1300
            //   83c608               | add                 esi, 8
            //   03d0                 | add                 edx, eax
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   897df0               | mov                 dword ptr [ebp - 0x10], edi
            //   3b75cc               | cmp                 esi, dword ptr [ebp - 0x34]
            //   72dc                 | jb                  0xffffffde

        $sequence_7 = { 8b8d7cffffff 830204 5e c70101000000 33c0 5b }
            // n = 6, score = 1300
            //   8b8d7cffffff         | mov                 ecx, dword ptr [ebp - 0x84]
            //   830204               | add                 dword ptr [edx], 4
            //   5e                   | pop                 esi
            //   c70101000000         | mov                 dword ptr [ecx], 1
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx

        $sequence_8 = { 898bc41b0000 8b5dfc 2bf1 8b7df4 8bc8 c1e908 0fb6c9 }
            // n = 7, score = 1300
            //   898bc41b0000         | mov                 dword ptr [ebx + 0x1bc4], ecx
            //   8b5dfc               | mov                 ebx, dword ptr [ebp - 4]
            //   2bf1                 | sub                 esi, ecx
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   8bc8                 | mov                 ecx, eax
            //   c1e908               | shr                 ecx, 8
            //   0fb6c9               | movzx               ecx, cl

        $sequence_9 = { d1e8 83fe1f 7eeb 6683bfb800000000 7537 6683bfbc00000000 752d }
            // n = 7, score = 1300
            //   d1e8                 | shr                 eax, 1
            //   83fe1f               | cmp                 esi, 0x1f
            //   7eeb                 | jle                 0xffffffed
            //   6683bfb800000000     | cmp                 word ptr [edi + 0xb8], 0
            //   7537                 | jne                 0x39
            //   6683bfbc00000000     | cmp                 word ptr [edi + 0xbc], 0
            //   752d                 | jne                 0x2f

    condition:
        7 of them and filesize < 4546560
}
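To make the autogenerated rule's condition concrete, the following is an added Python evaluator (not Malpedia's or yara-signator's code) that re-implements only what this one rule needs: plain hex byte patterns, "7 of them", and "filesize < 4546560". The buffers it scans are constructed for the demonstration, not real samples; use YARA itself with the rule above for actual scanning.

```python
"""Evaluate the condition of win_zeus_openssl_auto without YARA.

Added example, not Malpedia's or yara-signator's code. It covers only what this
rule needs: plain hex patterns, "7 of them", and "filesize < 4546560".
"""
from typing import Dict, List

# Hex patterns copied verbatim from the rule's strings section.
SEQUENCES: Dict[str, str] = {
    "sequence_0": "c1e205 2bd1 8bce c7460471000000",
    "sequence_1": "eb04 807dfd05 7607 814a1800100100 8a4dfe",
    "sequence_2": "8b45f4 8b4850 8b45d0 23c2 894dcc 8b0481 8bc8",
    "sequence_3": "895df0 0fb6de 0145f8 0fb745d2 0fb6ca 03cb bf01000000",
    "sequence_4": "48 7526 804dff04 884a01 eb19 804dff02 884a01",
    "sequence_5": "894a04 83c620 83c120 81fee00f0000",
    "sequence_6": "83c608 03d0 895dfc 8955f8 897df0 3b75cc 72dc",
    "sequence_7": "8b8d7cffffff 830204 5e c70101000000 33c0 5b",
    "sequence_8": "898bc41b0000 8b5dfc 2bf1 8b7df4 8bc8 c1e908 0fb6c9",
    "sequence_9": "d1e8 83fe1f 7eeb 6683bfb800000000 7537 6683bfbc00000000 752d",
}
REQUIRED_MATCHES = 7      # "7 of them"
MAX_FILESIZE = 4546560    # "filesize < 4546560" (bytes)


def compile_sequences() -> Dict[str, bytes]:
    """Turn the spaced hex strings into raw byte patterns."""
    return {name: bytes.fromhex(h.replace(" ", "")) for name, h in SEQUENCES.items()}


def matching_sequences(data: bytes) -> List[str]:
    """Names of the patterns found anywhere in data (YARA plain hex-string match)."""
    return [name for name, pat in compile_sequences().items() if pat in data]


def rule_matches(data: bytes) -> bool:
    """The rule's condition: at least 7 distinct patterns present, file below the bound."""
    return len(matching_sequences(data)) >= REQUIRED_MATCHES and len(data) < MAX_FILESIZE


def build_sample(count: int, pad: int = 0) -> bytes:
    """Constructed test buffer (not a real sample): the first `count` patterns,
    separated by int3 filler, followed by `pad` zero bytes to grow the file."""
    seqs = list(compile_sequences().values())[:count]
    return b"\x90" * 16 + b"\xcc".join(seqs) + b"\x00" * pad


if __name__ == "__main__":
    for n, pad in ((7, 0), (6, 0), (10, MAX_FILESIZE)):
        buf = build_sample(n, pad)
        print(f"{n} patterns, {len(buf)} bytes -> match={rule_matches(buf)}")
```

The third case shows why the size bound matters: all ten patterns are present, yet an oversized file is rejected, which is the trade-off the rule makes against padded or repacked builds.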