win.zeus_openssl

Zeus OpenSSL

aka: XSphinx

This family covers the Zeus variant that ships with a statically linked copy of OpenSSL and is usually downloaded by Zloader.

In June 2016, version 1.5.4.0 (PE timestamp: 2016-05-11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked into it, which brings its size to roughly 1.2 MB. In subsequent months, that size increased up to 1.6 MB.
In January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked in instead, increasing the size to 1.8 MB. Soon after, also in January 2017, the code of version 1.15.0.0 was obfuscated, blowing up the size of the binary to 2.2 MB.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia therefore lists the alias "Zeus XSphinx" for win.zeus_openssl, the X referring to IBM X-Force.

Zeus Sphinx, on the one hand, has the following versioning ("slow increase"):
- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)
- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)
- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)

Zeus OpenSSL, on the other hand, has the following versioning ("fast increase"):
- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)
- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)
- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)

References

- 2020-03-30 | IBM | Amir Gandler, Limor Kessem
  @online{gandler:20200330:zeus:bef1da7, author = {Amir Gandler and Limor Kessem}, title = {{Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy}}, date = {2020-03-30}, organization = {IBM}, url = {https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/}, language = {English}, urldate = {2020-04-01} }
  Families: Zeus OpenSSL, Zloader

- 2016-08-16 | SecurityIntelligence | Limor Kessem, Denis Laskov, Ziv Eli
  @online{kessem:20160816:brazil:0bc05a3, author = {Limor Kessem and Denis Laskov and Ziv Eli}, title = {{Brazil Can’t Catch a Break: After Panda Comes the Sphinx}}, date = {2016-08-16}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/}, language = {English}, urldate = {2020-01-08} }
  Families: Zeus OpenSSL

Yara Rules
[TLP:WHITE] win_zeus_openssl_auto (20220516 | Detects win.zeus_openssl.)
rule win_zeus_openssl_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.zeus_openssl."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b5df4 8b4638 8b4e58 0fb67c1802 8b4648 }
            // n = 5, score = 1300
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   8b4638               | mov                 eax, dword ptr [esi + 0x38]
            //   8b4e58               | mov                 ecx, dword ptr [esi + 0x58]
            //   0fb67c1802           | movzx               edi, byte ptr [eax + ebx + 2]
            //   8b4648               | mov                 eax, dword ptr [esi + 0x48]

        $sequence_1 = { 741f f6c508 0f8484000000 814a1808010000 668b03 66894210 83c302 }
            // n = 7, score = 1300
            //   741f                 | je                  0x21
            //   f6c508               | test                ch, 8
            //   0f8484000000         | je                  0x8a
            //   814a1808010000       | or                  dword ptr [edx + 0x18], 0x108
            //   668b03               | mov                 ax, word ptr [ebx]
            //   66894210             | mov                 word ptr [edx + 0x10], ax
            //   83c302               | add                 ebx, 2

        $sequence_2 = { 8bc8 8986bc160000 83f90b 7e50 8b7d08 8b5614 }
            // n = 6, score = 1300
            //   8bc8                 | mov                 ecx, eax
            //   8986bc160000         | mov                 dword ptr [esi + 0x16bc], eax
            //   83f90b               | cmp                 ecx, 0xb
            //   7e50                 | jle                 0x52
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b5614               | mov                 edx, dword ptr [esi + 0x14]

        $sequence_3 = { 33c0 668981b8160000 8981bc160000 8b4108 881c02 ff4114 8b7114 }
            // n = 7, score = 1300
            //   33c0                 | xor                 eax, eax
            //   668981b8160000       | mov                 word ptr [ecx + 0x16b8], ax
            //   8981bc160000         | mov                 dword ptr [ecx + 0x16bc], eax
            //   8b4108               | mov                 eax, dword ptr [ecx + 8]
            //   881c02               | mov                 byte ptr [edx + eax], bl
            //   ff4114               | inc                 dword ptr [ecx + 0x14]
            //   8b7114               | mov                 esi, dword ptr [ecx + 0x14]

        $sequence_4 = { 3c80 741c 80e2fe 80fac2 0f85edfeffff 8b45d8 3bf8 }
            // n = 7, score = 1300
            //   3c80                 | cmp                 al, 0x80
            //   741c                 | je                  0x1e
            //   80e2fe               | and                 dl, 0xfe
            //   80fac2               | cmp                 dl, 0xc2
            //   0f85edfeffff         | jne                 0xfffffef3
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   3bf8                 | cmp                 edi, eax

        $sequence_5 = { 8bd8 33c0 6a1c 8945f0 8845ff }
            // n = 5, score = 1300
            //   8bd8                 | mov                 ebx, eax
            //   33c0                 | xor                 eax, eax
            //   6a1c                 | push                0x1c
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8845ff               | mov                 byte ptr [ebp - 1], al

        $sequence_6 = { 8b55f4 8bc6 2b45c0 3bd0 0f860d010000 8bca }
            // n = 6, score = 1300
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   8bc6                 | mov                 eax, esi
            //   2b45c0               | sub                 eax, dword ptr [ebp - 0x40]
            //   3bd0                 | cmp                 edx, eax
            //   0f860d010000         | jbe                 0x113
            //   8bca                 | mov                 ecx, edx

        $sequence_7 = { 66d3e2 660990b8160000 03ce 8b55e4 }
            // n = 4, score = 1300
            //   66d3e2               | shl                 dx, cl
            //   660990b8160000       | or                  word ptr [eax + 0x16b8], dx
            //   03ce                 | add                 ecx, esi
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]

        $sequence_8 = { e9???????? 8bc8 c1e910 0fb6c0 894b44 8b4df4 8b5dfc }
            // n = 7, score = 1300
            //   e9????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   c1e910               | shr                 ecx, 0x10
            //   0fb6c0               | movzx               eax, al
            //   894b44               | mov                 dword ptr [ebx + 0x44], ecx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8b5dfc               | mov                 ebx, dword ptr [ebp - 4]

        $sequence_9 = { 3b0a 740b 40 83c228 3bc6 72f4 }
            // n = 6, score = 1300
            //   3b0a                 | cmp                 ecx, dword ptr [edx]
            //   740b                 | je                  0xd
            //   40                   | inc                 eax
            //   83c228               | add                 edx, 0x28
            //   3bc6                 | cmp                 eax, esi
            //   72f4                 | jb                  0xfffffff6

    condition:
        7 of them and filesize < 4546560
}
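To make the matching semantics of the rule above concrete, here is an added Python example (not Malpedia's or yara-signator's code) that converts each hex string into a bytes regex, honouring the `??` wildcards in $sequence_8, and evaluates the rule's condition (7 of the ten sequences present and filesize below 4546560 bytes) over a constructed buffer. The ten hex strings are copied from the rule; the buffer, the helper names and the 0x41 wildcard fill are assumptions for illustration only, standing in for what the YARA engine does on a real file.

```python
import re

# The ten hex sequences of win_zeus_openssl_auto, copied from the rule above.
SEQUENCES = {
    "sequence_0": "8b5df4 8b4638 8b4e58 0fb67c1802 8b4648",
    "sequence_1": "741f f6c508 0f8484000000 814a1808010000 668b03 66894210 83c302",
    "sequence_2": "8bc8 8986bc160000 83f90b 7e50 8b7d08 8b5614",
    "sequence_3": "33c0 668981b8160000 8981bc160000 8b4108 881c02 ff4114 8b7114",
    "sequence_4": "3c80 741c 80e2fe 80fac2 0f85edfeffff 8b45d8 3bf8",
    "sequence_5": "8bd8 33c0 6a1c 8945f0 8845ff",
    "sequence_6": "8b55f4 8bc6 2b45c0 3bd0 0f860d010000 8bca",
    "sequence_7": "66d3e2 660990b8160000 03ce 8b55e4",
    "sequence_8": "e9???????? 8bc8 c1e910 0fb6c0 894b44 8b4df4 8b5dfc",
    "sequence_9": "3b0a 740b 40 83c228 3bc6 72f4",
}
# Values from the rule's condition: "7 of them and filesize < 4546560".
MIN_MATCHES = 7
MAX_FILESIZE = 4546560


def hex_string_to_regex(hex_string):
    """Translate a YARA hex string into a compiled bytes regex.

    Only the subset this rule uses is handled: fixed byte pairs, '??'
    wildcards (any single byte) and whitespace, which is ignored.
    """
    digits = hex_string.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("hex string has an odd number of digits")
    parts = []
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        if pair == "??":
            parts.append(b".")            # wildcard: any byte, incl. 0x0a
        else:
            parts.append(re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


PATTERNS = {name: hex_string_to_regex(h) for name, h in SEQUENCES.items()}


def matching_sequences(data):
    """Return the sorted names of all sequences found anywhere in data."""
    return sorted(name for name, pat in PATTERNS.items() if pat.search(data))


def rule_matches(data):
    """Evaluate the rule condition: 7 of them and filesize < 4546560."""
    if len(data) >= MAX_FILESIZE:
        return False                      # size cap fails before any scan
    return len(matching_sequences(data)) >= MIN_MATCHES


def build_sample(sequence_names, padding=b"\x90" * 16):
    """Constructed test buffer (not a real sample): the named sequences,
    with every '??' wildcard filled with 0x41, separated by NOP padding."""
    chunks = []
    for name in sequence_names:
        digits = SEQUENCES[name].replace(" ", "").replace("??", "41")
        chunks.append(bytes.fromhex(digits))
    return padding + padding.join(chunks) + padding


if __name__ == "__main__":
    names = list(SEQUENCES)
    print("all ten:  ", rule_matches(build_sample(names)))      # True
    print("seven:    ", rule_matches(build_sample(names[:7])))  # True
    print("six:      ", rule_matches(build_sample(names[:6])))  # False
    oversized = build_sample(names) + b"\x00" * MAX_FILESIZE
    print("oversized:", rule_matches(oversized))                # False
```

The regex translation is deliberately minimal: YARA hex strings also support nibble wildcards, jumps and alternatives, none of which this rule uses. The size test shows why the `filesize` clause matters for triage: a file that carries every sequence but exceeds the cap is still rejected, so the cap should be revisited if later builds grow beyond the 2.2 MB documented above.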