win.zeus_openssl

Zeus OpenSSL

aka: XSphinx

This family describes the Zeus variant that ships with a statically linked copy of OpenSSL and is usually downloaded by Zloader.

In June 2016, version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked into it, so its size is roughly 1.2 MB. In subsequent months that size grew to 1.6 MB.
In January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked in instead, increasing the size to 1.8 MB. Soon after, also in January 2017, with version v1.15.0.0 the code was obfuscated, inflating the binary to 2.2 MB.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia therefore lists the alias "Zeus XSphinx" for win.zeus_openssl, the X referring to IBM X-Force.

Zeus Sphinx, on the one hand, has the following versioning ("slow increase"):
- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)
- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)
- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)

Zeus OpenSSL, on the other hand, has the following versioning ("fast increase"):
- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)
- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)
- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)

References
- 2020-03-30, IBM, Amir Gandler and Limor Kessem: "Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy". https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/ (English, retrieved 2020-04-01). Families: Zeus OpenSSL, Zloader.
- 2016-08-16, SecurityIntelligence, Limor Kessem, Denis Laskov and Ziv Eli: "Brazil Can’t Catch a Break: After Panda Comes the Sphinx". https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/ (English, retrieved 2020-01-08). Families: Zeus OpenSSL.
Yara Rules
[TLP:WHITE] win_zeus_openssl_auto (20230407 | Detects win.zeus_openssl.)
rule win_zeus_openssl_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.zeus_openssl."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 2bda 8d0c81 894dac 8955b4 b801000000 8bcb 03d3 }
            // n = 7, score = 1300
            //   2bda                 | sub                 ebx, edx
            //   8d0c81               | lea                 ecx, [ecx + eax*4]
            //   894dac               | mov                 dword ptr [ebp - 0x54], ecx
            //   8955b4               | mov                 dword ptr [ebp - 0x4c], edx
            //   b801000000           | mov                 eax, 1
            //   8bcb                 | mov                 ecx, ebx
            //   03d3                 | add                 edx, ebx

        $sequence_1 = { 8ac2 24fc 3ce0 0f8490000000 0fb6c2 80fa0f }
            // n = 6, score = 1300
            //   8ac2                 | mov                 al, dl
            //   24fc                 | and                 al, 0xfc
            //   3ce0                 | cmp                 al, 0xe0
            //   0f8490000000         | je                  0x96
            //   0fb6c2               | movzx               eax, dl
            //   80fa0f               | cmp                 dl, 0xf

        $sequence_2 = { 8bd1 c1e205 2bd1 8bce c7460471000000 e8???????? 837e6c00 }
            // n = 7, score = 1300
            //   8bd1                 | mov                 edx, ecx
            //   c1e205               | shl                 edx, 5
            //   2bd1                 | sub                 edx, ecx
            //   8bce                 | mov                 ecx, esi
            //   c7460471000000       | mov                 dword ptr [esi + 4], 0x71
            //   e8????????           |                     
            //   837e6c00             | cmp                 dword ptr [esi + 0x6c], 0

        $sequence_3 = { 83c408 e9???????? 83bf8800000004 0f84b2000000 3bd1 0f84aa000000 8b8fbc160000 }
            // n = 7, score = 1300
            //   83c408               | add                 esp, 8
            //   e9????????           |                     
            //   83bf8800000004       | cmp                 dword ptr [edi + 0x88], 4
            //   0f84b2000000         | je                  0xb8
            //   3bd1                 | cmp                 edx, ecx
            //   0f84aa000000         | je                  0xb0
            //   8b8fbc160000         | mov                 ecx, dword ptr [edi + 0x16bc]

        $sequence_4 = { 75f0 41 3bca 72f6 }
            // n = 4, score = 1300
            //   75f0                 | jne                 0xfffffff2
            //   41                   | inc                 ecx
            //   3bca                 | cmp                 ecx, edx
            //   72f6                 | jb                  0xfffffff8

        $sequence_5 = { 7308 85db 0f8461020000 85c0 0f84c1030000 33ff 83f803 }
            // n = 7, score = 1300
            //   7308                 | jae                 0xa
            //   85db                 | test                ebx, ebx
            //   0f8461020000         | je                  0x267
            //   85c0                 | test                eax, eax
            //   0f84c1030000         | je                  0x3c7
            //   33ff                 | xor                 edi, edi
            //   83f803               | cmp                 eax, 3

        $sequence_6 = { 8b4de0 89480c 8b4de8 894810 8b4df4 8938 }
            // n = 6, score = 1300
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   89480c               | mov                 dword ptr [eax + 0xc], ecx
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   894810               | mov                 dword ptr [eax + 0x10], ecx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8938                 | mov                 dword ptr [eax], edi

        $sequence_7 = { 0f849c010000 8b5dfc 8b7e5c 8b4e6c 8b462c 2bcf }
            // n = 6, score = 1300
            //   0f849c010000         | je                  0x1a2
            //   8b5dfc               | mov                 ebx, dword ptr [ebp - 4]
            //   8b7e5c               | mov                 edi, dword ptr [esi + 0x5c]
            //   8b4e6c               | mov                 ecx, dword ptr [esi + 0x6c]
            //   8b462c               | mov                 eax, dword ptr [esi + 0x2c]
            //   2bcf                 | sub                 ecx, edi

        $sequence_8 = { c7463000000000 33c0 5e 8be5 5d c3 2b7e30 }
            // n = 7, score = 1300
            //   c7463000000000       | mov                 dword ptr [esi + 0x30], 0
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   2b7e30               | sub                 edi, dword ptr [esi + 0x30]

        $sequence_9 = { 3985e8fdffff 740a 41 3bca }
            // n = 4, score = 1300
            //   3985e8fdffff         | cmp                 dword ptr [ebp - 0x218], eax
            //   740a                 | je                  0xc
            //   41                   | inc                 ecx
            //   3bca                 | cmp                 ecx, edx

    condition:
        7 of them and filesize < 4546560
}
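To make explicit how the autogenerated rule's condition is evaluated, the following is an added example (not Malpedia's or yara-signator's code) that re-implements the `??` wildcard hex matching and the `7 of them and filesize < 4546560` condition in plain Python, using only the standard library rather than the yara engine; the hex strings are copied from the rule above and the sample buffer it scans is constructed, not a real file.

```python
import re

# Hex strings copied from the win_zeus_openssl_auto rule above. "??" is YARA's
# one-byte wildcard; yara-signator uses it for the rel32 operand of call/jmp.
SEQUENCES = {
    "sequence_0": "2bda 8d0c81 894dac 8955b4 b801000000 8bcb 03d3",
    "sequence_1": "8ac2 24fc 3ce0 0f8490000000 0fb6c2 80fa0f",
    "sequence_2": "8bd1 c1e205 2bd1 8bce c7460471000000 e8???????? 837e6c00",
    "sequence_3": "83c408 e9???????? 83bf8800000004 0f84b2000000 3bd1 0f84aa000000 8b8fbc160000",
    "sequence_4": "75f0 41 3bca 72f6",
    "sequence_5": "7308 85db 0f8461020000 85c0 0f84c1030000 33ff 83f803",
    "sequence_6": "8b4de0 89480c 8b4de8 894810 8b4df4 8938",
    "sequence_7": "0f849c010000 8b5dfc 8b7e5c 8b4e6c 8b462c 2bcf",
    "sequence_8": "c7463000000000 33c0 5e 8be5 5d c3 2b7e30",
    "sequence_9": "3985e8fdffff 740a 41 3bca",
}
MIN_MATCHES = 7           # condition: 7 of them ...
FILESIZE_LIMIT = 4546560  # ... and filesize < 4546560

def compile_sequence(hexstr: str) -> re.Pattern:
    """Translate a YARA hex string (full-byte ?? wildcards only) into a bytes regex."""
    compact = hexstr.replace(" ", "")
    if len(compact) % 2:
        raise ValueError("odd nibble count in hex string")
    pattern = b""
    for i in range(0, len(compact), 2):
        tok = compact[i:i + 2]
        if tok == "??":
            pattern += b"."  # any single byte (re.DOTALL below)
        elif "?" in tok:
            raise ValueError("nibble wildcards are not handled: " + tok)
        else:
            pattern += re.escape(bytes([int(tok, 16)]))
    return re.compile(pattern, re.DOTALL)

COMPILED = {name: compile_sequence(hx) for name, hx in SEQUENCES.items()}

def scan(data: bytes) -> dict:
    """Evaluate the rule's condition over one buffer the way YARA would."""
    hits = {name: rx.search(data) is not None for name, rx in COMPILED.items()}
    matched = sum(hits.values())
    fires = matched >= MIN_MATCHES and len(data) < FILESIZE_LIMIT
    return {"hits": hits, "matched": matched, "rule_fires": fires}

def constructed_sample(names, filler: int = 0x11) -> bytes:
    """Constructed test buffer (not a real sample): chosen sequences, ?? -> filler."""
    chunks = [bytes.fromhex(SEQUENCES[n].replace(" ", "").replace("??", "%02x" % filler))
              for n in names]
    return b"\x90" * 8 + b"\xcc".join(chunks) + b"\x90" * 8
```

For real scanning use the yara engine itself; this matcher only makes the two halves of the condition (string count and file size bound) visible, which matters because a 1.8 MB or 2.2 MB variant still sits below the 4546560-byte limit while a padded or bundled copy may not.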