win.zeus_openssl

Zeus OpenSSL

aka: XSphinx

This family describes the Zeus variant that includes a version of OpenSSL and is usually downloaded by Zloader.

In June 2016, version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked into it, so its size is roughly 1.2 MB. In subsequent months that size increased to up to 1.6 MB.
In January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked into it, increasing the size to 1.8 MB. Soon after, also in January 2017, the code was obfuscated with version 1.15.0.0, blowing up the size of the binary to 2.2 MB.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl, the X referring to IBM X-Force.

Zeus Sphinx, on the one hand, has the following versioning ("slow increase"):
- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)
- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)
- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)

Zeus OpenSSL, on the other hand, has the following versioning ("fast increase"):
- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)
- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)
- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)

References
- Amir Gandler, Limor Kessem (IBM), 2020-03-30: "Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy". https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/ (accessed 2020-04-01). Families: Zeus OpenSSL, Zloader.
- Limor Kessem, Denis Laskov, Ziv Eli (SecurityIntelligence), 2016-08-16: "Brazil Can’t Catch a Break: After Panda Comes the Sphinx". https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/ (accessed 2020-01-08). Families: Zeus OpenSSL.
Yara Rules
[TLP:WHITE] win_zeus_openssl_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_zeus_openssl_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c745f800000000 33f6 c7011c000000 c745d401000000 e9???????? c745d4fdffffff e9???????? }
            // n = 7, score = 1300
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   33f6                 | xor                 esi, esi
            //   c7011c000000         | mov                 dword ptr [ecx], 0x1c
            //   c745d401000000       | mov                 dword ptr [ebp - 0x2c], 1
            //   e9????????           |                     
            //   c745d4fdffffff       | mov                 dword ptr [ebp - 0x2c], 0xfffffffd
            //   e9????????           |                     

        $sequence_1 = { 8bcf e8???????? 8bf8 83ffff 7444 8b0d???????? 8bd7 }
            // n = 7, score = 1300
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83ffff               | cmp                 edi, -1
            //   7444                 | je                  0x46
            //   8b0d????????         |                     
            //   8bd7                 | mov                 edx, edi

        $sequence_2 = { 8945ec 8945e4 894df0 8b45f0 897dc0 }
            // n = 5, score = 1300
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   897dc0               | mov                 dword ptr [ebp - 0x40], edi

        $sequence_3 = { c1e003 2bf8 8bcf b801000000 }
            // n = 4, score = 1300
            //   c1e003               | shl                 eax, 3
            //   2bf8                 | sub                 edi, eax
            //   8bcf                 | mov                 ecx, edi
            //   b801000000           | mov                 eax, 1

        $sequence_4 = { 0f8484000000 814a1808010000 668b03 66894210 }
            // n = 4, score = 1300
            //   0f8484000000         | je                  0x8a
            //   814a1808010000       | or                  dword ptr [edx + 0x18], 0x108
            //   668b03               | mov                 ax, word ptr [ebx]
            //   66894210             | mov                 word ptr [edx + 0x10], ax

        $sequence_5 = { 8955f4 8b4974 8b55f8 3bd1 0f47d1 894ddc }
            // n = 6, score = 1300
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8b4974               | mov                 ecx, dword ptr [ecx + 0x74]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   3bd1                 | cmp                 edx, ecx
            //   0f47d1               | cmova               edx, ecx
            //   894ddc               | mov                 dword ptr [ebp - 0x24], ecx

        $sequence_6 = { 894648 85ff 7456 8b5df4 8b4638 8b4e58 0fb67c1802 }
            // n = 7, score = 1300
            //   894648               | mov                 dword ptr [esi + 0x48], eax
            //   85ff                 | test                edi, edi
            //   7456                 | je                  0x58
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   8b4638               | mov                 eax, dword ptr [esi + 0x38]
            //   8b4e58               | mov                 ecx, dword ptr [esi + 0x58]
            //   0fb67c1802           | movzx               edi, byte ptr [eax + ebx + 2]

        $sequence_7 = { 743b 83ef50 7412 83ef75 742a }
            // n = 5, score = 1300
            //   743b                 | je                  0x3d
            //   83ef50               | sub                 edi, 0x50
            //   7412                 | je                  0x14
            //   83ef75               | sub                 edi, 0x75
            //   742a                 | je                  0x2c

        $sequence_8 = { 8b7508 85f6 7506 8d46fe }
            // n = 4, score = 1300
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   85f6                 | test                esi, esi
            //   7506                 | jne                 8
            //   8d46fe               | lea                 eax, [esi - 2]

        $sequence_9 = { 8b55f4 8bc6 2b45c0 3bd0 0f860d010000 8bca 2bc8 }
            // n = 7, score = 1300
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   8bc6                 | mov                 eax, esi
            //   2b45c0               | sub                 eax, dword ptr [ebp - 0x40]
            //   3bd0                 | cmp                 edx, eax
            //   0f860d010000         | jbe                 0x113
            //   8bca                 | mov                 ecx, edx
            //   2bc8                 | sub                 ecx, eax

    condition:
        7 of them and filesize < 4546560
}
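Added example (not part of the Malpedia page or of yara-signator): a small Python matcher that compiles the rule's hex strings above, including the ?? byte wildcards, into byte regexes and evaluates the "7 of them and filesize < 4546560" condition, so the scoring logic can be traced without a YARA engine. The buffer it scans and its 0x41 wildcard fill are constructed for the demonstration, not taken from a real file.

```python
import re

# Hex strings copied from the win_zeus_openssl_auto rule on this page.
SEQUENCES = {
    "sequence_0": "c745f800000000 33f6 c7011c000000 c745d401000000 e9???????? c745d4fdffffff e9????????",
    "sequence_1": "8bcf e8???????? 8bf8 83ffff 7444 8b0d???????? 8bd7",
    "sequence_2": "8945ec 8945e4 894df0 8b45f0 897dc0",
    "sequence_3": "c1e003 2bf8 8bcf b801000000",
    "sequence_4": "0f8484000000 814a1808010000 668b03 66894210",
    "sequence_5": "8955f4 8b4974 8b55f8 3bd1 0f47d1 894ddc",
    "sequence_6": "894648 85ff 7456 8b5df4 8b4638 8b4e58 0fb67c1802",
    "sequence_7": "743b 83ef50 7412 83ef75 742a",
    "sequence_8": "8b7508 85f6 7506 8d46fe",
    "sequence_9": "8b55f4 8bc6 2b45c0 3bd0 0f860d010000 8bca 2bc8",
}
MAX_FILESIZE = 4546560   # from the rule's condition
REQUIRED = 7             # "7 of them"

def hex_pattern_to_regex(pattern):
    """Compile a YARA-style hex string (byte pairs, '?' nibble wildcards) to a bytes regex."""
    hexstr = pattern.replace(" ", "")
    parts = []
    for i in range(0, len(hexstr), 2):
        pair = hexstr[i:i + 2]
        if pair == "??":
            parts.append(b".")  # any single byte
        elif "?" in pair:
            # half-byte wildcard: enumerate the 16 byte values that fit the fixed nibble
            cands = [int(pair.replace("?", "%x" % n), 16) for n in range(16)]
            parts.append(b"[" + b"".join(re.escape(bytes([c])) for c in cands) + b"]")
        else:
            parts.append(re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)

def matching_sequences(data):
    """Names of the rule's strings that occur somewhere in data."""
    return [n for n, p in SEQUENCES.items() if hex_pattern_to_regex(p).search(data)]

def rule_matches(data):
    """Evaluate the condition '7 of them and filesize < 4546560'."""
    return len(matching_sequences(data)) >= REQUIRED and len(data) < MAX_FILESIZE

def constructed_sample(names, fill="41"):
    """Constructed buffer (not a real sample): the named sequences with their
    wildcards filled by the byte 'fill', separated by NOP padding."""
    pad = b"\x90" * 16
    chunks = [bytes.fromhex(SEQUENCES[n].replace(" ", "").replace("??", fill)) for n in names]
    return pad + pad.join(chunks) + pad

SEVEN = ["sequence_1", "sequence_2", "sequence_3", "sequence_5", "sequence_7", "sequence_8", "sequence_9"]
```

Real YARA also applies the strings to the whole file and counts each string once regardless of how often it occurs, which is what the per-name search above reproduces.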