Silent Night Botnet Emerges from Zeus’ Shadow

It can be successfully argued that the most famous banking trojan ever released unto an unsuspecting public was Zeus. The malware itself caused havoc but when the source code found its way into the public domain several other malware variants sprouted up built of the source code. Zeus Sphinx, sometimes also referred to as Terdot, is one of those newer malware variants that can directly trace its lineage to Zeus, which was first seen in the wild in 2007 and was the most prolific malware of its type till 2010 when it was allegedly retired by its developer. Despite being retired the source code still presents a danger as a number of newer malware strains have been built of the source code.

In a recent report published by Malwarebytes and HYAS details the emerges of another banking trojan which can also trace its parenthood to Zeus called Silent Night. Banking trojans are trojans specifically designed to steal banking credentials and other data pertaining to banks and other financial institutions in order to steal funds from banks and their customers. Trojan typically infect machines by masquerading as legitimate applications and processes with many banking trojans making use of web injects targeting specific browsers to steal information entered by the victim on forms and login pages.

The source code for Zeus was leaked in 2011, however, since the COVID-19 pandemic, malware being developed off the code has seen a spike in usage by hackers looking to use the global emergency for their own profit. Hackers have been using the pandemic in socially engineered spam emails so as to better distribute their malware. Silent Night has been seen copying what has become a very popular tactic. Further, the malware is also been distributed via the RIG exploit kit, the kit is designed to take advantage of known vulnerabilities within Internet Explorer to compromise the victim’s machine and then install Silent Night.

silent night botnet zeus

The name of the malware is believed to be a reference to a weapon mentioned in the 2002 movie xXx, with the malware itself being developed recently as it is time-stamped November 2019. The timestamp coincides with an announcement made by an exploit forum user, going by the handle “axe”. In the announcement the malware development was advertised as well as stating that the malware took five years to develop.

The announcement also serves to offer the malware as a service to those interested. The malware, however, does not come cheap at 4,000 USD for a custom build with a subscription fee of 2,000 USD per month. The malware's author further offers a whole range of add on which can be added at the cost of hundreds of dollars. Researchers were able to connect the malware developer to Axe Bot 1.4.1, which shares PHP prefixes with the latest botnet. Further descriptions submitted to the forum describe the malware as being designed to be compatible with Zeus web injects. In further trying to sell the malware to other hackers, the developer states,

“A few years prior: My previous banking Trojan had a lot of issues and was hard to maintain because of the poor architecture and C-code. The best course of action was to rewrite the whole thing, and I have done just that. The development took a few years, and I went through a couple of iterations. Finally, with the experience learned from the first version and all the customers’ feedback, I was successful at making the ideal banking trojan.”

Given the features found in the malware the developer may have come as close as possible to “making the ideal banking trojan”. According to researchers, the malware is capable of grabbing information from online forms and then performing web injections in the Google Chrome, Mozilla Firefox, and Internet Explorer browsers, Edge is the only exception to the targeted browsers. Further, the malware is also compatible with all operating systems. Other features include keylogging, grab screenshots at a size of 400x400 based on mouse clicks, steal cookies, and harvest passwords from Chrome. When performing web injections the malware is capable of either hijacking the session and sending them to malicious domains or to grab the credentials required to access online banking services. Stolen credentials are sent to the attacker's command and control server. What is interesting about the exfiltration of data, encrypting the data first, as is done with many other kinds of malware, is not carried out. Rather the malware will add code obfuscation. Encryption of data can be done but this is yet another add on which will cost the buyer more.

In concluding researchers noted Silent Night similarities between Zeus as well as Terdot. Silent Night has many of the features which make Terdot such a threat including modularity and an overall modernization of the source code. However, it is not a straight copy of those that have come before it as the code indicates a lot of work was put into the malware development. Further researchers stated,

“The design of Silent Night is consistent and clean, the author’s experience shows throughout the code. Yet, apart from the custom obfuscator, there is not much novelty in this product. The Silent Night is not any game changer, but just yet another banking Trojan based on ZeuS. Based on the analysis of the bot’s configurations, we may confidently say that there is more than one customer of the “Silent Night”. However, comparing the frequency of new builds (based on the variations of the config files) and the different level of sophistication between the actors, we can say that some users are more proficient than others. Considering the absence of activity on the exploit.in thread where the bot was originally sold and the success of previous campaigns, we predict with moderate confidence an evolution of the bot from something that anyone with a budget can buy, into a vehicle for one group to conduct banking theft at scale.”

Not the only Relative of Zeus

At the same time that Malwarebytes published their research, Proofpoint published another article detailing the recent activity of another one of Zeus’ “sons”. ZLoader has been seen by researchers in over 100 campaigns since the start of 2020 targeting users in the United States, Canada, Germany, Poland, and Australia. The recent campaign, like Silent Night, has been using the COVID-19 pandemic as a lure. Spam emails are sent to proclaiming to be COVID-19 scam prevention tips, COVID-19 testing, and invoices related to the treatment or prevention of the illness.

ZLoader was first seen in the wild in 2016 and was fairly active till 2018. From 2018 till the start of this year malware similar to ZLoader was seen in the wild, however, these similar malware samples lacked the code obfuscation, string encryption, and a few other advanced features of the original ZLoader. Researchers were understandably hesitant to call the pretenders new versions of ZLoader. Now it appears that the original is back with a new version. After analyzing new samples of ZLoader researchers concluded,

“This post has analyzed the latest Zeus banking malware variant and some of the campaigns we have seen spreading it. It uses typical banking malware functionality such as web injects, password and cookie theft, and access to devices via VNC to steal credentials, personally identifiable information, and ultimately money from targets. The Zeus banking malware and its descendants have been a staple in the cybercrime landscape since 2006. From Zeus to Citadel, Ice IX, Murofet, Gameover, ZLoader, KINS, Flokibot, Chthonic, Panda Banker, and back to ZLoader again.”

For large portions of the population 2020 has been a difficult year, to put it mildly. Not only has a pandemic caused major disruptions and the enforcement of a “new normal” but cybercriminals have looked to profit off the damage caused. In relation to malware variants related to Zeus, Terdot and ZLoader have made reappearances onto the threat landscape as well as a new strain Silent Night. This has all been in the first quarter of 2020 with three separate pieces of malware all related to Zeus targeting banks and their customers in order to steal vast sums of money. Further those listed above have looked to abuse people’s fear pertaining to the virus and their health.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal