URL: https://www.fortinet.com/blog/threat-research/zeus-stealer-distributed-via-crafted-minecraft-source-pack

FortiGuard Labs Threat Research

ZEUS STEALER DISTRIBUTED VIA CRAFTED MINECRAFT SOURCE PACK

By Pei Han Liao | May 07, 2024

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High

Many game makers allow users to alter a game's appearance or behavior to
increase its enjoyment and replay value. Players can often also download
packages created by others. However, this is also a chance for attackers to
distribute their malware. This article examines a batch stealer distributed via
a crafted Minecraft source pack.

The zEus stealer malware was added to a source pack that was being shared on
YouTube. The name zEus comes from an earlier variant of this malware. That
variant (d9d394cc2a743c0147f7c536cbb11d6ea070f2618a12e7cc0b15816307808b8a) was
also distributed via a Minecraft source pack, but embedded in a WinRAR
self-extracting archive that mimics a Windows screensaver file. The archive runs
the stealer and opens the image used as its file icon, an image taken from the
Internet with the string “zEus” added. The same name appears in the profile of
the Discord webhook that receives the stolen data.

Figure 1: The string on the icon of the inserted file

Figure 2: The author’s name of the webhook is zEus


INFECTION VECTOR

When a victim executes the zEus stealer, it checks whether it is being analyzed.
If not, it collects sensitive information and drops script files to make the
attack more flexible. The zEus stealer creates folders in C:\ProgramData to save
stolen data and malicious script files.

Figure 3: Attack flow

Figure 4: Aetherium.bat was added to an existing pack


ANTI-ANALYSIS

zEus checks whether it is being analyzed by comparing the computer name and
currently running processes with blacklists.

Computer name blacklist:

WDAGUtilityAccount, Abby, Peter, Wilson, hmarc, patex, JOHN-PC, RDhJ0CNFevzX,
kEecfMwgj, Frank, 8Nl0ColNQ5bq, Lisa, John, george, PxmdUOpVyx, 8VizSM,
w0fjuOVmCcP5A, lmVwjj9b, PqONjHVwexsS, 3u2v9m8, Julia, HEUeRzl, BEE7370C-8C0C-4,
DESKTOP-NAKFFMT, WIN-5E07COS9ALR, B30F0242-1C6A-4, DESKTOP-VRSQLAG, Q9IATRKPRH,
XC64ZB, DESKTOP-D019GDM, DESKTOP-WI8CLET, SERVER1, LISA-PC, JOHN-PC,
DESKTOP-B0T93D6, DESKTOP-1PYKP29, DESKTOP-1Y2433R, WILEYPC, WORK,
6C4E733F-C2D9-4, RALPHS-PC, DESKTOP-WG3MYJS, DESKTOP-7XC6GEZ, DESKTOP-5OV9S0O,
QarZhrdBpj, ORELEEPC, ARCHIBALDPC, JULIA-PC, d1bnJkfVlH, QDAVNJRH

Program blacklist:

httpdebuggerui, wireshark, fiddler, vboxservice, df5serv, processhacker,
vboxtray, vmtoolsd, vmwaretray, ida64, ollydbg, pestudio, vmwareuser,
vgauthservice, vmacthlp, x96dbg, vmsrvc, x32dbg, vmusrvc, prl_cc, prl_tools,
xenservice, qemu-ga, joeboxcontrol, ksdumperclient, ksdumper, joeboxserver


INFORMATION STEALING

The zEus stealer grabs a wide range of information. It writes each piece of
information to its own text file and saves the files in corresponding folders.
The folders for stolen information live under C:\ProgramData\STEALER and include
the PCINFO, IPINFO, HARDWARE, BROWSERS, STEAL, LDB, and SESSION folders.


PCINFO

This folder contains two folders: IPINFO and HARDWARE. zEus looks up the
victim’s IP address and related details using the online tools My External IP,
ipapi, and ip-api. The results are saved as text files in the IPINFO folder.
Using the IP address, zEus queries these tools for further details, including
the internet service provider, location details such as city, longitude,
latitude, and postal code. It also records whether the victim is behind a proxy
server and whether a mobile network is in use.


Figure 5: The data from online tools is saved to the IPINFO folder

Next, zEus uses command-line utilities and PowerShell to collect hardware
information and saves the results in the HARDWARE folder, including currently
running processes, OS version, product key, hardware ID, system configuration,
installed programs, and Wi-Fi passwords.


BROWSERS

zEus copies files for login data and user preferences from the browsers’ profile
path and stores them in corresponding folders. Below are the target browsers:

Chrome, Opera, Brave, Vivaldi, Edge, Firefox

From each browser it copies the login data file and, where needed, the key used
to encrypt stored passwords. It then steals cookies, history, shortcuts, and
bookmarks.


STEAL

This folder contains login data copied from the following software:

Steam, osu!, Roblox, Growtopia, Discord

The files are mostly copied from each application’s data path. In addition, zEus
searches the Downloads folder for discord_backup_codes.txt. This file holds the
backup codes that let users log in to Discord when they lose the device used for
multi-factor authentication (MFA), so the zEus stealer tries to collect the
backup codes from the default location for downloaded files.


LDB

The LDB folder only stores .ldb files copied from %appdata%\discord\Local
Storage\leveldb. From these .ldb files, the attacker can extract the Discord
tokens that carry the account’s authentication data and use them to log into the
victim’s account.


SESSION

zEus also copies various data from the following paths to the SESSION folder.
These files not only contain credentials; they also tell the attacker about the
victim. For example, zEus copies the Logs folder from the parent folder of
EpicGamesLauncher, which contains debug logs for EpicGamesLauncher. It also
copies the parent folders of game publishers such as Battle.net and Electronic
Arts. With this knowledge, the attacker can learn which games the victim plays
and how to disguise the malware for the next attack.

Software          Path
Battle.net        %appdata%\Battle.net
                  (excluded strings: BrowserCache, Cache)
Electronic Arts   %localappdata%\Electronic Arts
Epic Games        %localappdata%\EpicGamesLauncher\Saved\Config
                  %localappdata%\EpicGamesLauncher\Saved\Data
                  %localappdata%\EpicGamesLauncher\Saved\Logs
Telegram          %appdata%\Telegram Desktop\tdata
                  (excluded strings: config, dumps, tdummy, emoji, user_data, webview, *.json)
Minecraft         %userprofile%\.lunarclient\settings\game\*.json
                  %appdata%\.minecraft\*.json
Proton VPN        %localappdata%\protonvpn
Ubisoft           %localappdata%\Ubisoft Game Launcher

zEus stealer also drops KEYWORDSEARCHER.bat and Keyword.txt into the STEALER
folder. The batch file helps a user search a folder for chosen keywords, and the
text file is its README. After data collection, the STEALER folder is compressed
into STEALER.zip and the folder is deleted. KEYWORDSEARCHER.bat and Keyword.txt
are not used by the zEus stealer itself.

Finally, zEus organizes the attack result and sends it with STEALER.zip
attached. The result shows whether it has successfully stolen the items that
should be in the STEALER folder, along with the following information:

Execution date, user name, computer name, processor, anti-virus software,
clipboard content, installed XBOX games, cryptocurrencies, sensitive files

zEus stealer also checks whether the victim uses any of the following
cryptocurrencies:

Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, AtomicWallet, Guarda, Coinomi

It also searches the Downloads folder for files whose names contain one of the
following keywords: 

2fa, mdp, motdepasse, mot_de_passe, login, seed, key, data, db, password,
secret, account, acount, paypal, banque, metamask, wallet, code, exodus, memo,
compte, token, backup, recovery

These keywords are related to login mechanisms, such as 2FA (two-factor
authentication), seed, and key. There are also some French keywords meaning
password, bank, and account. 


Figure 6: A part of the attack result


FEATURES IN DROPPED FILES

Apart from information stealing, the script files dropped to
C:\ProgramData\{ComputerName} provide the following features:

Feature             FileName
Kill Task Manager   debugerkiller.bat
Send Screenshot     Screen.bat
Screen Lock         SYSTEMLOCK.bat, configSYSLOCK.vbs, bsod.hta
Chat Box            CHATBOX.bat
C2 Communication    RAT.bat, COMMANDS.txt, HISTORY.txt

Among these files, debugerkiller.bat, Screen.bat, and RAT.bat are executed
immediately, and their paths are registered under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to achieve
persistence. To avoid suspicion, the names of Windows system files and folders
are used as the value names.
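The persistence and drop behaviour described above (scripts launched from C:\ProgramData by a Run value, the STEALER staging folder, and the fixed dropped file names) is simple to hunt for in endpoint telemetry. The following is an added example, not Fortinet's code: a small triage routine over Sysmon-style events. The event dictionaries, their field names (event_type, key, value_name, data, path) and the computer-name folder DESKTOP-EXAMPLE are constructed for this example and are not values from the post.

```python
"""Triage host telemetry for the zEus persistence and drop artefacts.

Added example, not Fortinet's code. SAMPLE_EVENTS are constructed,
Sysmon-like records; the field names and the DESKTOP-EXAMPLE folder
name are assumptions made for this example.
"""
from __future__ import annotations

import ntpath
import re
from typing import Iterable, List, Optional

RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".hta"}
PROGRAMDATA = r"c:\programdata"
# File names the post lists as dropped to or produced under C:\ProgramData.
DROPPED_NAMES = {
    "debugerkiller.bat", "screen.bat", "systemlock.bat", "configsyslock.vbs",
    "bsod.hta", "chatbox.bat", "rat.bat", "commands.txt", "history.txt",
    "keywordsearcher.bat", "keyword.txt", "stealer.zip",
}
_FIRST_TOKEN = re.compile(r'"([^"]+)"|(\S+)')


def normalize_key(key: str) -> str:
    """Fold HKEY_CURRENT_USER/HKCU spelling and case so keys compare equal."""
    return key.lower().replace("hkey_current_user", "hkcu")


def first_path(command: str) -> str:
    """Return what a Run value launches: its first token, unquoted."""
    m = _FIRST_TOKEN.search(command.strip())
    return (m.group(1) or m.group(2)) if m else ""


def under_programdata(path: str, sub: str = "") -> bool:
    """True if path lies below C:\\ProgramData (optionally below a subfolder)."""
    prefix = (ntpath.join(PROGRAMDATA, sub).rstrip("\\") + "\\").lower()
    return ntpath.normpath(path).lower().startswith(prefix)


def check_run_value(name: str, data: str) -> Optional[str]:
    """Flag Run values that start a script from ProgramData (the zEus pattern)."""
    target = first_path(data)
    if ntpath.splitext(target)[1].lower() in SCRIPT_EXTS and under_programdata(target):
        return f"Run value '{name}' launches script from ProgramData: {target}"
    return None


def check_file_create(path: str) -> Optional[str]:
    """Flag writes into the STEALER staging folder and the known dropped names."""
    norm = ntpath.normpath(path)
    if under_programdata(norm, "STEALER"):
        return f"write into stealer staging folder: {norm}"
    if ntpath.basename(norm).lower() in DROPPED_NAMES and under_programdata(norm):
        return f"known dropped file name under ProgramData: {norm}"
    return None


def triage(events: Iterable[dict]) -> List[str]:
    """Run both checks over an event stream and collect the findings."""
    findings: List[str] = []
    for ev in events:
        finding = None
        if ev["event_type"] == "registry_set" and normalize_key(ev["key"]) == RUN_KEY:
            finding = check_run_value(ev["value_name"], ev["data"])
        elif ev["event_type"] == "file_create":
            finding = check_file_create(ev["path"])
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not from the post): three hits, two benign entries.
SAMPLE_EVENTS = [
    {"event_type": "registry_set",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "explorer",
     "data": r"C:\ProgramData\DESKTOP-EXAMPLE\Screen.bat"},
    {"event_type": "registry_set",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive",
     "data": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"event_type": "file_create", "path": r"C:\ProgramData\STEALER\PCINFO\IPINFO\ipapi.txt"},
    {"event_type": "file_create", "path": r"C:\ProgramData\STEALER.zip"},
    {"event_type": "file_create", "path": r"C:\Users\victim\Downloads\notes.txt"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The Run-value check keys on where the launched file lives and what it is (a script under ProgramData), not on the value name, because the post notes that the value names deliberately copy Windows system file and folder names; a benign-looking name is exactly what this heuristic must ignore.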


Figure 7: Key values for auto-run


KILL TASK MANAGER

zEus stealer drops debugerkiller.bat and obscures its execution to keep
terminating Task Manager. This is set to auto-run to ensure the screen lock
mechanism works.


Figure 8: Code in debugkiller.bat


SEND SCREENSHOT

zEus drops Screen.bat to keep sending a screenshot to the webhook every five
seconds. This is executed automatically at startup to keep monitoring the
victim’s computer.


SCREEN LOCK

SYSTEMLOCK.bat and configSYSLOCK.vbs are dropped to perform this task.
configSYSLOCK.vbs is the launcher for SYSTEMLOCK.bat. The attacker can execute
configSYSLOCK.vbs via C2 communication. SYSTEMLOCK.bat pops up a message box
telling the victim not to restart the computer and closes explorer.exe to stop
the victim from interacting with most Windows items. The SYSTEMLOCK.bat then
keeps executing bsod.hta, which it dropped to the ProgramData folder. This HTA
file just shows a full-screen blank window. However, debugkiller.bat prevents
the victim from opening Task Manager, so most well-known methods to stop a
program are blocked.


CHAT BOX

CHATBOX.bat is dropped to allow the victim to send at most five sentences to the
attacker. This can be executed via C2 communication.


Figure 9: The chat box for the victim


C2 COMMUNICATION

zEus stealer drops RAT.bat to build C2 communication. RAT.bat downloads
command-line instructions from onlinecontroler[.]000webhostapp[.]com into
COMMANDS.txt. If an instruction has not already been executed, it is run and
its result is later written to HISTORY.txt. The executed instruction is sent to
the attacker’s webhook to report the current state. In addition, special
messages for the screen lock and chat box help the attacker with
troubleshooting. RAT.bat is set to auto-run so the computer stays under control.


Figure 10: The message for screen lock


CONCLUSION

zEus stealer has a relatively simple attack flow, but it collects a wide variety
of information that provides data for the next attack and contributes to social
engineering. This is a reminder about the dangers of downloading and using files
from an unknown source. Even a source pack, usually loaded by the software, can
be a carrier for malware.

In addition to only downloading files from reputable sources and checking
reviews of a file and author, FortiGuard Labs recommends enabling MFA as an
additional protection layer. MFA prevents unauthorized account access if a
password has been compromised and can also alert users to unusual account
activities. We also recommend subscribing to a service like FortiRecon that
automatically scans the web for leaked data.


FORTINET PROTECTIONS

The malware described in this report is detected and blocked by FortiGuard
Antivirus as:

BAT/Agent.DI!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus
service. The FortiGuard AntiVirus engine is part of each of these solutions. As
a result, customers who have these products with up-to-date protections are
protected.

FortiGuard IP Reputation and Anti-Botnet Security services proactively block
these attacks by aggregating malicious source IP data from the Fortinet
distributed network of threat sensors, CERTs, MITRE, cooperative competitors,
and other global sources that collaborate to provide up-to-date threat
intelligence about hostile sources.

FortiRecon is a SaaS-based Digital Risk Prevention service backed by FortiGuard
Labs cybersecurity experts. It scans the dark web to provide timely threat
intelligence on threat actor activity, including leaked data, so organizations
can respond rapidly to and shut down active threats. It can also detect evidence
of attacks in progress and provide critical information about threat actor
motivations and TTPs.

If you believe this or any other cybersecurity threat has impacted your
organization, please contact our Global FortiGuard Incident Response Team.


IOCS


C2 SERVER

onlinecontroler[.]000webhostapp[.]com/

panel-controller[.]000webhostapp[.]com/


DISCORD WEBHOOKS

hxxps[:]//discord[.]com/api/webhooks/1212818346157015070/2v0xe2vrxFGv65MRE9qvICmsJw-5e_pq_28xscGybiY1ScEyEiSKMC_zFffr3KkuAimX

hxxps[:]//discord[.]com/api/webhooks/1212821302671581224/L30ylYucowXO_rm7sUpdwA8DLbYet6NyvUsNV60EP1o1HnF-2M-UPsvatVGQY0ctO9Vk

hxxps[:]//discord[.]com/api/webhooks/1216834085205311708/2Rx-yUIHeCnuhuLskpz25Ghf-YWeP6Si6oiUSN4SMQYNkeJfVJiYNC4Xy_Oj0ZNQ1qTC

hxxps[:]//discord[.]com/api/webhooks/1117543783714787458/U_DdPjJm7rM7Q2asPiMISLTrbd3oGw3oVQ25_XU37HCmM6QIQ804SJAH4_h0AT2Vr_cv

hxxps[:]//discord[.]com/api/webhooks/1191890861622050848/iJVVE3x3xilf4TeZNiERydXZPF5TRE1UhM4Ew06uHn95b0k0KDViw3YnhdynrXn17OKa

hxxps[:]//discord[.]com/api/webhooks/1215746939635892344/CmKTGdIvizEpR4FgvvLJm3Bcbjg3AKlNGlwd2S-yIO-GRBXZZbn0OwG39kKnx7mDur4T

hxxps[:]//discord[.]com/api/webhooks/1223978005127364659/3E0hHtDqDOHQJBaG8ifspilk2mY8E1s4KeQY36inBq-tq5q6aZex8U0YJVxVlloFJj5X

hxxps[:]//discord[.]com/api/webhooks/1224075124005929020/kA4IFZrIXBl_d1Y4I0sMHhF1cZzXvC-yEo5HzSk6Jzq_I0k1PCc1idn4FmqSC2UMljdD


FILES

aabfbef31ab073d99c01ecae697f66bbf6f14aa5d9c295c7a6a548879381fb24

c9687714cf799e5ce9083c9afa3e622c978136d339fc9c15e272b0df9cd7e21c

d9d394cc2a743c0147f7c536cbb11d6ea070f2618a12e7cc0b15816307808b8a

c2c8a7050b28d86143f4d606a6d245b53c588bc547a639094fce857962246da4

be9ea302bcfb52fbfdf006b2df8357388cd4c078059aabc5b5928676c3361e50

9d3409852348caa65d28e674008dd6bb986eed4fb507957c7a8b73a41e00be70

b6e8b612e99c54dd98af1756f7c9b8a8c19e31ed9b2836878c2a5144563ff1b2

8a2f6d5f6cf7d1a7534454e3c3007337b71d7da470e86f7636eb02d68b2db8cc

df6156fdbbcc7b6f8c9cb4c5c1b0018fc3f1e1ca7d949b5538ec27dc86d026a4

5840f3e43a0c635be94b5fbf2e300d727545371b582361a52682b4a9e08bcebd

51ede75315d858209f9aa60d791c097c18d38f44b9d050b555ff1f4de0ae672d

d1865d2aaf11e3f8bccefe9c4847510234f14aaa5378ce9e8e97553537cf2ca1

9ba19d614af029c3c198b576ccdf1de87d80ac14b12103e8a15376229a2a7860

6063c8285e13d10eabbe363e2ab0d8748bcd595b470698e0cffee31ba255a566

d1a18b436f947611914ced09e4465b49807cec4f3a62b0973c9017b6d82c9f70

1cdd580176eeb4342a0333b50454da061e473358274e6e543df1411186c12042

ed59a797521db06abdf4c88dad7b1666e5978aaa6670a5952a55b7e11f7b790e

2ceae724f0e96e2d8c47296dd1e73ac592e22ee3288eabf11c8d039c6d6d4f8b

03983b56d8b1a6cc43109f6cd67a13666367595a2ea07766127cb1fe4d4bb1a5

9940da9d02d29489c3e26d27feb15b6f4bbf49547b962592125441917c952f12

fbf967295dac00f1e9cb67e9a40b6729b003dd12cf022eb15d626df09716442d

4e0a96ab28570936d095ac3910dcd239c7ceeb2b38a070468404584f8b902dd1

20009fd157a898ad6d50fae6b8127056c5b1f50e31f90f01d2e6c13e6b4c38f8
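The C2 domains, Discord webhooks and file hashes above are published defanged, so a practitioner has to refang them before they can be matched against logs. The following is an added example, not Fortinet's code: it refangs a subset of the indicators from this post and runs them over constructed DNS log lines, proxy log lines and a file-hash inventory. The log formats, client addresses and inventory paths are constructed for the example; only the indicator values come from the post.

```python
"""Refang and match the zEus IOCs against log lines and a hash inventory.

Added example, not Fortinet's code. The indicator values are copied from
the post; every log line, address and file path below is constructed.
"""
import re
from typing import List, Tuple

DEFANGED_IOCS = {
    "c2_domains": [
        "onlinecontroler[.]000webhostapp[.]com/",
        "panel-controller[.]000webhostapp[.]com/",
    ],
    "webhooks": [
        "hxxps[:]//discord[.]com/api/webhooks/1212818346157015070/"
        "2v0xe2vrxFGv65MRE9qvICmsJw-5e_pq_28xscGybiY1ScEyEiSKMC_zFffr3KkuAimX",
        "hxxps[:]//discord[.]com/api/webhooks/1212821302671581224/"
        "L30ylYucowXO_rm7sUpdwA8DLbYet6NyvUsNV60EP1o1HnF-2M-UPsvatVGQY0ctO9Vk",
    ],
    "sha256": [
        "aabfbef31ab073d99c01ecae697f66bbf6f14aa5d9c295c7a6a548879381fb24",
        "c9687714cf799e5ce9083c9afa3e622c978136d339fc9c15e272b0df9cd7e21c",
    ],
}


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxps, [.] and [:]) back into its real form."""
    out = value.replace("hxxps", "https").replace("hxxp", "http")
    out = out.replace("[:]", ":").replace("[.]", ".")
    return out.rstrip("/")


def webhook_id(url: str) -> str:
    """The numeric webhook id is the stable part of a Discord webhook URL."""
    m = re.search(r"/api/webhooks/(\d+)", url)
    return m.group(1) if m else ""


C2_DOMAINS = {refang(d).lower() for d in DEFANGED_IOCS["c2_domains"]}
WEBHOOK_IDS = {webhook_id(refang(u)) for u in DEFANGED_IOCS["webhooks"]}
BAD_HASHES = {h.lower() for h in DEFANGED_IOCS["sha256"]}

_DNS_QUERY = re.compile(r"query=(\S+)")
_URL = re.compile(r"https?://\S+")


def match_dns(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Flag DNS queries for the C2 domains (discord.com itself is not an IOC)."""
    hits = []
    for line in lines:
        m = _DNS_QUERY.search(line)
        if m and m.group(1).lower().rstrip(".") in C2_DOMAINS:
            hits.append(("c2-domain", m.group(1), line))
    return hits


def match_proxy(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Flag URLs whose host is a C2 domain or whose path carries a known webhook id."""
    hits = []
    for line in lines:
        for url in _URL.findall(line):
            wid = webhook_id(url)
            if wid and wid in WEBHOOK_IDS:
                hits.append(("discord-webhook", wid, line))
            host = re.sub(r"^https?://", "", url).split("/")[0].lower()
            if host in C2_DOMAINS:
                hits.append(("c2-domain", host, line))
    return hits


def match_hashes(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, sha256) pairs from a file inventory that match the IOC hashes."""
    return [(path, h) for path, h in inventory if h.lower() in BAD_HASHES]


# Constructed sample data (not from the post).
DNS_LOG = [
    "2024-05-07T10:00:01Z src=10.0.0.5 query=onlinecontroler.000webhostapp.com type=A",
    "2024-05-07T10:00:02Z src=10.0.0.5 query=discord.com type=A",
    "2024-05-07T10:00:03Z src=10.0.0.7 query=www.fortinet.com type=A",
]
PROXY_LOG = [
    "2024-05-07T10:00:05Z 10.0.0.5 POST " + refang(DEFANGED_IOCS["webhooks"][0]) + " 204",
    "2024-05-07T10:00:06Z 10.0.0.5 GET https://onlinecontroler.000webhostapp.com/ 200",
    "2024-05-07T10:00:07Z 10.0.0.7 GET https://discord.com/api/v9/users/@me 200",
]
INVENTORY = [
    (r"C:\Users\victim\Downloads\pack\sample.bat", DEFANGED_IOCS["sha256"][0]),
    (r"C:\Users\victim\Downloads\notes.txt", "0" * 64),  # placeholder hash
]

if __name__ == "__main__":
    for hit in match_dns(DNS_LOG) + match_proxy(PROXY_LOG) + match_hashes(INVENTORY):
        print(hit)
```

Two caveats follow from the indicators themselves. A DNS or SNI match on discord.com says nothing, because the service is legitimate; the discriminator is the webhook id in the URL path, which is only visible with TLS inspection or in endpoint telemetry (for example the command line of the process that posts the screenshot). The hash list only catches the samples already analysed, so the behavioural artefacts (the Run values and the STEALER folder) are the more durable detection.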

Tags:

info stealer malware

