The Silent Night Zbot, a new variant of the infamous ZeuS banking trojan that wreaked havoc in mid-2009, may be impressive in its design, but it is “not any game changer,” according to a deep-dive report from Malwarebytes and HYAS.
Calling Silent Night “yet another banking Trojan based on ZeuS,” the 186-page report praised the malware’s design for being consistent and clean. “The author’s experience shows throughout the code,” researchers said. “Yet, apart from the custom obfuscator, there is not much novelty in this product.”
Researchers compared the functionality of the malware and its Command-and-Control (C2) panel with those of other Zbots that have been popular in recent years, including the Terdot fork, one of the many ZeuS iterations that have emerged since the original was first discovered in July 2007.
While the bot’s design uses the ZeuS code as a template, much work has been done on modifying and modernizing it. Conceptually it is very close to Terdot, “yet rewritten with an improved, modular design,” according to the report.
Silent Night’s initial sample is a downloader, fetching the core malicious module and injecting it into various running processes.
Chatter about Silent Night, named after a Soviet-made binary chemical weapon, was first seen on Nov. 9, 2019 on forum.exploit[.], an underground Russian forum.
Regarding distribution, Zloader (the name under which Silent Night is also tracked) was observed on Dec. 23, 2019 being dropped by the RIG Exploit Kit. “At the beginning, since it was soon after the first release of this malware, the campaigns were small, and appear to be for testing purposes,” the report said. “The spreading intensified over time, and the distribution switched to mostly phishing emails.”
The malware’s developer, known as Axe, said he worked on the project for more than five years (more than 15,000 hours).
Silent Night is expensive to buy: $4,000 per month for a unique build, $2,000 per month for a general build, an extra $1,000 per month for HVNC functionality, and $500 for a 14-day test.
“Based on the analysis of the bot’s configurations, we may confidently say that there is more than one customer of the ‘Silent Night,’” the report said.
Silent Night offers web injections and form-grabber support for Google Chrome, Firefox and Internet Explorer (all of which can also get cookie-grabber support), while its HiddenVNC works on all OSs with the latest browser versions except Edge. Stolen cookies can be downloaded in NETSCAPE, JSON and PLAIN formats. A SOCKS5 session starts in one click on the bot page in the admin panel.
The malware’s server-side utility for the backconnect works only under Windows. Its keylogger reports can be searched by process name, window title and content; screenshots can be searched by process name and window title.
An obfuscator written for the bot morphs all of the code and encrypts strings as well as every constant value in the code.
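To make concrete why encrypting strings and constants matters for detection, here is an added, constructed illustration; it is not Silent Night’s actual obfuscator (the report describes that one as custom) and not code from Malwarebytes or HYAS. It pairs a toy obfuscator that XORs each string literal under its own key and splits each constant into two operands with the small helper an analyst would write to recover them from a dumped table. The record layout (8-byte key, little-endian length, ciphertext), the key size and the sample strings are all assumptions made for this example.

```python
"""Toy string/constant obfuscation and the matching recovery helper.

Constructed example: the record format and keys are assumptions, not the
scheme used by Silent Night. The point it demonstrates is that once literals
are encrypted per string and constants are split, a static signature on the
cleartext (a C2 URL, a user agent, a known CRC polynomial) no longer matches
the built binary, while an analyst with the layout can still recover them.
"""
import os
import struct
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key`; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_string(plaintext: bytes, key: Optional[bytes] = None) -> bytes:
    """Obfuscator side: emit one record [8-byte key][u16 LE length][ciphertext].

    The plaintext bytes never appear in the output, which is what defeats a
    cleartext string signature.
    """
    key = key or os.urandom(8)
    if len(key) != 8:
        raise ValueError("key must be 8 bytes in this toy format")
    return key + struct.pack("<H", len(plaintext)) + xor_bytes(plaintext, key)


def split_constant(value: int, salt: int) -> Tuple[int, int]:
    """Hide a 32-bit constant as operands (a, b) with value == (a - b) mod 2**32.

    With a non-zero salt neither operand equals the original value, so a
    scanner looking for the raw constant finds nothing.
    """
    return (value + salt) & MASK32, salt & MASK32


def recover_constant(a: int, b: int) -> int:
    """Analyst side: undo split_constant()."""
    return (a - b) & MASK32


def extract_strings(blob: bytes) -> List[bytes]:
    """Analyst side: walk a table of records and decrypt each one.

    Stops quietly at a truncated trailing record instead of raising, since
    dumped tables from memory are frequently cut short.
    """
    out: List[bytes] = []
    off = 0
    while off + 10 <= len(blob):
        key = blob[off:off + 8]
        (length,) = struct.unpack_from("<H", blob, off + 8)
        start = off + 10
        if start + length > len(blob):
            break  # truncated record
        out.append(xor_bytes(blob[start:start + length], key))
        off = start + length
    return out


def cleartext_present(blob: bytes, needle: bytes) -> bool:
    """What a naive string signature effectively does: a raw substring search."""
    return needle in blob


# Constructed sample strings of the kind a banking bot carries (assumed values).
SAMPLE_STRINGS = [
    b"https://example.invalid/gate.php",
    b"Mozilla/5.0 (constructed user agent)",
]
# Fixed keys so the example is deterministic; a real obfuscator would randomize.
SAMPLE_TABLE = b"".join(
    pack_string(s, key=bytes([0x11 + i] * 8)) for i, s in enumerate(SAMPLE_STRINGS)
)

if __name__ == "__main__":
    print("cleartext URL in table:", cleartext_present(SAMPLE_TABLE, SAMPLE_STRINGS[0]))
    print("recovered:", extract_strings(SAMPLE_TABLE))
    a, b = split_constant(0xEDB88320, 0x1234ABCD)
    print(hex(a), hex(b), "->", hex(recover_constant(a, b)))
```

The practical lesson is the one the report implies: against a build where every literal and constant is hidden this way, signatures should target the decoding routine and the record layout rather than the strings themselves, and a dump taken after the bot has decrypted its strings in memory is the cheapest place to recover them.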