Malware Uses Multiple Distribution Points

Monday, September 15, 2014 @ 07:09 PM gHale

Zemot dropper is a version of the Upatre malware downloader that benefits from multi-distribution points including compromised websites as well as the Asprox/Kuluoz spam botnet.

Microsoft noticed activity from TrojanDownloader:Win32/Upatre.B back in late 2013 and determined bad guys liked using it for the distribution of two pieces of click-fraud malware (PWS:Win32/Zbot.gen!AP and PWS:Win32/Zbot.CF).


In May 2014, the company decided to rename Upatre.B to Zemot in order to differentiate the two threats, which are similar in nature but differ enough to warrant labeling Zemot a new malware family.

Zemot is part of a network with a complex structure that involves various types of malware. Researchers said the dropper gets to the victim’s computer through exploit kits Magnitude and Nuclear Pack, or it can end up distributed via Kuluoz spam-sending botnet.

Once Zemot is on the system, it starts funneling in click-fraud malware. However, Microsoft said other types of threats have also been distributed (Rovnix, Viknok and Tesch), which can download new malware or steal sensitive information.

It is a complex infection chain that can rely on several droppers until the payload for the info-stealing malware reaches the infected computer.

In its analysis, Microsoft researchers said Zemot employs several techniques to ensure the downloaded module will run successfully on all Windows platforms.

It also stores all downloaded files under unique file names, which not only helps it evade detection but also increases the number of infections on the same machine.

Furthermore, Microsoft said “modules such as getting the OS version, user privilege, URL parsing and the downloading routine are taken from the Zbot source code.”

Another difference in the Zemot family is that multiple variants can end up distributed with other malware, since one dropper can spread multiple malicious payloads.

In a blog post published September 9, Microsoft said the routines for removing the Zemot family from an affected system have already been integrated into the Malicious Software Removal Tool.
