Silent Night: A New Malware-as-a-Service Banking Trojan Analyzed
Silent Night is a new sophisticated and heavily obfuscated Zloader/Zbot, ZeuS-derived banking trojan.
In March 2020, both FireEye and IBM reported a malicious campaign targeting COVID-19 financial compensation schemes. FireEye called the malware payload ‘SILENTNIGHT’; IBM described it as a ZeuS Sphinx/Terdot variant. Together they are right. Silent Night is a new ZeuS derivative, currently being offered under the malware-as-a-service (MaaS) model.
Malwarebytes (PDF) and HYAS have jointly published a detailed analysis of this new malware. Silent Night version 1.0 was compiled in November 2019. At around the same time, it was offered for sale on the Russian underground forum, forum.exploit[.]in, by a seller known as Axe. Axe claims it as his own banking trojan, and says he has spent more than 5 years developing it. But while it is certainly new, the Malwarebytes/HYAS analysis demonstrates its debt to both the original ZeuS and more recent derivatives such as Terdot.
The price is steep for MaaS: $4,000 per month for a unique build; $2,000 per month for the general build; and $500 just to test it for 14 days. In general, MaaS is used to attract the huge market of less experienced or wannabe hackers with a low-cost, easy-to-use supported malware — while simultaneously providing the developer with a steady income stream. Infostealers are common MaaS offerings.
Priced at $4,000 per month, Axe seems to be targeting a different market — perhaps the smaller number of better-financed organized gangs with a ready-made distribution and laundering infrastructure who still wish to use commodity, but sophisticated, malware. It has already been seen being dropped by the RIG exploit kit, and used in a COVID-19 spam campaign targeting the U.S., Canada and Australia with weaponized Word documents. A more recent campaign uses Excel sheets with embedded macros, while yet another uses an attached VBS script.
One stand-out feature of Silent Night is the extent of its obfuscation. It uses a custom specially developed obfuscator that morphs all code and encrypts strings and all constant values within the code. The output, say the researchers, is a very confusing code without any serious effect on performance. “Decryption of lines occurs on the fly on demand, which will be stored temporarily on the stack,” write the researchers. “Decryption of constant values also occurs on the fly, for each of which has its own unique function of decryption… Thus, with each assembly we get a unique file and any signature will be knocked down in one click.”
The researchers also found a Silent Night user manual, which gave them insight into the different features within the malware. Interestingly, the researchers found a list of available commands embedded in one of the modules. This list includes all the commands described in the user manual, but with a few extras, such as fetching files and getting passwords. The implication is that Axe is continuing to develop and extend the malware’s capabilities.
The attack starts with the Silent Night loader, most commonly delivered as an attachment. If the MaaS Silent Night model becomes more widely used by criminal gangs, we will most likely see additional methods of distribution. When executed, it runs msiexec and injects itself there. The loader then retrieves the Silent Night bot from either the C2 server, or from local storage, and injects it into the same instance of msiexec.
Major functionality in the bot includes a VNC server, a man-in-the-browser local proxy, and stealer functionality. The VNC server gives the attacker remote access and runs in background while the malware is operational.
The man-in-the-browser functionality provides both formgrabbing and webinjects. The malware installs its own fake certificate and runs a local proxy.
The bot can also operate as a classic stealer. One of the threads from the main function is responsible for stealing cookies, saved credentials and files. However, the commands accumulated in this thread can be also executed separately, on demand, by deploying dedicated remote commands.
Silent Night is well-written with an improved modular design over previous ZeuS derivatives (such as Terdot), rather than revolutionary. “Apart from the custom obfuscator,” say the researchers, “there is not much novelty in this product. The Silent Night is not any game changer, but just yet another banking Trojan based on ZeuS.” Having said that, it is worth remembering that the obfuscator effectively creates new code every time it is used. This may be ‘yet another banking Trojan’, but it is not one that will be easily detected by signature detection alone.