The Zeus Malware and Money Laundering Report

I've come across two incidents within three days, both seemingly isolated but, according to an FBI news release (January 2012), were actually two stages of a single money-laundering operation.

The Case Studies

The first incident recently happened to a friend of mine. At first, it appeared he was billed a small amount by a hosting provider in the United States, and given the small amounts involved, the most likely motive was identity fraud. Most commercial web hosting require someone's bank account or credit card details to obtain, which leaves criminals with a slight problem: If they used their own accounts, the activity would be easily attributable to them. On the other hand, if stolen credit card details were used to pay for the hosting, and it was administrated through a proxy, the criminal would become practically untraceable. So my immediate thought was this is what happened. However, I had the name of the firm involved, and a little online searching revealed the incident was related to something different: a theft and laundering scheme. The money was taken from the victim's account, then relayed through other victims who believed they were conducting 'test transactions' for a legitimate company. But how were the account details stolen? It can happen through good old fashioned social engineering and well-crafted malware. As luck would have it, my spider's web caught the following email a couple of days later:
Date:Fri,9Nov201211:09:06+0300[11/09/1208:09:06GMT] From:noreply@direct.nacha.org<blendedz@taskmortgage.com> To:*******@**********.co.uk Subject:Re:yourDirectDepositpaymentID538680568136 Weregrettonotifyyou,thatyourlatestDirectDepositviaACHtransaction (IN988228175914)wasdisallowed,becauseyourcurrentDirectDepositsoftware versionwasoutofdate.Thedetailsregardingthismatterareavailableinour securesection::

<linkhere> Pleaseconsultwithyourfinancialinstitutiontoacquireyourupdatedversionof thesoftwareneeded. Sincerelyyours ACHNetworkRulesDepartment NACHA|TheElectronicPaymentsAssociation

The email looks genuine, it has an order ID number, and both sender addresses here belong to legitimate companies. But as with most email scams, this one doesn't include the recipient's full name (or other personal details). As we'll see, the email wasn't actually sent by NACHA. So, the link took me to an insecure, non-functioning orders page hosted by some Indian service provider. In this case the link should have pointed to an installer (disguised as a 'Direct Deposit program') planted there by the criminal for a variant of the Zeus malware. If installed on the average PC, the malware would later exfiltrate whatever bank account details to a C&C server. It might also provide some remote access functions for the attacker, or add the victim's computer to a botnet. Unfortunately there was no malware here to download and play around with. In short, the email was crafted to trick the recipient into installing Trojan malware. There are numerous versions of this, involving fake sites, online forms designed to look like the real thing, etc. What else is happening? Let's look at some information hiding in the the email's extended headers:
ContentType:multipart/alternative;boundary="07030900108010508050501" Date:Fri,9Nov201211:09:06+0300[11/09/1208:09:06GMT] From:noreply@direct.nacha.org<blendedz@taskmortgage.com> MIMEVersion:1.0MessageID:<********.*******@afet.or.th> Received: (qmail10237invokedfromnetwork);9Nov201215:08:29+0000fromunknown(HELO afet.or.th)(***.***.***.***)by******.*******.comwithSMTP;9Nov201215:08:29 +0000fromriahfrgtdjggshirf(192.168.1.52)byriahfrgtdjggshirf.tcsn.net (***.***.***.***)withMicrosoftSMTPServerid8.0.***.***;Fri,9Nov2012 11:09:06+0300

The extended headers, particularly the Received field, are very useful in these situations because they identify the server that originally sent the email and how the email was routed. Reading from the bottom up, we can see it was authored by someone with the email address riahfrgtdjggshirf@tcsn.net, using a mail server at <IP address>. Both InfoSniper and whois searches revealed this IP address belonged to someone in The Peoples' Republic of Belarus, and since it was a fixed address, it most likely belonged to another hosting provider.

Summary
As I've mentioned, the FBI news release pointed out a connection between those sending the fake NACHA emails, and the incident in which money was taken from a victim's account as part of the Web Star fraud. Assuming that news release was accurate, the following would have happened: A scam email is sent out by a mail server in The Peoples' Republic of Belarus, socially engineering people into downloading an installer for a variant of the Zeus malware. Once installed on the victim's computer, the malware sends the bank account details to a C&C server run by the attacker. In this case, the attacker bills the victims' accounts, transferring the money to several other victims who relay it to another criminal in the belief they're conducting transactions for a legitimate company as part of a 'work from home' scheme.

References
BOBBEAR. 2009. Web Star Fraud. [WWW]. http://www.bobbear.co.uk/archived_frauds/webstar.html. (10th November 2012). FEDERAL BUREAU OF INVESTIGATION. 2012. Malware Targets Bank Accounts. [WWW]. http://www.fbi.gov/news/stories/2012/january/malware_010612. (10th November 2012). GFI LABS. 2012. GFI Software - Malicious spam alerts. [Online Image]. http://gfisoftware.tumblr.com/post/34700052148/malicious-nacha-direct-deposit-spam. (10th November 2012). WIKIPEDIA. 2012. Zeus (Trojan Horse). [WWW]. http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse %29. (10th November 2012).
XeroCrypt Security and Forensics https://xerocrypt.wordpress.com