
CTI Roundup: Zloader Returns, VexTrio TDS, and Kasseika Ransomware

Zloader returns from hiatus, VexTrio brokers malware for over 60 affiliates, and Kasseika ransomware launches BYOVD attacks


In this week’s roundup, CTI looks at Zloader, a modular trojan that reemerged with a new iteration after an almost two-year hiatus. Next, CTI investigates VexTrio, a newly documented entity that has built partnerships with dozens of threat actors and malware developers as part of a large criminal affiliate program. Finally, CTI wraps up with a look at Kasseika ransomware and its possible ties to BlackMatter.

1. Zloader returns from hiatus

The modular Zloader trojan has reemerged with a new iteration after a hiatus that lasted almost two years.

The new variant includes new obfuscation techniques, a revised domain generation algorithm (DGA), RSA encryption for network communications, and support for 64-bit versions of Windows.

What is Zloader?

The Zloader trojan stems from the Zeus banking trojan that was discovered in 2007. The malware is notable for evolving from campaign to campaign and has continuously received updates since its emergence.

In April 2022, Microsoft took action against Zloader, working with telecommunication providers to disrupt the malware’s infrastructure. The malware largely went quiet after that disruption, until the new variant surfaced.

Anti-analysis techniques

The new variant uses API import hashing, junk code, a filename check, and string obfuscation to hinder analysis. The binary imports only a handful of functions from kernel32; the remaining imports are resolved at runtime by checksum. Older Zloader versions used the same approach, but the new implementation XORs the checksum with a constant that changes from sample to sample, so a hash-to-name table built for one sample does not resolve the imports of another.
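The practical consequence of a per-sample XOR constant is shown by the following added example (not Zloader’s own code): a resolver that maps import checksums back to API names must be rebuilt with each sample’s constant. The hash function here is a stand-in (CRC32 of the export name XORed with the constant); the page does not describe Zloader’s real checksum routine, and the candidate API list is a constructed subset.

```python
"""Added example: resolving hashed imports when the hash includes a per-sample
XOR constant. The checksum below is a stand-in (CRC32 ^ constant), NOT the
routine Zloader uses; the point is the workflow, not the constants."""
import zlib
from typing import Dict, Iterable, List, Optional

# Constructed candidate list. A real table would be built from the export
# directories of kernel32, ntdll, advapi32, wininet and so on.
CANDIDATE_APIS: List[str] = [
    "CreateFileW", "WriteFile", "VirtualAlloc", "LoadLibraryA",
    "GetProcAddress", "CreateProcessW", "InternetOpenA", "HttpSendRequestA",
]


def api_hash(name: str, xor_const: int) -> int:
    """Stand-in checksum: CRC32 of the ASCII export name, XORed with the
    sample-specific constant and truncated to 32 bits."""
    return (zlib.crc32(name.encode("ascii")) ^ xor_const) & 0xFFFFFFFF


def build_lookup(xor_const: int, candidates: Iterable[str] = CANDIDATE_APIS) -> Dict[int, str]:
    """Hash every candidate export under this sample's constant. Because the
    constant differs per sample, this table must be regenerated per sample."""
    return {api_hash(n, xor_const): n for n in candidates}


def resolve_imports(hashes: Iterable[int], xor_const: int) -> Dict[int, Optional[str]]:
    """Map checksums recovered from a sample back to API names.
    Unknown hashes (wrong constant, or an export not in the candidate list)
    resolve to None rather than being guessed."""
    table = build_lookup(xor_const)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    sample_const = 0x5A3C9F01  # constructed: recovered from one sample
    wanted = [api_hash("VirtualAlloc", sample_const), api_hash("CreateFileW", sample_const)]
    print(resolve_imports(wanted, sample_const))
    # The same checksums under a different sample's constant resolve to nothing.
    print(resolve_imports(wanted, 0x11223344))
```

Once the constant has been recovered from a sample (for example by brute-forcing it against a known export such as LoadLibraryA), `build_lookup` gives the table an analyst loads into the disassembler to annotate the resolved calls.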

The new Zloader variant also includes an anti-sandbox check: it proceeds with its routine only when executed under a specific file name and exits otherwise, which defeats sandboxes that rename submitted samples before running them.

Static configuration encryption

Zloader’s static configuration is still encrypted the same way in this variant, but its structure has changed slightly: the botnet ID, campaign name, and C2 addresses now sit at fixed offsets, and an RSA public key replaces the RC4 key that earlier versions stored in the configuration.

Researchers have observed 15 new Zloader samples that all carry the same RSA public key, which suggests that a single threat actor is currently using the malware.

Domain generation algorithm

If the primary C2 server is unavailable, the malware falls back to a DGA. The algorithm has changed from earlier variants and no longer uses a different seed per botnet.

It generates 32 domains per day, seeded from the local system time at midnight. Each generated domain is 20 characters long and uses the .com TLD. Because the seed depends only on the date, a defender who has reverse engineered the algorithm can precompute each day’s 32 candidate domains for blocking or for matching against DNS logs.
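The following added example (not Zloader’s code) shows the defender’s side of a date-seeded DGA with the shape described above: 32 domains per day, 20 lowercase characters each, .com TLD, seed taken from local midnight. The seed encoding and the mixing step are placeholders chosen for this example, so the domains it emits are not indicators; the DNS log lines are constructed.

```python
"""Added example: a date-seeded DGA of the described shape plus the
precompute-and-match workflow a defender runs against it. The seed encoding
(FILETIME ticks truncated to 32 bits) and the LCG step are assumptions for
this example; they are NOT Zloader's real algorithm."""
from datetime import date, datetime, timedelta
import string
from typing import Dict, Iterable, List, Tuple

DOMAINS_PER_DAY = 32
LABEL_LENGTH = 20
TLD = ".com"
_EPOCH_1601 = datetime(1601, 1, 1)  # Windows FILETIME epoch


def seed_for_day(day: date) -> int:
    """Seed from local midnight of `day`: 100 ns FILETIME ticks, low 32 bits."""
    midnight = datetime(day.year, day.month, day.day)
    ticks = int((midnight - _EPOCH_1601).total_seconds()) * 10_000_000
    return ticks & 0xFFFFFFFF


def generate_domains(day: date) -> List[str]:
    """Deterministically derive the day's 32 candidate C2 domains."""
    state = seed_for_day(day)
    domains = []
    for _ in range(DOMAINS_PER_DAY):
        label = []
        for _ in range(LABEL_LENGTH):
            # Placeholder LCG (Numerical Recipes constants); not Zloader's step.
            state = (state * 1664525 + 1013904223) & 0xFFFFFFFF
            label.append(string.ascii_lowercase[(state >> 16) % 26])
        domains.append("".join(label) + TLD)
    return domains


def precompute_window(start: date, days: int) -> Dict[str, date]:
    """Map every candidate domain in [start, start + days) to its day, so a
    hit in the logs also tells you which day's set the bot was using."""
    table: Dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for domain in generate_domains(day):
            table[domain] = day
    return table


def match_dns_log(lines: Iterable[str], table: Dict[str, date]) -> List[Tuple[str, date]]:
    """Return (qname, day) for each log line whose qname is a DGA candidate.
    Log lines are constructed here in a space-separated key=value format."""
    hits = []
    for line in lines:
        for field in line.split():
            if field.startswith("qname="):
                qname = field[len("qname="):].rstrip(".").lower()
                if qname in table:
                    hits.append((qname, table[qname]))
    return hits


if __name__ == "__main__":
    today = date(2024, 1, 22)
    table = precompute_window(today, 7)
    sample_log = [  # constructed DNS log lines
        "ts=2024-01-22T09:12:03Z src=10.0.0.5 qname=" + generate_domains(today)[3] + ".",
        "ts=2024-01-22T09:12:04Z src=10.0.0.5 qname=www.example.com.",
    ]
    print(match_dns_log(sample_log, table))
```

Precomputing a window of several days on either side of today matters in practice because the bot seeds from local system time, so a host with a skewed clock queries a neighbouring day’s set.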

Network communications

Zloader’s network communications have changed only slightly. It still talks to its C2 over HTTP POST requests, but the message body is now protected with 1,024-bit RSA in combination with RC4 and the Zeus “visual encryption” routine.

More specifically, the malware uses the custom Zeus BinStorage format: the first 128 bytes of a message hold the RSA-encrypted RC4 key (128 bytes being the ciphertext size of a 1,024-bit modulus), and the remaining bytes are encrypted with that RC4 key.
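As an added example (not Zloader’s code), the envelope layout just described can be modelled end to end: a 128-byte key block followed by a body that is visual-encrypted and then RC4-encrypted with the wrapped key. RC4 and the Zeus visual-encryption XOR chain are implemented in full; the RSA wrapping of the key is replaced by a clearly labelled stub so the block runs without a crypto library, and the payload is constructed.

```python
"""Added example: building and parsing a BinStorage-style envelope
[128-byte key block][RC4(visual_encrypt(payload))]. RC4 and the Zeus
'visual encryption' (running XOR of each byte with its predecessor) are real
implementations; wrap_key_stub/unwrap_key_stub stand in for RSA-1024 and
provide NO confidentiality."""
import os

RSA_BLOCK_LEN = 128   # a 1,024-bit RSA ciphertext is exactly 128 bytes
RC4_KEY_LEN = 16      # assumption for this example


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: KSA followed by PRGA keystream XOR. Symmetric."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def visual_encrypt(data: bytes) -> bytes:
    """Zeus visual encryption: forward XOR chain, buf[i] ^= buf[i-1]."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def visual_decrypt(data: bytes) -> bytes:
    """Inverse of visual_encrypt: walk backwards so buf[i-1] is still ciphertext."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def wrap_key_stub(rc4_key: bytes) -> bytes:
    """STUB for RSA-1024 encryption of the session key: pads the key to the
    128-byte ciphertext size with random bytes. Not encryption."""
    if len(rc4_key) != RC4_KEY_LEN:
        raise ValueError("expected a %d-byte RC4 key" % RC4_KEY_LEN)
    return rc4_key + os.urandom(RSA_BLOCK_LEN - RC4_KEY_LEN)


def unwrap_key_stub(block: bytes) -> bytes:
    """STUB for RSA private-key decryption of the 128-byte key block."""
    return block[:RC4_KEY_LEN]


def build_request(payload: bytes, rc4_key: bytes = b"") -> bytes:
    """Bot side: fresh RC4 key, visual-encrypt then RC4 the payload,
    prepend the wrapped key block."""
    key = rc4_key or os.urandom(RC4_KEY_LEN)
    body = rc4(key, visual_encrypt(payload))
    return wrap_key_stub(key) + body


def parse_request(blob: bytes) -> bytes:
    """C2 side: split the envelope, unwrap the key, undo RC4 then visual."""
    if len(blob) <= RSA_BLOCK_LEN:
        raise ValueError("truncated envelope: no body after the key block")
    key = unwrap_key_stub(blob[:RSA_BLOCK_LEN])
    return visual_decrypt(rc4(key, blob[RSA_BLOCK_LEN:]))


if __name__ == "__main__":
    msg = b"botnet=example&cmd=get_config"  # constructed payload
    env = build_request(msg)
    print(len(env), parse_request(env))
```

Decryption order matters: RC4 is removed first and the visual chain second, mirroring how they were applied. The 128-byte split is also the first sanity check a C2 emulator or decoder should make, because a body shorter than that cannot carry a key block at all.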

Analyst comments from Tanium’s Cyber Threat Intelligence team

Zloader was a widely used malware family before the 2022 disruption. Its reemergence after an operational takedown confirms that takedowns are not always a definitive way to dismantle a threat and can sometimes push an operator to return with a more sophisticated build.

Zloader’s updated features are on par with many current malware families, which makes it worth tracking and monitoring.

2. VexTrio brokers malware for over 60 affiliates

Researchers have uncovered a new entity known as VexTrio which has established partnerships with dozens of threat actors and malware developers as part of a large criminal affiliate program.

Infoblox believes the scale of VexTrio activities — along with the number of connections it has within the cybercrime industry — potentially makes this group the single largest malicious traffic broker.

About VexTrio

VexTrio has been active since at least 2017, and Infoblox has tracked it for about two years. Because VexTrio is a traffic broker rather than the operator of any single malware family, it is not surprising that it went unnoticed for so long.

Infoblox notes that VexTrio is the single most pervasive threat in their customers’ networks, identifying its presence in over half of their customer networks in the past two years.

VexTrio’s core business is brokering traffic for cybercriminals, and researchers believe it has partnered with at least 60 affiliates. It operates a traffic distribution system (TDS) that routes compromised traffic to various forms of malicious content. Among its many affiliates, Infoblox concluded that the SocGholish and ClearFake operations pass victims to VexTrio.

Researchers have also observed VexTrio attack chains involving multiple actors, with as many as four in a single attack sequence.

The role of TDS servers in VexTrio’s affiliate network

TDS servers play a vital role in VexTrio’s affiliate network, and how VexTrio configures and manages them is critical to its long-term success.

A TDS inspects a visitor’s profile (attributes such as browser, device, and geolocation) and checks it against VexTrio’s targeting criteria. If it matches, the TDS redirects the visitor to malicious content. This lets threat actors filter traffic so that only visitors who fit the desired profile ever reach the malicious content, which also keeps researchers and crawlers that do not fit the profile from seeing it.

A VexTrio attack chain can include multiple TDS servers that collectively control the entire flow of web traffic from start to finish.

VexTrio’s business model

The VexTrio affiliate program works much like a legitimate marketing affiliate network. A typical attack involves infrastructure owned by several entities, each forwarding traffic from its own resources to VexTrio-controlled TDS servers.

VexTrio then relays that traffic to the malicious sites of other threat actors. Because the activity closely resembles benign advertising traffic, Infoblox warns that it is easily dismissed as harmless.

VexTrio’s affiliates

VexTrio’s ecosystem has many participants. VexTrio tags traffic with URL query parameters, and by analyzing URL patterns researchers determined that particular combinations of parameter values identify an individual affiliate member.

Infoblox provided an overview of two VexTrio affiliates:

  • ClearFake: ClearFake is a malicious JavaScript framework that dynamically presents website visitors with harmful content via an HTML iframe. When the victim clicks the fake browser-update button, malware is installed. Over the past few months, the ClearFake operator has forwarded victim traffic to a small set of VexTrio TDS domains with consistent parameter values, using the commercial Keitaro TDS to redirect traffic to the VexTrio TDS URL.
  • SocGholish: SocGholish is a notorious JavaScript-based malware that has been active since 2017. Its operators have been VexTrio affiliates since at least early 2022 and monetize web traffic by redirecting victims to VexTrio TDS servers.
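The parameter-based attribution described above can be reproduced on a small scale with the following added example (not Infoblox’s tooling): redirect URLs seen by a proxy or DNS sensor are fingerprinted by the query-parameter values that stay constant for one upstream affiliate, then grouped. The hostnames, the parameter names (cid, src) and the URLs themselves are constructed for this example; the page does not name VexTrio’s real parameters.

```python
"""Added example: grouping TDS redirect URLs into affiliates by the query
parameters whose values stay constant per upstream partner. AFFILIATE_KEYS and
SAMPLE_REDIRECTS are constructed assumptions, not VexTrio's real scheme."""
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Assumption: the values of these two parameters together identify an affiliate.
AFFILIATE_KEYS = ("cid", "src")

# Constructed redirects as a sensor might record them: three distinct
# (cid, src) pairs across two TDS hosts, plus one untagged request.
SAMPLE_REDIRECTS = [
    "https://tds-a.example/?cid=1041&src=fakeupdate&r=blog1",
    "https://tds-b.example/?cid=1041&src=fakeupdate&r=blog2",
    "https://tds-a.example/?cid=2210&src=fakeupdate&r=news1",
    "https://tds-a.example/?cid=1041&src=injectedjs&r=shop1",
    "https://tds-a.example/?r=direct",
]


def affiliate_fingerprint(url: str) -> Optional[Tuple[str, ...]]:
    """Return the tuple of affiliate-identifying parameter values, or None
    when any of them is missing (untagged traffic is not attributed)."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if not all(k in params for k in AFFILIATE_KEYS):
        return None
    return tuple(params[k] for k in AFFILIATE_KEYS)


def cluster_by_affiliate(urls: Iterable[str]) -> Dict[Tuple[str, ...], dict]:
    """Group URLs by fingerprint, recording hit count and the TDS hosts each
    affiliate was seen using. Shared hosts across clusters are the evidence
    that one broker (the TDS operator) serves several upstream partners."""
    clusters: Dict[Tuple[str, ...], dict] = defaultdict(lambda: {"hosts": set(), "count": 0})
    for url in urls:
        fp = affiliate_fingerprint(url)
        if fp is None:
            continue
        host = (urlsplit(url).hostname or "").lower()
        clusters[fp]["hosts"].add(host)
        clusters[fp]["count"] += 1
    return dict(clusters)


def tds_hosts(clusters: Dict[Tuple[str, ...], dict]) -> Dict[str, int]:
    """Count how many distinct affiliates each TDS host serves."""
    per_host: Dict[str, int] = defaultdict(int)
    for info in clusters.values():
        for host in info["hosts"]:
            per_host[host] += 1
    return dict(per_host)


if __name__ == "__main__":
    found = cluster_by_affiliate(SAMPLE_REDIRECTS)
    for fp, info in found.items():
        print(fp, info["count"], sorted(info["hosts"]))
    print(tds_hosts(found))
```

The attribution only holds if the chosen parameters really are affiliate identifiers rather than per-visitor values; in practice that is checked by confirming the same tuple recurs over weeks from the same upstream compromised sites, as Infoblox did for ClearFake.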

Analyst comments from Tanium’s Cyber Threat Intelligence team

VexTrio is yet another example of how business-like the cybercriminal ecosystem can be. Its unique business model has enabled it to create partnerships with a multitude of threat actors, including those behind some well-known malware.

VexTrio makes attack chains involving multiple threat actors possible, which increases the potential severity of an attack and makes attribution even harder than it already is.

Infoblox’s investigation into VexTrio is especially impressive given how complex and intertwined the entity is. Their analysis is incredibly thorough and worth the read.

3. Kasseika ransomware launches BYOVD attacks

Trend Micro took a deep dive into Kasseika ransomware and found indicators suggesting that the threat actor behind it may have obtained the source code of the notorious BlackMatter ransomware.

Kasseika ransomware is one of the latest operations to join the trend of bring-your-own-vulnerable-driver (BYOVD) attacks.

Infection chain and overlap with BlackMatter

Kasseika begins its attack with a highly targeted phishing email carrying a link. After harvesting credentials, the operators use remote administration tools to gain privileged access and move laterally.

Like other ransomware operations, Kasseika abuses PsExec to execute its malicious files, and it has joined the many operations that terminate antivirus processes and services before deploying ransomware. In the latest Kasseika attacks, a script first checks for a running process named Martini.exe; if one is found, the script terminates it, ensuring that only one instance of the process runs on the machine.

Trend Micro saw several indicators that resemble BlackMatter, including the pseudo-random extension appended to encrypted files and the use of that extension in the ransom note’s file name. A deeper dive revealed that the bulk of the source code in this attack came from BlackMatter.

For background, BlackMatter is believed to be a rebrand of DarkSide ransomware, and the BlackCat ransomware operation is thought to have been built on that same lineage.

KILLAV mechanism and martini.exe

Martini.exe first checks whether the Martini driver was successfully downloaded to the machine. The signed driver, Martini.sys, was originally named viragt64.sys and is part of TG Soft’s VirIT Agent System; the threat actor exploits vulnerabilities in this legitimate, signed driver to disable security tools, which is the bring-your-own-vulnerable-driver pattern. If Martini.sys is not present on the machine, the malware simply terminates.

If Martini.sys is present, the malware creates and starts a service for it and then opens a handle to the loaded driver with CreateFileW. Martini.exe continuously enumerates running processes and, whenever it finds one on its kill list, passes that target to the driver so it can be terminated with kernel privileges. Trend Micro published the full list of at least 991 targeted process names in its report.

The kill list covers applications related to process monitoring, system monitoring, and various analysis tools; the ransomware discovers running processes belonging to them and terminates itself if any are present. The ransomware’s files are then staged from a network share into a local directory before the ransomware binary, smartscreen_protected.exe, is launched.
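The loading sequence above (a new kernel-mode driver service, a driver dropped outside the Windows driver directories, and tooling with the names from the report) is what a detection should key on. The following added example (not Trend Micro’s or Kasseika’s code) runs that logic over constructed Windows event records: System log Event ID 7045 service installations and process-creation records. The driver names come from the report; the hash blocklist is left empty because this page does not give hash values, and the paths and record layout are constructed.

```python
"""Added example: BYOVD / KILLAV detection logic over constructed event
records. Event ID 7045 (service installed) is checked for kernel-mode drivers
loaded from outside trusted driver directories and for the driver names in
the report; process records are checked for the tooling names. Hash values
are not on this page, so ABUSED_DRIVER_SHA256 is an empty placeholder."""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

ABUSED_DRIVER_NAMES = {"martini.sys", "viragt64.sys"}     # from the report
ABUSED_DRIVER_SHA256: set = set()                         # fill from a vetted BYOVD list
SUSPECT_PROCESS_NAMES = {"martini.exe", "smartscreen_protected.exe"}
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")
SERVICE_INSTALL_EVENT = 7045

# Constructed records (not real logs). ImagePath forms mirror what 7045 shows:
# '\??\' prefixed absolute paths and '\SystemRoot' relative ones.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Martini", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": "\\??\\C:\\Users\\Public\\Martini.sys"},
    {"EventID": 7045, "ServiceName": "disk", "ServiceType": "kernel mode driver",
     "StartType": "boot start", "ImagePath": "\\SystemRoot\\System32\\drivers\\disk.sys"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\Martini.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\smartscreen.exe"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\smartscreen_protected.exe"},
]


@dataclass
class Alert:
    rule: str
    evidence: str


def normalize_image_path(raw: str) -> str:
    """Lower-case and rewrite the NT-style prefixes 7045 uses so path
    comparisons against TRUSTED_DRIVER_DIRS are meaningful."""
    p = raw.strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    if p.startswith("system32\\"):          # relative form is also seen
        p = "c:\\windows\\" + p
    return p


def check_service_install(rec: dict) -> List[Alert]:
    alerts: List[Alert] = []
    if rec.get("EventID") != SERVICE_INSTALL_EVENT:
        return alerts
    if "kernel" not in rec.get("ServiceType", "").lower():
        return alerts                        # user-mode services are out of scope here
    image = normalize_image_path(rec.get("ImagePath", ""))
    name = ntpath.basename(image)
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        alerts.append(Alert("driver_from_untrusted_path", image))
    if name in ABUSED_DRIVER_NAMES or rec.get("Sha256", "").lower() in ABUSED_DRIVER_SHA256:
        alerts.append(Alert("known_abused_driver", name))
    return alerts


def check_process_create(rec: dict) -> List[Alert]:
    image = normalize_image_path(rec.get("Image", ""))
    if ntpath.basename(image) in SUSPECT_PROCESS_NAMES:
        return [Alert("kasseika_tooling_name", image)]
    return []


def scan(records: Iterable[dict]) -> List[Alert]:
    alerts: List[Alert] = []
    for rec in records:
        alerts += check_service_install(rec) + check_process_create(rec)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a.rule, a.evidence)
```

The untrusted-path rule is the durable one: the driver’s file name is trivially changed by the attacker, as the rename from viragt64.sys to Martini.sys shows, whereas a kernel driver service whose image lives in a user-writable directory is rare on a managed host and worth an alert on its own. Hash matching against a maintained vulnerable-driver blocklist belongs alongside it, not instead of it.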

Payload analysis

Kasseika ransomware is a 32-bit Windows PE file packed with Themida, a commercial protector that makes reverse engineering significantly harder.

Before encrypting, the ransomware uses the Windows Restart Manager to shut down the processes and services that hold handles to the files it intends to encrypt: it starts a new Restart Manager session and enumerates the processes and services registered in that session from the same list. Kasseika then deletes shadow copies, encrypts target files, and appends its extension to them. The ransom note is dropped in several directories before the ransomware changes the system wallpaper.

Analyst comments from Tanium’s Cyber Threat Intelligence team

What is most concerning about this group is that Kasseika appears to reuse a substantial amount of BlackMatter source code. BlackMatter ransomware has previously been linked to BlackCat, a notorious and successful ransomware-as-a-service (RaaS) operation.

It is unclear whether a former member of one of these ransomware gangs is now part of Kasseika, or whether the operation simply obtained access to the source code. If the former is true, we could see more from Kasseika in the future.


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
