Silent Night Zeus financial botnet sold in underground forums

The botnet is being spread through the RIG exploit kit and COVID-19 spam campaigns.

Telstra steps up DNS filtering to fight malware
1:34

Researchers have revealed the existence of a botnet based on the Zeus banking Trojan that is being sold in underground forums.

On Thursday, Malwarebytes and HYAS published a paper (.PDF) documenting Silent Night, a relatively new botnet being distributed via the RIG exploit kit and COVID-19 spam

The source code of the Zeus banking Trojan was leaked in 2011. Multiple variants -- often coming under the Terdot Zbot/Zloader umbrella -- have been developed and released since.

Over the past few months, another variant of Zeus -- known as Zeus Sphinx -- has been making the rounds in campaigns designed to capitalize on the fear of COVID-19. This malware strain has been spotted in scams ranging from emails promising COVID-19 financial relief to attacks against banks. 

See also: Zeus Sphinx malware resurrects to abuse COVID-19 fears

The cybersecurity researchers said that the "Silent Night" Zbot, perhaps named in reference to a weapon mentioned in the 2002 movie xXx, appears to have been developed recently, with version 1.0 timestamped in November 2019. 

At a similar time, a Russian exploit forum user called "Axe" announced the development of the variant, describing the malware as the result of over five years of work. The botnet comes with a stiff price tag of $4,000 per month for a custom build, $2,000 per month for a standard option, and extras are offered for hundreds of dollars on top of these subscriptions.  

The developer has been connected to Axe Bot 1.4.1, which shares PHP prefixes with the latest botnet. 

According to Malwarebytes, Silent Night is able to grab information from online forms and perform web injections in the Google Chrome, Mozilla Firefox, and Internet Explorer browsers -- Edge being the exception -- and the malware is also compatible on all operating systems.

CNET: Personal data used in COVID-19 unemployment claims exposed in data breach

The Silent Night Zeus variant is also able to perform keylogging, grab screenshots at a size of 400x400 based on mouse clicks, steal cookies, and harvest passwords from Chrome. When web injections are performed, this can be used to hijack a user's session and send them to malicious domains or to grab the credentials required to access online banking services. 

Stolen information is then transferred to the operator's command-and-control (C2) server.

The developer claims that an original form of obfuscation is in use, with decryption only performed "on demand." An open directory found in a Silent Night sample described how to set up the malware's control panel, including minimum configuration requirements of at least 2GB RAM on a Linux machine. 

TechRepublic: Cybersecurity and remote work: How workers are handling the shift

The researchers say that there are C2 similarities between Silent Night and Terdot, but Sphinx is likely based on an "unrelated fork of Zeus" due to major differences in coding. 

At the time that Malwarebytes' report was published, researchers from Proofpoint also released information on a ZLoader variant being actively spread across the US, Canada, Germany, Poland, and Australia via invoice and coronavirus-based phishing campaigns.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0