We have already talked about Win32.Murofet infection in a previous blog post, illustrating the pseudo-random domain generation algorithm and the file infection technique that is used to drop its main body on the infected system. As already said, the technique used reminds me very much the behavior of the Conficker worm, which was able to generate thousands of unique domains.
Today we are going to try and draw some links between Murofet.A malware and another well known family of password stealing trojans: the infamous ZeuS trojan.
Actually, there's more than some suspicious links between Murofet and ZeuS. Surprisingly, when analyzing the code, we found that they are very similar.
There are a lot of internal functions that looks the same, share the same code, the same working behavior. Both Murofet.A and ZeuS trojans hook the exact same Win32 APIs inside the system and - if the handler code of these hooks is analyzed and compared - they'll look mostly the same.
This is clearly more than some coincidence. Is this the new version of ZeuS? Is the team behind Murofet the same team behind ZeuS?
We should remember is not the first time that ZeuS tries to infect other executable files by injecting a payload able to download full copy of itself from a fixed url. It used this approach months ago. Now they changed it: the download is not made anymore from a single fixed location; instead a pseudo-random domain generation routine has been implemented.
Actually if we analyze the old ZeuS payload infection injected inside the infected files and we compare it to the new one, here we see a lot of coincidences. We could find the same ROR/ADD API hashing routine, but the most interesting part is the way they both check if the system is already infected: they both import the SHRegGetBoolUSValue API from shlwapi.dll and check inside the HKEY_CURRENT_USER\Software\Microsoft registry key.
The old ZeuS payload checked whether the default value inside the Microsoft subkey is set to 1; the new ZeuS payload checks if there is a new 'Microsoft' value inside the Microsoft subkey and if it is set to 1. If they find it, the system is already infected and they end the payload routine.
Everything looks more clear now. Win32.Murofet couldn't be intended as a new malware, developed by a team that is collaborating with ZeuS team. Murofet looks more like another evolution of ZeuS, it is the continuation of an old project they tried during last months and now improved with many important changes.
So, should we call it Murofet...or ZeuS++?