An Update on the UrlZone Banker
UrlZone is a banking trojan that appeared in 2009. Searching its name or one of its aliases (Bebloh or Shiotob) reveals a good deal of press from that time period along with a few technical analyses in 2009  , 2012 , and 2013 . Despite having a reputation of evolution, there doesn’t seem to be very many recent updates on this malware family though. Is UrlZone still a threat and if so, how has it changed?
To explore that, this post takes a look at a recent UrlZone malware sample to see if it is still an active threat. It then gives an update on the command and control (C2) communications as they have changed since being previously documented. These are then put together in some proof of concept code that downloads and decrypts the webinject configuration file (the bread and butter of any banker malware) to see what financial institutions are being targeted.
The sample analyzed for this post has an MD5 of:
For the “stop using md5 now” converts, it has the following SHA256:
The sample’s compilation date is 2015-06-12 12:01:03. This date seems legit as it is inline with the hardcoded “tver” value of 1434110463 or converted from Unix epoch time: Fri, 12 Jun 2015 12:01:03 GMT. The “tver” value indicates “the build time of the [UrlZone] bot”.
Two recent timestamps suggests recent development, so let’s take a look at its C2 domains.
Command and Control Domains
This version of UrlZone uses a domain name algorithm (DGA). The seed URL from the sample is:
Calculating the first 250 domains generated by the algorithm gets the following potential C2s (see Appendix 1 for text IOCs):
The domain registration date range puts this activity in the realm of “recent”, but all that glitters [registers?] is not gold [malicious?]. As with most public DGAs, a good chunk of the above domains are sinkholes ran by security companies and/or researchers.
As we’ll see shortly, the domain highlighted in red was (at the time of this research) an active and malicious C2.
Based on the “[random word]@domain” registration email addresses, name servers used, and the proximity of the registration dates, the domains highlighted in yellow are most likely also controlled by the same threat actor. These domains were not active during this research however.
The anptlnadkpkhmc3.net C2 domain has had the following IPs:
Per VirusTotal’s passive DNS data, the first resolution they saw was on 05/20/2015.
C2 communications in this version of UrlZone are over TLS and the URL at the time of this research was:
The server is configured with a self-signed certificate that is valid from 06/06/15 to 06/05/16:
For copying and pasting:
Serial Number: 00:D1:61:6D:54:E9:36:48:2C
SHA1 Fingerprint: 84:7B:F4:20:7B:35:02:6C:C8:8E:84:1B:D4:2B:1B:41:F7:23:D3:F8
MD5 Fingerprint: 89:56:B9:51:3B:6E:2F:82:C6:D9:C8:2A:7D:FA:E0:1F
When visiting the C2 URL without using the “secret handshake” (see below) the following error message is displayed:
At this point I’m not sure whether this is an artifact of the UrlZone C2 panel or of this particular server, but it’s something to note.
C2 Communications – Request
C2 communications are via a HTTP POST request wrapped in TLS. As mentioned there is a “secret handshake” and it consists of specific HTTP request headers and specially crafted POST data. The required headers are:
Host: <C2 domain>
Content-Length: <POST data length>
In my testing, any divergence from these headers (order didn’t seem to matter) resulted in the above error message.
The specially crafted POST data depends on the command and the notes below will focus on the command that downloads the webinject configuration file from the C2. The POST data consists of two parts: prepend and query string. Here’s a sample 81-byte prepend:
It breaks down as follows:
- 2 – command
- 35F368C84B596D17F9 – BOTID (can be randomly generated – 18 hexadecimal digits)
- Y010000001 – BOTSHID (see IDA screenshot below)
- 0x00 pad to 34 bytes
- 6.1 – OS version, MajorVersion.MinorVersion
- 0001 – hardcoded zeros and ones
- \xc2\xd8\x81U – Unix timestamp packed as a string
- Explorer 6.1.7601.17514 – file version info (see screenshot below)
- 0x00 pad to 81 bytes
In this run, UrlZone injected itself into explorer.exe, which is why the “file version info” is the way that it is:
The BOTSHID can be extracted from an infected explorer.exe memdump, just follow the strings:
An example 92-byte query string looks like:
It breaks down as follows:
- tver – build time of the bot, Unix timestamp (see IDA screenshot below)
- vcmd – unknown, set to 0
- cc – hardcoded to 0
- hh – hardcoded to 0
- ipcnf – IP address (can be random)
- sckport – SOCKS proxy port, set to 0
- pros – unknown, set to 0
- keret – parsed from GetKeyboadLayoutList
- email – always blank
The tver can be extracted from an infected explorer.exe memdump, again just follow the strings:
tver can also be set to an older date such as “1433290738” and the C2 will return an updated UrlZone sample instead of the webinject configuration file (see below).
Next the two chunks of data are encrypted. First, two 16-byte AES keys are randomly generated: one for encryption and the other for decryption. The keys and the length of the query string are placed in front of the prepend section and this whole chunk is RSA encrypted (PKCS1) using an embedded RSA key. The key is 148 bytes and stored as a PUBLICKEYBLOB:
Here’s the key in PEM format:
-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDV528i6h3NKzPF9j3tv3k3qQdM CNQRV05/yp0hlF1ldaPBnfxjGunTAmrqgCuHu2LGWBSfFS1PMKZeL9aqI86rjofi 90XbD4mYT6/amYktPrECsw/6TllCiaYdM3/bKn4zN9nZH9lAACw390Q28+XnRRwu z+pim6jl1wUdbmJ8dQIDAQAB
-----END PUBLIC KEY-----
In the handful of recent UrlZone samples that have been spot checked, this key hasn’t changed.
Next, the length of the query string and the query string is encrypted using AES-128 in ECB mode using the previously generated AES encryption key. Finally, the two encrypted chunks are concatenated together into the final POST data (where yellow is RSA encrypted and green is AES encrypted):
C2 Communications – Responses
Responses are encrypted with AES-128 in ECB mode using the randomly generated decryption key.
For this post, three responses will be discussed: sleep, update, and webinject config file. The sleep or CMD0 response looks like [brackets are my delimiter]:
[16-byte MD5 hash][4-byte length][CMD0][padding]
This puts the bot to sleep till the next command poll. An update or EXEUPDATE response looks like:
[16-byte MD5 hash][4-byte length][ >CV CMP\r\n>UD 0\r\n*EXEUPDATE file_size\r\n][MZ…]
An updated UrlZone EXE file is placed inline starting at the MZ marker and is “file_size” bytes in size. The final response is the webinject configuration file or INJECTFILE:
[16-byte MD5 hash][4-byte length][>CV 30\r\n>DI\r\nINJECTFILE file_size\r\n][encrypted webinject config file…]
An encrypted webinject configuration file of file_size bytes is placed inline starting after the second \r\n. This time the encryption algorithm used is XXTEA. The 16-byte key is hardcoded and can be extracted from an infected explorer.exe memdump by looking for the XXTEA constant 0x9e3779b9:
After decryption, the configuration file is Zlib compressed starting at offset 10 (or Gzip compressed starting at offset 0).
Pretending to be an UrlZone Bot
Putting everything together with some Python, we provide this proof of concept code hosted at ASERT’s GitHub that emulates an instance of the UrlZone bot:
EXEUPDATE is a fresh UrlZone sample with a compilation date and tver value of 2015-06-12 12:19:28. At the time of this research, it has 7/57 generic detection hits on VirusTotal.
The full INJECTFILE is also available on GitHub. At the time of this research this UrlZone campaign looks to be targeting German banks. This is consistent with past reports of UrlZone targeting.
Sometimes it’s a good idea to poke an older threat with a stick to see what happens. This is especially true once the press has faded, new threats have stolen the attention away, and once the initial batch of threat research has aged.
This post has poked a stick at an older banker malware known as UrlZone and provided some updates on what happened.
Appendix 1 – Potential C2s
- 1uer3u9vttynxg.com (126.96.36.199)
- led3dddga4xgj44.com (188.8.131.52)
- ebfszfmcg325fnr.net (NXDOMAIN)
- pb9r9w5bk5bipws.com (NXDOMAIN)
- anptlnadkpkhmc3.net (184.108.40.206, 220.127.116.11)
- zjz45p43xkw1rxa.net (NXDOMAIN)
- 59njm3tgtwggfu3.com (18.104.22.168)
- lfaf9nqo49k9yz.com (22.214.171.124)
- lvzyjwj1fakh55i.com (126.96.36.199)
- 5bizcsfozjtsony.com (188.8.131.52)
- 14mdbbx3242lm5q.net (184.108.40.206)
- amp45rhstc3b9a3.net (220.127.116.11)
- 1vp412e12nheix.net (18.104.22.168)
- 9eiic393tze3nmx.com (22.214.171.124)
- oxda13oess.com (126.96.36.199)
- dwc5cbjada.net (188.8.131.52)
- xqxcysbkjadwpx.net (184.108.40.206)
- szhtdp1scvhbnu9.net (220.127.116.11)
- ysg9ivv311.com (18.104.22.168)