Silent Night: Breaking Silence in the Underground Forums

May 26, 2020

According to researchers, the descendant of the notorious banking trojan, Zeus, dubbed Silent Night, is being sold in underground markets. Recently, Malwarebytes and HYAS published a paper on Silent Night, which is distributed via the COVID-19 spam campaigns and RIG exploit kit.

What’s the matter?

  • In 2011, the Zeus banking Trojan source code was leaked. Since then, multiple variants under the Terdot Zbot/Zloader category have been developed and released.
  • Over the last few months, another variant of the trojan, Zeus Sphinx, was seen in COVID-19 financial relief email scams and attacks against banks.
  • Recently, Silent Night Zbot appears to have been developed with version 1.0 timestamped in November 2019. Around the same time, Axe, a Russian exploit forum user, publicized the development of the Zeus variant.
  • In the underground forums, the botnet is sold at a price of $4,000 per month for a custom build.

More about the Silent Night

  • According to Malwarebytes, Silent Night is compatible with all operating systems, and collects information from online forms as well as performs web injections in browsers such as Google Chrome, Mozilla Firefox, and Internet Explorer.
  • Besides, the malware performs keylogging, takes screenshots, steals cookies, and collects passwords from Chrome.
  • While performing web injections, the malware seizes user sessions and directs them to malicious domains, and steals the credentials to access online banking services. The stolen information is sent to the operator’s command-and-control (C2) server.
  • According to the developer, an original form of obfuscation is used with “on demand” decryption. An open directory found in a malware sample outlines the Silent Night control panel setup, including minimum configuration requirements on a Linux machine.
  • As per the researchers, there are C2 similarities between Silent Night and Terdot.

Researchers' opinion

According to the researchers, the design of the banking trojan is consistent and clean. In the near future, the evolution of the Silent Night bot will lead to banking theft at scale.

Read the original article and additional information at Cyware Social