{"id":1087,"date":"2024-08-29T01:53:59","date_gmt":"2024-08-29T01:53:59","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1087"},"modified":"2025-07-28T11:28:54","modified_gmt":"2025-07-28T11:28:54","slug":"cockroaches-and-zeroaccess-trojan-will-be-the-only-things-to-survive-an-apocalypse","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/cockroaches-and-zeroaccess-trojan-will-be-the-only-things-to-survive-an-apocalypse\/","title":{"rendered":"Cockroaches and ZeroAccess Trojan will be the only things to survive an Apocalypse"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"522\" height=\"350\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/zero-access-troj-labs-featimage-header.jpg\" alt=\"\" class=\"wp-image-1098\"\/><\/figure>\n<\/div>\n\n\n<p>Today I\u2019m going to take a look at a member of the Click-Fraud malware family \u2013 ZeroAccess Trojan. Now, because its function isn\u2019t as apparent as that of \u2018ransomware\u2019 or \u2018credential stealing\u2019, I\u2019ve included diagrams and additional information on how this scheme works at the end of the post. As a quick definition though, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Click_fraud\" target=\"_blank\" rel=\"noopener\">click fraud<\/a> involves the malware hijacking the user\u2019s search engine results, pushing advertisements from a chosen Ad Server. The cyber criminals profit here as they\u2019re generally hired as middlemen\/third parties of an agency with advertisements on that server.<\/p>\n\n\n\n<p>In previous iterations, the malware was also known to mine bitcoin. This makes a lot of sense \u2013 if you have access to one of the world\u2019s largest botnets, why not send it to work? 
Its authors, however, released a patch sometime in 2013 which removed the mining functionality from the Trojan, most likely due to its futility in the face of bitcoin\u2019s rapidly increasing hash rate.<\/p>\n\n\n\n<p>There\u2019s some interesting history to this strain. Not only is it the first to commercialize the Click Fraud scheme \u2013 and run on the power of one of the world\u2019s largest botnets \u2013 but it also still exists despite a concerted effort in 2013 from Microsoft, Europol and the FBI to erase it from existence.<\/p>\n\n\n\n<p>According to Shodan\u2019s Malware Hunter tool, ZeroAccess Trojan\u2019s botnet is currently operating on computers across 70 countries, with Venezuela and the United States being the most heavily infected.<\/p>\n\n\n\n<p>Below are Malware Hunter\u2019s infection stats for ZeroAccess Trojan as of May 29, 2017:<\/p>\n\n\n\n<div class=\"wp-block-group has-medium-font-size is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-94bc23d7 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/zero-access-troj-labs-post-img1.png\" alt=\"\"\/><\/figure>\n<\/figure>\n<\/div>\n\n\n\n<p><strong>Propagation:&nbsp;<\/strong>The Trojan\u2019s primary propagation method is \u2018ExploitKit\u2019, which involves the Botnet infecting an Ad Server, thereby spreading the malware throughout the server\u2019s network of websites. 
This propagation method proves to be an extremely efficient channel through which to spread malware.<\/p>\n\n\n\n<p>Another method of propagation used by the Trojan\u2019s authors is to develop highly targeted spear phishing emails, attempting to lure victims into clicking a malicious link embedded in the email.<\/p>\n\n\n\n<p><strong>Functionality:&nbsp;<\/strong><\/p>\n\n\n\n<p>The Trojan\u2019s M.O. is to create a backdoor on the infected machine, thus adding it to the botnet, after which it is shortly sent to work generating revenue.<\/p>\n\n\n\n<p>Below, we\u2019ll analyze a recent sample:<\/p>\n\n\n\n<p>MD5: 41b0aac4362135e3643a6b603b9744d1<\/p>\n\n\n\n<p>Filenames: SourceEnclosure.exe; MultimediaAlaska.exe; Necipemujuga hesopo ji<\/p>\n\n\n\n<p>To better understand the Trojan\u2019s functionality, we debugged the malicious payload. The first behavior observed is the creation of a randomly named text file via the \u201cCreateFileW\u201d API.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/zero-access-troj-labs-post-img2.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Once the random file has been created, \u201cLoadLibraryA\u201d is called to load \u201cKernel32.dll\u201d at the specified memory location. The DLL can be broken down into multiple modules, each used for specific functions at different locations, as highlighted in the image below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/zero-access-troj-labs-post-img3.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>The above modules illustrate the stealth of ZeroAccess Trojan once executed on the infected machine. 
One particular behavior we can observe is the exploitation of the CVE-2015-1701 local privilege escalation vulnerability.<\/p>\n\n\n\n<p>CVE-2015-1701 is a Windows zero-day that was discovered in&nbsp;<a href=\"http:\/\/www.zdnet.com\/article\/russian-hackers-exploit-flash-windows-flaws-to-spy-on-diplomat-targets\/\" target=\"_blank\" rel=\"noopener\">April 2015<\/a>&nbsp;by FireEye researchers. The exploit executes a callback using the flaw to pull data from the System process before executing code with escalated privileges. After running code through the kernel, stolen system tokens are then modified to mirror System process privileges.<\/p>\n\n\n\n<p>In this sample, there are two mechanisms which exploit this vulnerability \u2013 exception handling and the setting of a hardware breakpoint. From the call stack above, we can see that the hardware breakpoint has been set on \u201cKiUserCallbackDispatcher\u201d.<\/p>\n\n\n\n<p>Importantly, the sample loads \u201cUxtheme.dll\u201d via LoadLibraryA and checks for the API \u201cIsDebuggerPresent()\u201d. This allows the Trojan to determine whether or not it is being debugged, so that it can modify its behavior if necessary.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/zero-access-troj-labs-post-img4.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><strong>Indicators of Compromise:<\/strong><\/p>\n\n\n\n<p>Apart from code analysis, there are certain Registry Values which ZeroAccess Trojan also manipulates:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/zero-access-troj-labs-post-img6.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>The Trojan uses the file path C:\\Users\\Worker\\AppData\\Local\\MultimediaAlaska\\MultimediaAlaska.exe to execute the Remote Access Trojan. 
The IP addresses the Trojan uses as Command and Control Servers to download further instructions are listed below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Connection:&nbsp; 103.219.22.63:443<\/li>\n\n\n\n<li>Connection:&nbsp; 50.116.5.69:443<\/li>\n\n\n\n<li>Connection:&nbsp; 81.88.24.211:443<\/li>\n<\/ul>\n\n\n\n<p><strong>Further Technical Information and Diagrams<\/strong>:<br><br>As mentioned at the start of this post, the mechanics behind Click-Fraud malware aren\u2019t as easily explained as those of other malware families. Below, you\u2019ll find additional technical information and diagrams on how this Trojan operates, makes money and impacts its victims.<br><br>First, to dispel any confusion, \u2018compromised Ad Servers\u2019 doesn\u2019t mean the servers are acting as a malware repository. It means that through URL redirection techniques, and the injection of malicious JavaScript and iframe modules, legitimate traffic is being redirected to compromised Ad Servers.<br><br>Below is a diagram of what a normal user interaction with an uncompromised Ad Server looks like:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/zero-access-troj-labs-post-img7.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>While the above image depicts what a normal user interaction would look like, when a user is infected with ZeroAccess, the Command and Control server issues a number of commands, one of which is \u2018Traffic Redirection\u2019.<\/p>\n\n\n\n<p>The ZeroAccess Trojan module then controls URL redirection and thus acts as an interface. 
The below diagram illustrates this process, as well as showing how iframe module injection fits into the functionality:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/zero-access-troj-labs-post-img8.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Finally, the below diagram shows the \u2018Search Engine Hijacking\u2019 or \u2018Click Fraud\u2019 functionality of ZeroAccess \u2013 the primary process through which the Trojan\u2019s authors generate revenue:<\/p>\n\n\n\n<div class=\"wp-block-group is-horizontal is-content-justification-left is-nowrap is-layout-flex wp-container-core-group-is-layout-e0598304 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/zero-access-troj-labs-post-img9.png\" alt=\"\" style=\"width:632px;height:auto\"\/><\/figure>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Today I\u2019m going to take a look at a member of the Click-Fraud malware family \u2013 ZeroAccess Trojan. Now, because its function isn\u2019t as apparent as that of \u2018ransomware\u2019 or \u2018credential stealing\u2019, I\u2019ve included diagrams and additional information on how this scheme works at the end of the post. As a quick definition though, click fraud involves the malware hijacking the user\u2019s search engine results, pushing advertisements from a chosen Ad Server. 
The cyber criminals profit here as they\u2019re generally hired as middlemen\/third parties of an agency with advertisements on that server.<\/p>\n","protected":false},"author":1,"featured_media":1098,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1087","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1087","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1087"}],"version-history":[{"count":8,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1087\/revisions"}],"predecessor-version":[{"id":4085,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1087\/revisions\/4085"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1098"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}