Attackers are distributing a variant of the zEus stealer malware disguised as a Minecraft source pack, d9d394cc2a743c0147f7c536cbb11d6ea070f2618a12e7cc0b15816307808b8a, which is embedded in a WinRAR self-extract file designed to mimic a Windows screensaver.
The file executes the stealer and displays an image with “zEus” added, a string also found in the profile of a Discord webhook used to receive stolen data.
The zEus stealer employs anti-analysis techniques to evade detection and checks for specific computer names and processes associated with analysis tools in blacklists. If the computer name or a running process matches an entry on the blacklist, zEus will refrain from malicious activity.
To collect sensitive information undetected, zEus creates folders in a system directory (C:\ProgramData) to store stolen data and additional malicious scripts that enhance its functionality.
The zEus stealer is a malicious program designed to steal a wide variety of user information, and targets browsers like Chrome and Firefox, collecting login data, cookies, and browsing history. Additionally, it searches for login credentials from gaming and chat applications like Steam, Discord, and Roblox.
System information is also harvested, including hardware IDs, running processes, and WiFi passwords. By leveraging online tools and system utilities, zEus gathers the victim’s IP address, location details, and internet service provider, which are then saved in a categorized folder structure on the infected machine.
It targets specific folders containing game launcher data (Battle.net, Electronic Arts, and Epic Games) and messaging apps (Telegram) to steal credentials and victim information. It also searches Downloads folders for files likely containing passwords or cryptocurrencies (Zcash, Ethereum, etc.).
According to Fortinet, stolen data is compressed and sent along with a report containing system information (username, processor, antivirus) and software details (installed Xbox games).
It utilizes dropped script files in the C:\ProgramData folder to establish persistence and evade detection, which include debugerkiller.bat to terminate Task Manager, Screen.bat to capture screenshots, and RAT.bat for C2 communication.
Debugerkiller.bat and Screen.bat are automatically executed on system startup by registering their paths in the Windows Registry under a disguised value name that hinders user intervention and protects the screen lock mechanism, potentially employed by SYSTEMLOCK.bat, configSYSLOCK.vbs, or bsod.hta, from being disabled.
zEus stealer is malware that steals screenshots and monitors the victim’s computer activity, which can be achieved by dropping various scripts, as Screen.bat captures screenshots every five seconds and sends them to the attacker.
SYSTEMLOCK.bat disables user interaction and displays a fake system message. RAT.bat maintains communication with the attacker’s server, downloads commands, executes them, and reports the results back.
It can also lock the screen and allow limited chat interaction with the attacker, as these scripts are set to run automatically at startup, ensuring persistent control over the victim’s machine.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
