No More Rootkit in ZeroAccess?
The ZeroAccess crimeware package has been made rather much of, in view of its advanced kernel-mode rootkit driver. The Sirefef rootkit is highly aggressive and rather hard to detect; it exhibits polymorphism, overwrites legitimate system driver files to replace them with its own, and in some versions it even tries to shut down AV software.
However, recent versions seem to have left out this particular “feature”. E-threat researcher Biro Balazs explains:
‘The infection mechanism is the same as that of older versions (the initial dropper comes as a Flash Player installer from porn sites), but it lacks the usual components, particularly the x86 rootkit component (rtk32).
In both cases the dropper has an embedded Microsoft Cabinet File which contains the components:
But, as we can see, the new dropper contains only: fp.exe (the clean Flash Player installer) plus n32 (p2p.32.dll) and n64 (p2p.64.dll), whereas the x86 rootkit component (rtk32) is missing. (Note: only the important files have been highlighted.)
Instead, it has two DLLs (p2p.32.dll and p2p.64.dll), which are responsible for downloading further plugins. In our tests the 32-bit DLL hasn’t downloaded any rootkit component; this could mean that this part of the infection mechanism has been left out of the game.
But why would the authors leave out the rootkit? One possible cause is the aggressive nature of the rootkit. By overwriting a legitimate driver, it risks rendering the system non-bootable (it might get deleted by an anti-malware solution).
In this case the VX-ers would lose control over the system, which obviously isn’t their goal.
To survive a reboot, the package employs a technique also used by the first Sirefef/ZeroAccess variant (with the strange path “\\??\globalroot\Device\__max++>\”), namely CLSID hijacking – replacing the InprocServer32 entry of a well-known ClassId under HKLM\Software\Classes\CLSID.
Ironically, the new, rootkit-less versions are easier to detect, so if we lived in a perfect world where everyone ran antivirus software, ZeroAccess would be on its way out.’
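The check behind the observation above (the new dropper's embedded cabinet no longer lists rtk32), written out as an added example; this is not code from the post or from Bitdefender. It carves MSCF cabinets out of an arbitrary blob and lists the CFFILE names from the header, without extracting anything, so it works on packed-but-not-encrypted droppers as well as on loose .cab files. The two "droppers" are byte strings constructed inside the block: the file names are the ones the post lists, the contents are placeholders.

```python
"""Carve embedded Microsoft Cabinet (MSCF) archives out of a dropper and list
the files they contain, so a missing component (rtk32 here) can be confirmed
without extracting anything. Added example, not from the Bitdefender post;
the 'dropper' bytes below are constructed by hand for the demo."""
import struct
from typing import Dict, List, Tuple

MSCF = b"MSCF"
CFHDR_PREV, CFHDR_NEXT, CFHDR_RESERVE = 0x0001, 0x0002, 0x0004
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


def _cstr(buf: bytes, off: int) -> Tuple[str, int]:
    """Read a NUL-terminated string at off; return (text, offset past the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_cab(buf: bytes, off: int = 0) -> Tuple[int, str, List[str]]:
    """Parse the CFHEADER at buf[off:] and return (cbCabinet, compression,
    file names). Offsets inside a cabinet are relative to its first byte."""
    if buf[off:off + 4] != MSCF:
        raise ValueError("no MSCF signature at offset %d" % off)
    (_, _, cb_cabinet, _, coff_files, _, _minor, _major, c_folders, c_files,
     flags, _set_id, _i_cab) = struct.unpack_from("<4sIIIIIBBHHHHH", buf, off)
    if (c_folders == 0 or c_files == 0 or off + cb_cabinet > len(buf)
            or coff_files >= cb_cabinet):
        raise ValueError("inconsistent or truncated CFHEADER at offset %d" % off)
    pos = off + 36
    if flags & CFHDR_RESERVE:                  # optional per-cabinet reserve area
        cb_hdr_reserve = struct.unpack_from("<H", buf, pos)[0]
        pos += 4 + cb_hdr_reserve              # cbCFHeader, cbCFFolder, cbCFData, abReserve
    for _ in range(bool(flags & CFHDR_PREV) * 2 + bool(flags & CFHDR_NEXT) * 2):
        _, pos = _cstr(buf, pos)               # szCabinetPrev/szDiskPrev/szCabinetNext/szDiskNext
    _coff_start, _c_data, type_compress = struct.unpack_from("<IHH", buf, pos)  # first CFFOLDER
    compression = COMPRESSION.get(type_compress & 0x000F, "unknown")
    names: List[str] = []
    pos = off + coff_files
    for _ in range(c_files):
        _cb, _uoff, _ifolder, _date, _time, attribs = struct.unpack_from("<IIHHHH", buf, pos)
        name, pos = _cstr(buf, pos + 16)
        if attribs & 0x80:                     # _A_NAME_IS_UTF: name is UTF-8, not OEM
            name = name.encode("latin-1").decode("utf-8", "replace")
        names.append(name)
    return cb_cabinet, compression, names


def carve_cabs(blob: bytes) -> List[Tuple[int, str, List[str]]]:
    """Scan an arbitrary blob for embedded cabinets; MSCF hits whose header
    does not parse (random bytes, truncated archives) are skipped."""
    found, pos = [], blob.find(MSCF)
    while pos != -1:
        try:
            size, compression, names = parse_cab(blob, pos)
            found.append((pos, compression, names))
            pos = blob.find(MSCF, pos + size)
        except (ValueError, struct.error):
            pos = blob.find(MSCF, pos + 1)
    return found


def build_sample_cab(files: Dict[str, bytes]) -> bytes:
    """Construct a minimal single-folder, uncompressed cabinet (demo input
    only; the CFDATA checksum is left 0 because nothing here extracts data)."""
    payload = b"".join(files.values())
    cffiles, uoff = b"", 0
    for name, data in files.items():
        cffiles += struct.pack("<IIHHHH", len(data), uoff, 0, 0, 0, 0x20) + name.encode() + b"\x00"
        uoff += len(data)
    coff_files = 36 + 8                        # header + one CFFOLDER
    coff_data = coff_files + len(cffiles)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload
    cb_cabinet = coff_data + len(cfdata)
    header = struct.pack("<4sIIIIIBBHHHHH", MSCF, 0, cb_cabinet, 0, coff_files, 0,
                         3, 1, 1, len(files), 0, 0x1234, 0)
    folder = struct.pack("<IHH", coff_data, 1, 0)   # one CFDATA block, tcompTYPE_NONE
    return header + folder + cffiles + cfdata


# Constructed stand-ins for the two droppers the post compares: an older one
# whose cabinet still carries rtk32 and the newer one without it.
OLD_DROPPER = b"MZ" + b"\x90" * 64 + build_sample_cab(
    {"fp.exe": b"flash stub", "rtk32": b"rootkit", "n32": b"p2p32", "n64": b"p2p64"}) + b"\x00" * 16
NEW_DROPPER = b"MZ" + b"\x90" * 64 + build_sample_cab(
    {"fp.exe": b"flash stub", "n32": b"p2p32", "n64": b"p2p64"}) + b"\x00" * 16


def rootkit_present(blob: bytes) -> bool:
    """True if any embedded cabinet lists the rtk32 component."""
    return any("rtk32" in names for _, _, names in carve_cabs(blob))


if __name__ == "__main__":
    for label, blob in (("old", OLD_DROPPER), ("new", NEW_DROPPER)):
        for off, comp, names in carve_cabs(blob):
            print(f"{label}: MSCF at 0x{off:x} ({comp}) -> {names}")
```

Run it against a real dropper with `carve_cabs(open(path, "rb").read())`. Names come from the cabinet directory, so the listing works whatever the folder compression is; only the data blocks would need MSZIP/LZX handling, which is deliberately out of scope here. A cabinet whose declared cbCabinet runs past the end of the file is treated as truncated and skipped; relax that check if you are carving from memory dumps.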
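An added hunt for the CLSID-hijack persistence described above (not Bitdefender's tooling, and not tied to any particular ClassId). classify_server() applies heuristics to an InprocServer32 value: NT device/globalroot notation of the kind the post quotes, servers in user-writable locations, bare file names that get resolved through the search path, and servers outside Windows or Program Files. scan_registry() walks the HKLM 64-bit and WOW6432Node views plus HKCU on a live Windows host. The sample paths in the demo are constructed.

```python
"""Hunt for CLSID hijacks of the kind the post describes: a well-known ClassId
whose InprocServer32 default value no longer points at the expected system
DLL. Added example, not Bitdefender's tooling. classify_server() is pure and
runs anywhere; scan_registry() needs Windows (winreg) and, ideally, admin."""
import os
import re
import sys
from typing import List, Optional, Sequence, Tuple

# Heuristics, not an allow-list: every hit still needs a human look.
DEVICE_PATH = re.compile(r"^\\\\\?\?\\|\\device\\|globalroot", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\(users|documents and settings|programdata|temp|tmp|recycler|\$recycle\.bin)\\",
    re.IGNORECASE)


def expand_server_path(value: str, system_root: str) -> str:
    """Strip quotes and expand %SystemRoot%/%windir% (and, on Windows, any
    other %VAR%) so the path can be compared against trusted roots."""
    path = value.strip().strip('"')
    path = re.sub(r"%(systemroot|windir)%", lambda _m: system_root, path, flags=re.IGNORECASE)
    return os.path.expandvars(path)


def classify_server(value: str,
                    system_root: str = r"C:\Windows",
                    trusted_roots: Sequence[str] = (r"C:\Program Files", r"C:\Program Files (x86)")
                    ) -> Optional[str]:
    """Return why an InprocServer32 value looks hijacked, or None if it looks sane."""
    path = expand_server_path(value, system_root)
    low = path.lower()
    if DEVICE_PATH.search(path):
        return "NT device/globalroot path"
    if USER_WRITABLE.search(path):
        return "server in user-writable location"
    if not re.match(r"^[a-z]:\\", low):
        return "relative or bare file name (resolved via search path)"
    for root in (system_root, *trusted_roots):
        if low.startswith(root.lower().rstrip("\\") + "\\"):
            return None
    return "server outside Windows and Program Files"


def scan_registry() -> List[Tuple[str, str, str, str]]:
    """Walk the HKLM CLSID tree in both the 64-bit and WOW6432Node views and
    the HKCU tree (per-user keys shadow HKLM for COM lookups). Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("registry scan needs Windows; use classify_server() on exported data")
    import winreg
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    trusted = tuple(p for p in (os.environ.get("ProgramFiles"),
                                os.environ.get("ProgramFiles(x86)")) if p)
    trees = ((winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Classes\CLSID", "HKLM"),
             (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\WOW6432Node\Classes\CLSID", "HKLM"),
             (winreg.HKEY_CURRENT_USER, r"SOFTWARE\Classes\CLSID", "HKCU"))
    hits = []
    for root, sub, label in trees:
        try:   # KEY_WOW64_64KEY: see the real 64-bit view even from 32-bit Python
            tree = winreg.OpenKey(root, sub, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY)
        except OSError:
            continue
        with tree:
            index = 0
            while True:
                try:
                    clsid = winreg.EnumKey(tree, index)
                except OSError:          # ERROR_NO_MORE_ITEMS
                    break
                index += 1
                try:                     # default value of <CLSID>\InprocServer32
                    value = winreg.QueryValue(tree, clsid + r"\InprocServer32")
                except OSError:          # class has no in-process server
                    continue
                reason = classify_server(value, system_root, trusted)
                if reason:
                    hits.append((label + "\\" + sub, clsid, value, reason))
    return hits


if __name__ == "__main__":
    # Constructed values, not taken from a real system.
    for sample in (r"%SystemRoot%\system32\shell32.dll",
                   r"\\??\globalroot\Device\HarddiskVolume1\x.dll",
                   r"C:\Users\bob\AppData\Local\Temp\x.dll"):
        print(f"{sample!r}: {classify_server(sample)}")
    if sys.platform == "win32":
        for tree, clsid, value, reason in scan_registry():
            print(f"{reason}: {tree}\\{clsid}\\InprocServer32 = {value}")
```

The location heuristics catch a server that has been moved, which is what the post's CLSID hijack does. They do not catch the other ZeroAccess trick, overwriting a legitimate file in place, because the registry value then still points at a sane-looking system path; for that you need to hash or Authenticode-verify the DLL the value names, which this check leaves to the reader. Expect some noise from third-party COM servers installed outside Program Files; baseline a clean machine of the same build and diff against it rather than reviewing every hit cold.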