zEus Stealer Distributed via Crafted Minecraft Source Pack | FortiGuard Labs

Fortinet FortiGuard Labs analyzes the zEus stealer, which is distributed via a crafted Minecraft source pack, detailing its infection vector and anti-analysis checks. Once running, the stealer collects a wide range of user data, exfiltrates the results over Discord webhooks and other channels, and drops multiple persistence and defense-evasion components on Windows.

Keypoints

  • zEus stealer is distributed via a crafted Minecraft source pack shared on YouTube, with a variant also distributed as a WinRAR self-extracting file.
  • It performs anti-analysis checks to detect if the environment is being analyzed or sandboxed before proceeding with data collection.
  • The malware gathers extensive data (PCINFO, IPINFO, HARDWARE, BROWSERS, STEAL, LDB, SESSION) and saves it under C:\ProgramData.
  • Persistence is achieved by registering Run keys in the Windows registry to auto-start the malware.
  • Exfiltration and C2 rely on web services and Discord webhooks; components include RAT, Screen, and other dropper scripts with C2 communication.
  • Fortinet recommends MFA, cautious source downloads, and monitoring via FortiRecon and up-to-date FortiGuard protections.
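A defender-side hunting check for two of the behaviours listed above (a Run-key value pointing at a script under C:\ProgramData, and Discord webhook traffic from a non-browser process), added here as an example and not code from the FortiGuard report; the event records, their field names and the webhook token are constructed assumptions, not indicators from the page.

```python
import re

# Constructed sample telemetry, loosely shaped like registry-set and network events.
# Paths, value names and the webhook token are placeholders, not report indicators.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "WindowsUpdateSvc",
     "data": r"C:\ProgramData\Update\RAT.bat"},
    {"type": "registry_set",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "network", "process": "curl.exe",
     "url": "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"},
    {"type": "network", "process": "chrome.exe",
     "url": "https://discord.com/api/v9/users/@me"},
]

# Run key under HKCU (or HKLM) that the report names as the persistence location.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
# Autostart data that launches a script stored under <drive>:\ProgramData.
SCRIPT_IN_PROGRAMDATA_RE = re.compile(
    r'(^|[\s"])[a-z]:\\programdata\\.*\.(bat|cmd|vbs|ps1)\b', re.IGNORECASE)
# Discord webhook endpoint used by the stealer for exfiltration.
WEBHOOK_RE = re.compile(
    r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/\S+", re.IGNORECASE)
# Processes for which a webhook call is plausibly user-driven; everything else is flagged.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}


def triage(events):
    """Return (rule, subject, detail) tuples for events matching either hunt rule."""
    findings = []
    for e in events:
        if e.get("type") == "registry_set":
            if RUN_KEY_RE.search(e["key"]) and SCRIPT_IN_PROGRAMDATA_RE.search(e["data"]):
                findings.append(("run_key_script_in_programdata", e["value"], e["data"]))
        elif e.get("type") == "network":
            if WEBHOOK_RE.search(e["url"]) and e["process"].lower() not in BROWSERS:
                findings.append(("discord_webhook_from_non_browser", e["process"], e["url"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```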

MITRE Techniques

  • [T1497] Virtualization/Sandbox Evasion – “When a victim executes the zEus stealer, it checks whether it is being analyzed.”
  • [T1547.001] Boot or Logon Autostart Execution – “paths are registered under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to achieve persistence.”
  • [T1113] Screen Capture – “zEus drops Screen.bat to keep sending a screenshot to the webhook every five seconds.”
  • [T1562.001] Disable Security Tools – “Kill Task Manager” via debugerkiller.bat to prevent user interference.
  • [T1059] Command and Scripting Interpreter – “uses command-line utilities and PowerShell to collect hardware information.”
  • [T1082] System Information Discovery – “The zEus stealer grabs a wide range of information… OS version, product key, hardware ID, system configuration, installed programs.”
  • [T1555.003] Credentials from Web Browsers – “copies files for login data and user preferences from the browsers’ profile path and stores them.”
  • [T1552.001] Credentials in Files – “LDB folder stores .ldb files copied… attacker can extract Discord tokens.”
  • [T1071.001] Web Protocols – “RAT.bat downloads command-line instructions… to COMMANDS.txt” and usage of a webhook for data transfer.
  • [T1041] Exfiltration – “the STEALER.zip is attached and sent as the attack result.”

Indicators of Compromise

  • [C2 Server] context – onlinecontroler[.]000webhostapp[.]com/, panel-controller[.]000webhostapp[.]com/
  • [Discord Webhooks] – hxxps[:]//discord[.]com/api/webhooks/1212818346157015070/2v0xe2vrxFGv65, MRE9qvICmsJw-5e_pq_28xscGybiY1ScEyEiSKMC_zFffr3KkuAimX
  • [Discord Webhooks] – hxxps[:]//discord[.]com/api/webhooks/1212821302671581224/L30ylYucowXO_rm7sUpdwA8DLbYet6NyvUsNV60EP1o1HnF-2M-UPsvatVGQY0ctO9Vk
  • [Files] – aabfbef31ab073d99c01ecae697f66bbf6f14aa5d9c295c7a6a548879381fb24, c9687714cf799e5ce9083c9afa3e622c978136d339fc9c15e272b0df9cd7e21c, and many more hashes

Read more: https://feeds.fortinet.com/~/896046242/0/fortinet/blog/threat-research~zEus-Stealer-Distributed-via-Crafted-Minecraft-Source-Pack