HZB.Feedel's actual payload depends on the type of malware which is stored in the final, encrypted section of its code, and is usually a LinkOptimizer or Trojan-Password stealer. DownloadThe actual download is performed by a small (usually 6000 to 7000 bytes) downloader with the mutex name "Global\__RST__". The downloader itself is usually packed with UPX.The downloader retrieves an encrypted data file (usually named aacaa.gif, aacab.gif or similar) from a malicious link. The name of the link varies, but usually appears as:
The IP address of the malicious link is password-protected; in the sample we received, the password was "countermode.ws".Once downloaded onto the system, the downloader completely decrypts the data file. EncryptionAll the possible strings, API names and other details of the downloaded file are completely encrypted using the encryption algorithm RC4 block cipher. Before decryption, the data file appears as:
The data file is also protected by a password. The password appears as:
In the example shown, the password is "zlf4g0wdlv".The size of the password used for the encrypted data is usually around 10 characters. The strength of this password means that using a brute-force attack to crack it would take a long time. Simply guessing it would be almost impossible.After decryption, the same data file appears as:
The decrypted content is detected as a Trojan:W32/Feedel variant.
On execution, the downloader will decrypt the actual malware, which is contained in the last encrypted segment of content in the downloaded file, and is protected by a separate 9-byte long password. Once decrypted, the malware will lock itself to the hardware. The type of malware stored into this final segment may vary, but have usually been Linkoptimizers or Trojan-PSW malware.
In the sample we analyzed, the trojan collects system information from the infected machine, specifically the serial number of the Windows drive and the size of the partition. Using this information, it then adds an additional layer of encryption and drops the malware in the temporary folder, using a value obtained from GetTickCount API for the filename.Feedel uses this information as an encryption/decryption RC4 key, to ensure that the malware cannot and will not be executed on any other machine. Incidentally, this also makes analysis very difficult to perform.Feedel uses the system temporary folder, %temp%. An example path is as follows:
The temporary fileis then executed, after which boththe downloader andthe file that createdthe above mentionedfile will be deleted.