on October 5, 2018

ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545)

This blog post details the research performed by the Blueliv Labs team and presented by Jose Miguel Esparza at Virus Bulletin in Montreal. The research is related to ARS Loader and its evolution, the appearance of a new stealer based on ARS, ZeroEvil, and how both malware families have gotten together in an active campaign against Canadian businesses and, indirectly, banks.

You can find a link to IOCs related to the research, within our Blueliv community  and the presentation.

ARS Loader and its evolution

ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script and its main purpose is to control an infected machine via different available commands, acting as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which at the same time seems to be based on SafeLoader. SafeLoader was written in Visual Basic and created in 2014 as a research project by a group of Spanish developers who were sharing knowledge in a forum called indetectables.net.

Actor selling ARS Loader in an underground forum

ARS Loader has been around since December 2017, announced in underground forums with the intention of being sold. It has since evolved. The base code collected system information from the infected computer and sent it back to the C&C, receiving a response which could contain different executable commands. The basic commands allowed the bot to download and launch executables, download and execute plugins/dlls, update the bot, uninstall and perform a Denial of Service (DoS) attack.

ARS Loader commands

The developer removed some functions, such as the command to perform a denial of service attack, and added other functionalities in 2018, such as sending a screenshot when the malware is executed for the first time, the ability to download and execute Power Shell commands and a function to collect passwords stored in the Edge web browser. The communication with the C2 has remained intact all these months, using only HTTP requests and sending the information back and forth in plain text.

ARS Loader evolution

ARS Loader’s functionality can be extended with the execution of plugins using rundll32.exe, calling the exported function ARS. Mainly, we have seen four different kind of plugins, all related to stealing credentials from the victims:

  • dll: contains the post-exploitation tool LaZagne in the resources section and will extract and execute it, sending the results to the C2.
  • NDR.dll / NDL.dll: acts as a loader, executing an embedded binary. In most of the samples we have seen the malware family executed was SmokeLoader. These plugins contain the following PDB path, giving hints about the developer (cot):
    • C:\Users\COT\Documents\Visual Studio 2012\Projects\AIRNAINE\Release\NaineDllPeRunner.pdb
  • Stealer_01_x32.dll / Stealer_01_x64.dll: uses sqlite to extract stored passwords from Google Chrome, Yandex Browser and Comodo Dragon login information. After collecting information, it sends it to the C2.
  • ars_s.dll: spread in September 2018, this plugin includes the same functionality as the previous one but adds a VBS script to steal Edge passwords via Power Shell.

ZeroEvil: a new stealer in town

In mid-September we observed that some samples we analyzed in our sandboxes exhibited similar behavior to ARS Loader, and especially some of its plugins like ars_s.dll. However, these were not VBS files but executables. In our comparison with ars_s.dll, these executables dropped the same files, such as the VBS files executing PowerShell code to steal Edge passwords, but instead of seeing the usual ARSv5 strings we detected a new string, ZeroEvil.

Visual Basic Script code mentioning “ZeroEvil”

After analyzing the ARS plugin and the new ZeroEvil samples in our sandboxes, we also identified a similar plugin:

Behavior comparison between ars_s.dll (left) and the new samples (right)

When comparing some parts of the code at binary level, they shared code (even byte by byte) and in particular the code which governed stealing credentials from the three aforementioned web browsers (Google Chrome, Yandex Browser and Comodo Dragon).

Code-level comparison between ars_s.dll (left) and the new samples (right)

We also saw similarities in the communication with the C2, when the malware reported back its stolen information. In the case of the ARS plugins, they use “plugin_gate.php?plugin=” and in the case of ZeroEvil it is using “logs_gate.php?plugin=”, sending both pieces of stolen information in plain text.

Considering all these similarities – between ars_s.dll, one of the latest detected ARS plugins, the new executables – it is probably that the same developer wrote both pieces of malware and shared a lot of code between the projects. It is also possible that the ARS plugin code was shared with a different developer, but keeping in mind that the server side seems to be partially similar we hypothesize that it is in fact the same developer.

But not all is the same in ZeroEvil. The main communication of the trojan, used to send the operating system information and receiving commands, is sent encoded/encrypted.

ZeroEvil C2 communication to receive commands

However, the algorithm which obtains the decoded/decrypted information is quite simple, using a specific key (the offensive phrase “nigger” in all the samples we analyzed. Please note that we have maintained this word in order to preserve the authenticity of the research and it is in no way intended to cause offense) and performing simple operations. These few lines of Python code permit the collection of the plain text information:

Besides this communication we list other new functions we observed in ZeroEvil compared with ARS:

  • Sends the process list to the C2 (txt)
  • Searches the victim’s desktop recursively looking for .txt files and sends the content to the C2 when one is found
  • Search for dat and default_wallet files and sends them to the C2

Even if ZeroEvil’s functionalities are not as advanced as other stealers like Pony or LokiPWS, since it does not support much additional software, we see these samples as beta versions and still under development with new changes to be made in the near future. It remains possible it won’t reach the level of those stealers, but it will still represent a threat for most users, stealing valuable information and permitting access to sensitive data, such as bank details, for instance.

AirNaine/TA545 and his active campaign against Canada

Despite observing new functionalities in the ARS Loader code in recent months, we still have not seen these new functionalities being publicly advertised by the ARS seller in underground forums. This probably means that the developer is working exclusively for a specific actor, or that maybe he already has a decent number of private customers. Whatever the reason, this is a remarkable detail, as is the fact that the new ARS functionalities have been used in an active campaign against Canadian users since ARS was first advertised back in December 2017.

Without any doubt, there is a close relationship between the ARS developer/seller and the actor behind campaigns in Canada, which we call AirNaine. The name is based on the PDF path we found in the NDx.dll plugins (AIRNAINE\Release\NaineDllPeRunner.pdb). This actor is known as TA545 by Proofpoint, who conducted additional research detailing historical information in their blog post.

The following table shows a summary of the activity of the actor since 2016. It is compiled from information shared by Proofpoint in addition to Blueliv data from 2017-2018.

As the table shows, during 2018 AirNaine has been using Onliner Spambot as a method to distribute different payloads to Canadian citizens. Onliner Spambot bots communicate with the C2 with lists of recipients, templates to be used as message body, headers and payload URLs to be included in the template, and information around where it will download the attachments. During the quarter between June and August 2018, we collected the following information about the SPAM campaigns:

  • Recipients
    • Sent to ~10K different e-mail addresses
    • More than 90% of those addresses were using a .ca TLD, and not the usual gmail.com or yahoo.com domains, meaning these were campaigns 100% focused on attacking Canadian businesses.
  • Payload URLs
    • Using compromised websites to host the malicious payload
    • Always changing websites and including more than one per campaign
    • Almost 1,000 different payload URLs
    • 95% of those URLs using new domains (~950)
    • Almost 70% of those domains using a .ru TLD, probably due to the fact that they are usually more difficult to be taken down.
  • Payload filenames
    • CCUA.zip
    • CanadaPost-Tracking.zip
    • CanadaPost.zip
    • CoastCapitalSavings.zip
    • Purolator-Label.zip
    • Purolator-Shipment.zip
    • Purolator-Tracking.zip
    • Purolator.zip
    • e-Transfer.zip
    • savingsStatements.docx

Checking the filenames, we observe that the templates used shipping and logistics company themes, including Canada Post, Purolator, Canada Credit Union and Coast Capital Savings. The templates initially asked the user to visit a link, but since June 2018 they directly attaching files to the emails too. At the end of September, this successfully distributed a phishing page targeting Coast Capital Savings. These are some of the templates used by the actor during this year:

Most of these templates contained ZIP files including obfuscated Visual Basic Script or JavaScript code, ultimately executing ARS Loader. Stealer plugins were also executed as additional payloads, completing the ARS Loader or Smoke Loader sample functionalities.

Those Smoke Loader samples were not used as loaders as we are used to seeing, but as simple stealers, making it clear that the main objective of the actor is to steal credentials from the victims.

Most of the Smoke Loader samples were digitally signed using the names of legitimate companies located in United Kingdom and used the names of these companies as filenames. For example, a sample distributed in July 2018 as WintersLCorp.exe was digitally signed using the CN “WINTERS & CO LIMITED” and used the real address of the company in the certificate:


In summary, AirNaine / TA545, the actor behind these campaigns targeting Canadian businesses, tries to collect email addresses belonging to Canadian corporate accounts, use them to spread malware against them, tries to steal credentials from the victims to monetize these accounts, probably looking specifically for banking accounts. This actor has been changing tools and tactics during its years of activity, implying that the profit incentive is more important to its user than the means. It does not seem that this actor will halt its activities in the short-term, and it is likely that new tools and tactics will be developed if they have a decent ROI for the attacker.

Demo Free Trial Community