Offensive .NET: theZoo

If you’ve never heard of theZoo and you’re in the security space with some .NET development skills this is a real treat for you. The GitHub repository, “theZoo”, is a collection of binaries and source code of captured and caged malware. Digging through this I found some .NET malware that you may want to study. Most of the code was very low level and simple. There are plenty of Remote Access Trojans (RATs) and code that anyone can learn from. You can also do debugging and static analysis to understand what these viruses do.

DISCLAIMER

As always, it is illegal to distribute malware in the United States. Be sure you are responsible and fully aware of all local, state and federal laws where you live. I am not responsible for your actions and cannot be held liable.

Most Dangerous Malware

Some of the most sophisticated malware can be found in the binaries folder. There is malware in this repository that the infamous state-sponsored APT, “The Equation Group” developed like DoubleFantasy, EquationDrug, EquationLaser, Fanny, GROK, GrayFish, and TripleFantasy.

Pulling “theZoo” from GitHub

When downloading the most dangerous malware on the planet, it is best practice to name the folder something you won’t forget. The name “definitelynotmalware” seems very appropriate.

Extracting the Malware

Each folder has a zip file of malware and a password file for extracting the encrypted password-protected zip file. I believe one of the reasons they did this is so antivirus won’t pick it up and quarantine the files. There is also a SHA256 file to verify that the zip file has not changed.

.NET Malware

I started digging around and found that there is a bunch of “Win32” malware that is mostly .NET. Some of it is actually C/C++.

I’ve confirmed that these libraries are .NET malware.

C/C++ Malware

  • Alina
  • AryanRAT
  • Athena
  • Carberp
  • CyberBot v2.2
  • DBot3.1
  • Dexter
  • Dokan
  • DopeBot.A
  • DopeBot.B
  • DopeBot v0.22 Crippled
  • DopeBot v0.22 UnCrippled
  • HellBot v3.0
  • IoT.Mirai
  • KINS (PHP also…)
  • LiquidBot
  • LoexBot 1.3
  • NBot
  • NullBot
  • PowerLoader
  • rBot 0.3.3
  • Rovnix
  • Rubilyn
  • ShadowBot
  • ShadowBot v3
  • W32.MyDoom.A
  • LoexBot 1.3
  • Win32.MiniPig
  • Win32.NinjaBot (Delphi??? has .pas files)
  • Win32.ogw0rm
  • Win32.Pegasus
  • Win32.Remhead (n00bkit)
  • X0R-USB
  • xTBot0.0.2
  • XtremeRAT (Delphia??? has .pas files)
  • ZeuS2.0.8.9

.NET/VB/VBS Malware

  • Blackdream
  • BShades_Fusion_Source
  • APKBinder (VB)
  • StubEng (VB)
  • PlasmaHTTP (VB)
  • Jigsaw (C# Ransomware)
  • SpazBot 2.12
  • v0lk (VB 6)
  • vbBot (VB)
  • VBS.Win32.Vabian
  • Win32.BlackWorm
  • Win32.Carbanak (C#)
  • Win32.DiamondRAT (VB)
  • Win32.LokiRAT (C#)
  • Win32.LuxNET (VB)
  • Win32.MCRYPT (C#)
  • Win32.njRAT (VB)
  • Win32.QuasarRAT (C#)
  • Win32.ShadowTech (VB)

PHP Malware

  • ExploitKit.0x88
  • ExploitKit.BlackHole.100
  • ExploitKit.BlackHole.102
  • ExploitKit.BleedingLife.2
  • ExploitKit.Crimepack 3.1.3
  • ExploitKit.DemonHunter
  • ExploitKit.Eleonore 1.4.1
  • ExploitKit.Fragus
  • ExploitKit.Phoenix 2.5
  • ExploitKit.RIG
  • ExploitKit.Sakura
  • ExploitKit.Sava (NSFW: Contains Porn)
  • Grum
  • KINS (Mostly C but has a php app)
  • Mazar (АДМИНКАМАЗАР)
  • Zemra
  • ZunkerBot 1.4.5

Python

  • ZIB Trojan

Assembly Malware

  • TinyBanker

What can you learn from theZoo’s Malware source code?

I’ve started digging into the code and some of the common things you can learn are encryption, compression, remote access control, Windows API, reverse proxies, SOCKS5, key loggers, task monitors, and more. The list is endless.

Some of these apps are capable of building new malware using .NET code. I found some of this to be the most impressive because it allows the malware to grow and upgrade itself.

RELATED ARTICLESMORE FROM AUTHOR