The landscape of ransomware has transformed significantly over the years, evolving from simplistic attacks to highly sophisticated, multifaceted campaigns. One of the most well-known examples of early sophistication in malware was the Zeus banking trojan. As we explore the innovation behind Zeus’s evolution, we also turn our focus towards how modern advancements, such as large language models (LLMs), might shape the next wave of ransomware attacks.

Zeus: A Case Study in Worm Functionality

Zeus first emerged in 2007 as a banking trojan primarily targeting online banking credentials through techniques such as form-grabbing, keylogging, and man-in-the-browser (MitB) attacks. Initially, its modus operandi centred on stealing user credentials by injecting malicious code into browsers during online banking sessions. However, what set Zeus apart from other malware of its era was its unprecedented ability to adapt and evolve rapidly. Many companies and dev houses talk about shifting left and being agile, but so too are malware devs and Zeus really adopted this approach. Over time, Zeus expanded into a modular platform with new capabilities, posing a persistent challenge to security measures and shaping the blueprint for future cyber threats.

Zeus’s Evolution into a Worm: The PE_LICAT Module

One of the pivotal advancements in Zeus’s lifecycle was the incorporation of the PE_LICAT (also known as Murofet) module. This transformation extended its reach beyond credential theft and turned Zeus into a file-infecting worm capable of spreading autonomously within networks.

Mechanism of Infection:

The PE_LICAT module injected malicious code into targeted executables, including files on removable media, such as USB drives. Once activated, the infected files would carry the Zeus payload and propagate whenever the media was inserted into a system. By targeting removable media, PE_LICAT leveraged a common attack vector that bypasses many network-centric security measures. Who didn’t plug that free conference USB in when they got home right?

Propagation Tactics:

The infection was initiated on command, often triggered by instructions received from the Zeus command-and-control (C2) servers. This allowed it to move laterally within networks—a hallmark of worm-like behaviour. Upon successful infection, Zeus could enumerate network shares and spread its reach within organisational environments.

Domain Generation Algorithm (DGA): Enhancing Resilience

As with all good malware, there exists a phenomenally fast response from security researchers and law enforcement in order to take it down. This cat and mouse game has existed for decades and Zeus got creative by introducing the use of Domain Generation Algorithms (DGAs) to maintain resilient C2 communication channels. The DGA-generated domains functioned as an ever-changing list, making it difficult for defenders to preemptively block connections. The use of DGAs wasn’t new; we first saw them properly used with Conficker in 2009 when Conficker entered an infinite loop, within which it generated a list of 250 domain names (rendezvous points).

The name-generation function was based on a randomising function that it seeded with the current UTC system date. The same list of 250 names was generated every 3 hours, i.e., 8 times per day. A truly brilliant way to evade detection and it set the scene.

• Functionality of the DGA: Zeus’s DGA used deterministic algorithms that derived domain names based on factors like date and time too. This allowed it to generate and attempt communication with hundreds of potential C2 servers daily. Even if one domain was blocked or seized, Zeus could still connect to new C2 addresses.
• Persistence and Evasion: This capability exemplified MITRE ATT&CK Technique T1568: Dynamic Resolution and demonstrated Zeus’s capacity to elude traditional domain-based defences, making static blocklists ineffective or at least really hard and expensive to do.

Gameover Zeus: The Transition to Peer-to-Peer Networking

Zeus underwent another critical transformation with the release of Gameover Zeus in 2011. This evolution marked a shift from centralised C2 infrastructure to a decentralised peer-to-peer (P2P) model, drastically improving its resilience and survivability against takedowns. This is where it all changed and many took notice, namely due to how they approached it with:

P2P Architecture:

Gameover Zeus leveraged the Kademlia P2P protocol, which allowed infected nodes to communicate directly with each other, exchanging updates and distributing instructions (inspired by Stuxnet or is it). Each infected node acted as a peer, forming a distributed network that eliminated single points of failure. Unlike traditional botnets, where taking down the central C2 server could effectively neutralise the threat, Gameover Zeus maintained operations even if many nodes were disrupted.

Encrypted Communications:

The P2P communications were often encrypted, further complicating network monitoring and analysis for defenders. Unless you were breaking the stream, you couldn’t see the payloads and this frustrated a lot of hunters.

Tactics for Persistence:

Gameover Zeus employed a combination of public and private key encryption to authenticate peers, ensuring that only legitimate nodes could join the botnet. This approach demonstrated significant resilience and robustness against network disruption attempts. Interestingly, before 2013, Gameover Zeus relied on a “rolling XOR” algorithm to encrypt its network communications. However, after June 2013, it transitioned to using RC4—a stream cipher that generates a pseudo-random sequence of bytes for XOR-based encryption. This upgrade provided stronger obfuscation and security compared to the rolling XOR method, making it more challenging to decrypt and analyse network traffic without knowledge of the key. Although the shift to RC4 represented an evolution in its encryption strategy, RC4’s inherent weaknesses as a stream cipher still left some vulnerabilities.

Tactics, Techniques, and Procedures (TTPs) Employed by Zeus

Zeus’s TTPs were advanced and sophisticated and whilst this term is heavily overused in modern detection engineering, we wanted to align their TTPs with several MITRE ATT&CK techniques just to showcase the advanced thinking of the Zeus team:

• Credential Dumping (T1003): Zeus often used form-grabbing and keylogging to capture user credentials, particularly from banking sessions.
• Command and Control via Application Layer Protocol (T1071): Zeus communicated with its C2 infrastructure over common protocols such as HTTP and HTTPS, making its traffic blend in with legitimate network traffic.
• Data Obfuscation (T1027): To evade detection, Zeus employed techniques such as obfuscating its payloads, encrypting communications, and leveraging DGAs.
• Process Injection (T1055): In some instances, Zeus would inject itself into processes to maintain stealth and avoid process-based detection by endpoint security solutions.
• System Information Discovery (T1082): Once inside a system, Zeus would enumerate network shares, identify potential data of interest, and analyse its environment to optimise its attack strategies.

Implications of Zeus’s Worm Capabilities

Zeus’s innovative features, including its worm-like propagation capabilities and its use of P2P networking, made it a formidable and persistent threat. By continually adapting its TTPs, Zeus set a precedent for modern ransomware and malware operations. Today’s ransomware often mirrors Zeus’s strategies, employing decentralised infrastructures, leveraging legitimate tools, and innovating around network defences to maximise their reach and impact.

What hasn’t changed is that we still have, and one could argue that we have even more, hunters trying to reverse engineer and detect all manners of actors doing bad things.

The legacy of Zeus lives on in the contemporary threat landscape, where its tactics continue to inform and inspire new iterations of sophisticated malware campaigns.

Modern Ransomware and Worm Capabilities

In recent years, ransomware has continued to evolve, leveraging increasingly sophisticated techniques to maximise both impact and evasion. This evolution has seen the convergence of worm capabilities with advanced persistence mechanisms, creating highly adaptive threats. Two prime examples illustrate the ingenuity and complexity of modern ransomware and worm operations: the P2PInfect worm (written in Rust, you hipsters you!) and the use of ‘living off the land’ binaries (LOLBins) in ransomware campaigns like Frag.

P2PInfect: The Modern Worm in Action

P2PInfect exemplifies how modern threats have inherited and built upon the strategies of past malware, such as Zeus. Written in Rust, a programming language known for its safety, concurrency, and cross-platform capabilities, P2PInfect demonstrates how attackers have evolved their approach to maximise propagation across diverse environments. What’s interesting is that by choosing Rust, not only are they adopting memory-safe language approaches but they’ve also made it even harder for security researchers to reverse engineer their binaries (reference) and some notable architecture choices are:

Cross-Platform Propagation

Unlike traditional malware, which often targets a single operating system or architecture, P2PInfect is designed to infect a wide range of platforms, including x86-64, ARM, and MIPS architectures. By leveraging cross-platform compatibility, it broadens its potential attack surface and increases the likelihood of compromising diverse networked environments.

Decentralised Communication Model

Much like Gameover Zeus, P2PInfect employs a decentralised communication approach. It forgoes reliance on a central command-and-control (C2) server in favour of peer-to-peer (P2P) networking. This allows infected devices to communicate with each other directly, exchanging commands and updates without a central point of failure. This strategy ensures greater resilience and complicates efforts by defenders to disrupt or dismantle the malware’s operations.

Exploitation and Propagation Techniques

P2PInfect primarily targets vulnerable Redis servers and uses brute-force tactics over SSH connections to spread. Once a target is compromised, the worm moves laterally, often aided by network enumeration techniques. This approach is consistent with MITRE ATT&CK Techniques T1190 (Exploit Public-Facing Applications) and T1135 (Network Share Discovery).

Obfuscation and Self-Defence Mechanisms

To evade detection, P2PInfect employs a series of obfuscation and self-protection measures. For example, it utilises encryption to secure its communications and hides its payloads within seemingly benign binaries. This is indicative of MITRE ATT&CK Techniques T1027 (Obfuscated Files or Information) and T1562 (Impair Defences).

The adaptability and resilience of P2PInfect highlight how modern worm-based threats continue to evolve and adopt techniques to propagate widely while resisting traditional detection and mitigation measures. With everyone now trying to detect your malicious activity and binaries using AI and Machine Learning, does it prove useful to stand out?

LOLBins and Modern Ransomware Strategies

Living off the land binaries (LOLBins) represent a shift in how attackers approach stealth and evasion. Rather than relying solely on custom-built tools that might trigger security alerts, ransomware operators increasingly use legitimate, pre-installed software to carry out their malicious operations. This trend is exemplified in campaigns such as those conducted by the Frag ransomware group, as highlighted in research by Agger Labs.

LOLBins are legitimate executables and scripts native to an operating system or commonly used software suite. Examples include utilities like PowerShell, Windows Management Instrumentation (WMI), WinRAR, and WinSCP. Because these tools are often trusted by endpoint security solutions, their use helps attackers avoid detection and scrutiny. Used by many a pen tester and red teamer over the year, it’s inevitable that ransomware crews adopt them too, I mean it makes sense right?

The Frag ransomware group demonstrates how LOLBins can be weaponized to devastating effect. By leveraging tools like WinRAR for compressing and archiving data and WinSCP for transferring exfiltrated files, attackers can blend their activities into legitimate-looking processes, evading security measures designed to detect abnormal behaviours. Some examples of this are:

Example of File Compression and Transfer

Instead of using custom data exfiltration scripts, Frag operators employ WinRAR to bundle sensitive files before exfiltration. This approach helps evade network and endpoint detection mechanisms that might flag unknown processes or connections.

Exploiting Backup Systems

Frag ransomware also targets backup solutions, focusing on corrupting or deleting backups to increase leverage over victims.

Bypassing Endpoint Detection and Response (EDR) Solutions

Attackers have recently used LOLBins in combination with EDR-killing tools to disable security defences before launching ransomware payloads. For example, by exploiting vulnerabilities in signed drivers or using BYOVD (Bring Your Own Vulnerable Driver) attacks, threat actors gain privileged access and undermine EDR solutions, as noted in the Agger Labs study on Frag.

The Role of LOLBins in Modern Worm Capabilities

The use of LOLBins extends beyond basic ransomware tactics and intersects with worm-like behaviours to enhance both propagation and stealth. By integrating legitimate tools and processes into their operational workflows, ransomware crews could achieve the following objectives:

• Reduce the Attack Footprint: LOLBins minimise the need for custom scripts, reducing the likelihood of triggering security alerts based on heuristics or signature-based detections.
• Blend In with Legitimate Activities: By using commonly trusted tools, attackers make it difficult for defenders to distinguish between benign and malicious actions.
• Enable Seamless Movement Across Environments: With the ability to leverage system-native utilities, attackers can more easily navigate heterogeneous environments, from Windows workstations to Unix-based servers.

It is clear, to us at least, that the convergence of worm capabilities, decentralised propagation, and the strategic use of LOLBins represents the modern evolution of ransomware. By combining stealth, resilience, and expansive reach, today’s threats pose significant challenges to defenders. Drawing inspiration from historical examples like Zeus while leveraging contemporary innovations, attackers continue to evolve, making comprehensive defence strategies more essential than ever.

So where next? Can we honestly write an article that doesn’t delve into the potential for using Artificial Intelligence?

LLMs: The Next Frontier in Ransomware Evolution?

The integration of large language models (LLMs) into ransomware operations has the potential to transform the threat landscape, enabling attackers to automate and scale their campaigns with unprecedented sophistication. While speculative, this possibility underscores how advances in artificial intelligence can be leveraged to supercharge malicious activities, particularly in the context of creating more efficient and adaptive worms.

Agger Labs Predictions

1: Using LLMs for Generating Polymorphic Code Variations

Polymorphism and Obfuscation: One of the key challenges in malware detection is identifying unique code signatures. Ransomware typically evolves by using obfuscation, encryption, and polymorphism to create newly refactored variants that evade detection. An LLM could automate this process on a massive scale, generating thousands of slightly modified versions of a worm in seconds.

Technical Detail: By leveraging deep learning models trained on code generation, attackers could produce ransomware payloads that modify themselves upon each infection attempt. This would make signature-based detection by traditional antivirus tools virtually obsolete, necessitating more sophisticated heuristic or behavioural analysis.

They could randomise how they call and execute the cryptographic functions to which they heavily rely upon and indeed make life miserable for those who solely rely on such signatures to extract keys and offer a solution.

2: Automated Vulnerability Discovery and Exploitation

Vulnerability Analysis at Scale: LLMs, particularly when trained on a large corpus of public and internal security data, can potentially identify vulnerabilities within software systems at unprecedented speed and scale. This capability could be leveraged to pinpoint zero-day vulnerabilities suitable for exploitation in worm propagation. We are already seeing research in this space and indeed we have seen ransomware crews adopt the same bug hunting approach as Google Project Zero by purchasing edge devices in order to look for vulnerabilities. Consider the following example scenario:

A ransomware operator using an LLM (either custom or from ollama) to scan publicly available code repositories, exploit databases, and CVEs to identify unpatched vulnerabilities. This model could generate exploitation scripts tailored to each target system’s configuration, improving the success rate of initial access and lateral movement.

We are seeing this being a thing (reference).

3: Crafting Highly Convincing Social Engineering Campaigns

First, let me caveat this with “yes, we are aware this is happening already”, but we have a thing we think might be used based on chatter on the underground and our own evil thinking and that is:

Personalised Phishing Lures: Social engineering remains one of the primary vectors for delivering ransomware. LLMs can generate highly persuasive phishing emails, tailored social media messages, or voice impersonations based on the vast amounts of data available online.

Dynamic Content Creation: An LLM can analyse publicly available data about a target (e.g., social media posts, job profiles, company information) and craft personalised messages that greatly increase the likelihood of engagement.

Example: A hypothetical worm equipped with LLM capabilities could generate emails that mimic internal communications, complete with realistic context and language patterns, to lure unsuspecting employees into executing malicious payloads.

4: Adaptive Worm Behavior and Decision Making

Real-Time Adaptation: An LLM-augmented worm could adjust its behaviour based on the target environment in real-time. I don’t think we are here yet with the current crop of models but for example, it could analyse network architecture, assess security tools in place, and choose the optimal path for propagation, whether through lateral movement via network shares, exploiting vulnerabilities, or leveraging human interaction.

Example Scenario: Upon encountering a network protected by an advanced EDR solution, an LLM-based worm could dynamically generate strategies to evade detection, such as identifying and exploiting weaknesses in the EDR or switching to a stealthier mode of operation using LOLBins already present on the target system.

5: Automating Post-Exploitation Tasks

Everyone is all about automation and it’s clear that so too are criminals. Automate all the things is the most efficient way of getting better ROI.

Task Automation with LLMs: Post-exploitation activities, such as data exfiltration, lateral movement, and privilege escalation, could be automated and optimised through the integration of LLMs. Once inside a network, the worm could leverage its AI model to prioritise high-value targets (such as file shares, backup servers, internal applications often forgotten about by security etc), identify sensitive data, and exfiltrate it efficiently.

Advanced Persistence: The LLM could also identify opportunities to establish long-term persistence through techniques like credential dumping, creating hidden scheduled tasks, or modifying system processes. Imagine a scenario where it detects Falcon running and on-the-fly it adapts the payloads to bypass that based on security research released on bypassing EDRs (reference).

6: Evasion and Defence Bypassing

As we documented in our FRAG blogpost, the use of EDR killers is on the rise and this is where LLMs could help, namely:

Evasion Strategies Generated on the Fly: LLMs can be used to generate novel techniques for bypassing security tools, such as anti-virus, EDR, and intrusion detection systems (IDS). This could include creating new fileless attack vectors or identifying blind spots in monitoring solutions.

Example: An LLM-driven worm might identify and exploit weaknesses in kernel-mode drivers using a BYOVD (Bring Your Own Vulnerable Driver) approach, as previously seen with contemporary ransomware.

Conclusion

To us, the advancing skills and capabilities of ransomware crews as well as the sheer growth of the market has shown how they are adapting and adopting many new and old technologies.

The potential for LLMs to enhance ransomware capabilities raises significant ethical and security concerns. While AI has tremendous potential for defensive applications, such as automating threat detection and response, its dual-use nature poses a real risk in the hands of adversaries. Organisations must remain vigilant and invest in advanced security measures, including AI-driven defensive tools, to counterbalance these potential threats. Additionally, responsible development, regulation, and collaboration between public and private sectors are essential to ensure that advancements in AI do not disproportionately benefit malicious actors.

The innovations pioneered by malware like Zeus set a precedent for the complex, multifaceted attacks we see today. As we look ahead, the integration of advanced technologies, such as LLMs, poses both new risks and new opportunities for defenders.

This is what keeps Agger Labs active. We know this space well, we know where it might be heading and build tooling to help make your lives better and their lives more miserable.