PowerZeus

• 2 samples
• PowerZeus vs. KINS is confusing. More research is required, but here are some notes:
  • Some research at the time treated them as aliases of each other.
  • The leaked source code is named "KINS", but only in archive names (e.g. KINS.7z) and GitHub metadata (e.g. repository names and READMEs).
  • The leaked source code doesn't contain the "Kasper" logo.
  • The leaked source code does contain KINS' base config virtual machine implementation (in configcrypt.cpp and configcrypt.h), but it isn't used or referenced outside those files.
  • The leaked source code uses DllConfig::getCurrent (which is very DynamicConfig-like, including webinjects) instead of the more traditional Core::getBaseConfig.
  • The leaked source code is version 1.0.2.0.
  • Samples are version 1.0.2.0.
  • Samples don't use KINS' base config virtual machine implementation, but DllConfig::getCurrent.

References (6)

• 2013-09-01: Zeus-R-uS [315]
• 2013-09-30: Having a look on the KINS Toolkit [50]
• 2013-10-10: MMD-0007-2013 - KINS? No! PowerZeuS, yes! Source Code for View & Download [76]
• 2013-10-18: A PowerZeus Incident Case Study [75]
• 2014-12-05: ZeuS meets VM [329]
• 2015-02-24: 1.0.2.0 Source Code [13]

Version	Count	ITW	IOCs	Reference Sample	Notes
1.0.2.0	2	2013-09-03	Samples	442b1971e92aefeb93774a13cd2ca15f7f8e9dad99303f1c832bd62f10e30ed2 (VT MB)

---

curator@zeusmuseum.com / @tildedennis