Kaspersky has discovered a fresh ZeuS malware strain which has targeted financial institutions worldwide.
The company says the banking trojan's latest form has targeted a total of 150 different banks and 20 payment systems worldwide, focusing on the infiltration of online banking. In total, 15 countries have been attacked, including the United Kingdom, United States, Spain, Russia, Japan and Italy.
The security firm dubbed the new ZeuS strain Trojan-Banker.Win32.Chthonic, and reported its findings in a blog post Thursday.
ZeuS is a nasty form of malware which has been tailored for different cyberattacks. Banks have been a major target of the malicious code, but ZeuS has also been discovered in phishing campaigns and attacks focused on Salesforce.com accounts.
The strain appears to be an evolution of ZeuS, and while Chthonic uses a new technique for loading modules, the malware uses the same encryptor as Andromeda bots, the same encryption as ZeuS trojans, and a virtual machine similar to that used in both ZeuS and KINS malware.
Chthonic, which impacts Windows machines, has been discovered in emails containing exploits hidden within RTF documents. Once the document is opened, the malware is downloaded to victim machines using the Andromeda bot, which then injects code into the msiexec.exe process.
Once the victim's computer is compromised, criminals can connect to the system remotely and force it to carry out fraudulent transactions. If a victim tries to access an online banking system, the malicious code kicks in and intercepts sensitive data including phone numbers, usernames, passwords, PINs and other information -- which is then sent onwards to the hacker.
The ZeuS strain also contains keylogging, microphone hijacking and webcam-spying capabilities.
In the case of one Japanese bank, the trojan hides the bank's warnings about malware and injects a script which enables the hackers to carry out transactions from the victim's account without user consent.
In Russia, Kaspersky found that when a victim opens an online banking web page in the browser, all of the contents are spoofed -- rather than just a portion, which is usually the case in an ordinary attack. To do this, the code creates an iframe with a phishing copy of the website which is the same size as the original window.
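A defender-side heuristic for the full-window iframe overlay described above, as an added example that is not from Kaspersky's report: it flags frames covering most of the viewport unless they come from an allowlisted origin. The function names, the 0.9 threshold, the frame-descriptor shape and all hostnames are assumptions made for illustration.

```javascript
// Fraction of the viewport area covered by a rectangle, clipped to the viewport.
function coverage(rect, viewport) {
  const w = Math.min(rect.x + rect.width, viewport.width) - Math.max(rect.x, 0);
  const h = Math.min(rect.y + rect.height, viewport.height) - Math.max(rect.y, 0);
  return w > 0 && h > 0 ? (w * h) / (viewport.width * viewport.height) : 0;
}

// Origin of a frame URL; null for empty src, about:blank, data: and unparsable values.
function frameOrigin(src, pageUrl) {
  if (!src) return null;
  try {
    const u = new URL(src, pageUrl);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.origin : null;
  } catch (e) {
    return null;
  }
}

// Frames that cover at least `threshold` of the viewport and are not from an
// allowlisted origin. Frames with no resolvable origin are flagged as well.
function findOverlayFrames(frames, viewport, pageUrl, allowedOrigins, threshold = 0.9) {
  const allowed = new Set(allowedOrigins);
  return frames
    .map(f => ({ ...f, origin: frameOrigin(f.src, pageUrl), covered: coverage(f.rect, viewport) }))
    .filter(f => f.covered >= threshold && !(f.origin && allowed.has(f.origin)));
}

// Constructed sample data: hostnames are placeholders, not indicators from the report.
// In a browser the rects would come from getBoundingClientRect() (assumption).
const viewport = { width: 1280, height: 720 };
const pageUrl = 'https://bank.example/login';
const frames = [
  { id: 'chat', src: 'https://help.bank.example/widget', rect: { x: 980, y: 420, width: 300, height: 300 } },
  { id: 'overlay', src: 'https://phish.invalid/login', rect: { x: 0, y: 0, width: 1280, height: 720 } },
  { id: 'blank', src: 'about:blank', rect: { x: 0, y: 0, width: 1280, height: 700 } },
  { id: '3ds', src: '/3ds/challenge', rect: { x: 0, y: 0, width: 1280, height: 720 } },
];
const flagged = findOverlayFrames(frames, viewport, pageUrl,
  ['https://bank.example', 'https://help.bank.example']);
console.log(flagged.map(f => f.id));
```

Code running in an already compromised browser can be tampered with by the same injected script, so a check like this is one signal to report server-side rather than a control to rely on.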
Fortunately, many code fragments used by the trojan to hijack bank accounts via web injection can no longer be used, as banks have changed the structure of their pages -- and in some cases, domains as well. However, as noted by the security team, since the ZeuS code has been leaked, we are likely to see new variants of ZeuS in the future.