SecurityWeek

Malware & Threats

Apollo Malware Campaign Targets Bankers in Eastern Europe

A malware campaign targeting online banking customers in Eastern Europe uses a mix of the old and the new as it swipes data from unsuspecting victims.

Dubbed Apollo by Trend Micro, the campaign uses a highly customized version of Zeus in tandem with an exploit for an old vulnerability in Microsoft Word. In most of the incidents, the attack begins with an email disguised as a message from the Ukrainian government. The spoofed emails carry attachments that exploit CVE-2012-0158, which Microsoft patched in MS12-027.

“The malicious .EXE file is a customized ZeuS variant, which uses bot version 2.7.6.8,” according to a research paper on the campaign. “It also has a specially named malicious component that contains Webinject files for specific online banks and payment services, all based in Eastern Europe.”

“In the past, banking Trojans like SpyEye and ZeuS used Webinject files as additional tools to steal victims’ personal online banking, webmail service, and financial service account credentials,” the paper continues. “A Webinject file contains several lines of JavaScript and HTML code to mimic or create fake pop-up notifications that ask users for their credentials every time they access their online bank accounts. In addition, Webinject files are capable of adding extra fields for users to fill up.”

The malware’s configuration file was modified to download four additional modules to take screenshots and log keystrokes as opposed to using the usual redirection. This modification is likely meant for banks with advanced authentication measures, according to the paper.

Trend Micro found more than 5,000 IP addresses worldwide impacted by the attack. Some of the compromised computers were located in North America. In addition to Zeus, the attackers used other information-stealing malware such as the Bleeding Life exploit pack, Pony Loader and Ann Loader.

“Our research shows that while most banking Trojans target well-known banks (in the US, UK, etc), there are some that prefer a more regional and less conventional approach and by using several tools available underground, the operators were able to carry off their plans,” blogged Trend Micro Senior Threat Researcher Jessa De La Torre. “Moreover, it also demonstrates that cybercriminals are always looking for alternative ways to adapt to defenses.”

The paper is available here.
