
Apollo Malware Campaign Targets Bankers in Eastern Europe

A malware campaign targeting online banking customers in Eastern Europe uses a mix of the old and the new as it swipes data from unsuspecting victims.


Dubbed the Apollo campaign by Trend Micro, it pairs a highly customized version of Zeus with an exploit for an old vulnerability in Microsoft Word. In most of the incidents, the attack begins with an email disguised as a message from the Ukrainian government. The spoofed emails carry attachments that exploit CVE-2012-0158, which Microsoft patched in MS12-027.

“The malicious .EXE file is a customized ZeuS variant, which uses bot version 2.7.6.8,” according to a research paper on the campaign. “It also has a specially named malicious component that contains Webinject files for specific online banks and payment services, all based in Eastern Europe.”

“In the past, banking Trojans like SpyEye and ZeuS used Webinject files as additional tools to steal victims’ personal online banking, webmail service, and financial service account credentials,” the paper continues. “A Webinject file contains several lines of JavaScript and HTML code to mimic or create fake pop-up notifications that ask users for their credentials every time they access their online bank accounts. In addition, Webinject files are capable of adding extra fields for users to fill up.”
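The quoted paper describes webinjects adding extra fields to a bank's login page inside the infected browser. As an added illustration of the defender's side (not code from the article or from Trend Micro's research), the following checks a rendered login form against an allowlist of the fields the bank actually serves and reports any that were injected; the HTML and the allowlist are constructed sample data for a hypothetical login page.

```python
"""Flag webinject-style form fields that the bank never served.

Added example, not part of the original article or the research paper.
The allowlist and the sample page below are constructed for illustration.
"""
from html.parser import HTMLParser

# Hypothetical allowlist: the only named inputs on the genuine login form.
EXPECTED_FIELDS = {"username", "password", "csrf_token"}

# Controls that carry no user data; ignored when diffing the form.
NON_DATA_TYPES = {"submit", "button", "reset", "image"}


class FormFieldCollector(HTMLParser):
    """Collect (name, type) for every data-carrying form control."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        ftype = a.get("type", tag) if tag == "input" else tag
        if ftype in NON_DATA_TYPES:
            return
        self.fields.append((a.get("name", ""), ftype))


def injected_fields(html, expected=EXPECTED_FIELDS):
    """Return (name, type) pairs present in the page but absent from the allowlist."""
    parser = FormFieldCollector()
    parser.feed(html)
    return [(n, t) for n, t in parser.fields if n not in expected]


# Constructed sample: the genuine form plus two fields a webinject has added.
SAMPLE_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="card_pin">
  <input type="text" name="secret_answer">
  <input type="submit" value="Log in">
</form>
"""

if __name__ == "__main__":
    for name, ftype in injected_fields(SAMPLE_PAGE):
        print(f"unexpected field: name={name!r} type={ftype}")
```

In practice a check like this runs as client-side telemetry that reports back to the bank's fraud team, since the tampering only exists inside the infected browser and never appears on the server.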

The malware’s configuration file was modified to download four additional modules that take screenshots and log keystrokes, rather than relying on the usual redirection. This modification is likely meant for banks with advanced authentication measures, according to the paper.


Trend Micro found more than 5,000 IP addresses worldwide impacted by the attack. Some of the compromised computers were located in North America. In addition to Zeus, the attackers used other information-stealing malware such as the Bleeding Life exploit pack, Pony Loader and Ann Loader.

“Our research shows that while most banking Trojans target well-known banks (in the US, UK, etc.), there are some that prefer a more regional and less conventional approach and by using several tools available underground, the operators were able to carry off their plans,” blogged Trend Micro Senior Threat Researcher Jessa De La Torre. “Moreover, it also demonstrates that cybercriminals are always looking for alternative ways to adapt to defenses.”

The paper is available here.

Written By

Marketing professional with a background in journalism and a focus on IT security.
