A malware campaign targeting online banking customers in Eastern Europe uses a mix of the old and the new as it swipes data from unsuspecting victims.
Dubbed the Apollo campaign by Trend Micro, it pairs a highly customized version of the ZeuS banking Trojan with an exploit for an old vulnerability, CVE-2012-0158, in the Windows Common Controls (MSCOMCTL.OCX), a flaw that is typically triggered through malicious Microsoft Office documents. In most of the incidents the attack begins with an email disguised as a message from the Ukrainian government. The spoofed emails carry attachments that exploit the flaw, which Microsoft patched in 2012 in bulletin MS12-027.
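As an added example (not Trend Micro's code and not taken from the paper), the following triage helper flags RTF attachments that embed the MSCOMCTL ListView ActiveX control targeted by CVE-2012-0158 exploits. The CLSID is the publicly documented identifier of MSComctlLib.ListViewCtrl.2; the two RTF samples are constructed here for illustration, and their objdata blobs are stubs rather than real OLE containers.

```python
"""Triage helper for mail attachments: flag RTF files that embed the
MSCOMCTL.OCX ListView control that CVE-2012-0158 (MS12-027) exploits target.
Added example; not Trend Micro's code.  Samples below are constructed."""
import re
import uuid

# Publicly documented CLSID of MSComctlLib.ListViewCtrl.2 (Windows Common Controls).
LISTVIEW_CLSID = "BDD1F04B-858B-11D1-B16A-00C0F0283628"
# ProgID prefixes of the common-controls classes the exploit relies on.
SUSPECT_PROGIDS = ("MSComctlLib.ListViewCtrl", "MSComctlLib.TreeCtrl")

# {\*\objclass <progid>} and {\*\objdata <hex...>} groups inside an \object.
_OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^\s{}\\]+)")
_OBJDATA_RE = re.compile(rb"\\\*\\objdata\s+([0-9A-Fa-f\s]+)")


def scan_rtf(rtf: bytes) -> list:
    """Return one finding per embedded object that looks like a
    common-controls (ListView/TreeView) embedding.

    Two independent signals are checked, because attackers may drop the
    human-readable ProgID but the OLE stream still needs the binary CLSID:
      * the \\objclass ProgID names an MSComctlLib control;
      * the hex \\objdata contains the ListView CLSID in its on-disk
        (little-endian GUID) byte layout.
    """
    guid_le = uuid.UUID(LISTVIEW_CLSID).bytes_le  # 4b f0 d1 bd 8b 85 d1 11 ...
    findings = []
    # Each \object control word starts a new embedded object group.
    for n, chunk in enumerate(rtf.split(rb"\object")[1:], 1):
        m_class = _OBJCLASS_RE.search(chunk)
        progid = m_class.group(1).decode("ascii", "replace") if m_class else ""

        blob = b""
        m_data = _OBJDATA_RE.search(chunk)
        if m_data:
            hexstr = re.sub(rb"\s+", b"", m_data.group(1)).decode("ascii")
            if len(hexstr) % 2:          # truncated hex: drop the dangling nibble
                hexstr = hexstr[:-1]
            blob = bytes.fromhex(hexstr)

        reasons = []
        if progid.startswith(SUSPECT_PROGIDS):
            reasons.append("objclass " + progid)
        if guid_le in blob:
            reasons.append("ListView CLSID bytes in objdata")
        if reasons:
            findings.append({"object": n, "progid": progid, "reasons": reasons})
    return findings


# Constructed samples (not real attachments): a harmless embedded Word object,
# and an OCX embedding whose stub objdata carries the ListView CLSID bytes.
SAMPLE_BENIGN = (
    rb"{\rtf1\ansi Quarterly report{\object\objemb{\*\objclass Word.Document.8}"
    rb"{\*\objdata 0105000002000000576f72642e446f63756d656e742e3800}}}"
)
SAMPLE_SUSPECT = (
    rb"{\rtf1\ansi Official notice{\object\objocx{\*\objclass MSComctlLib.ListViewCtrl.2}"
    rb"{\*\objdata 0105000002000000 4bf0d1bd8b85d111b16a00c0f0283628 41414141}}}"
)

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(name, scan_rtf(sample))
```

This is a heuristic for mail-gateway or sandbox triage, not proof of exploitation: real CVE-2012-0158 lures often obfuscate the RTF (split or padded hex, `\bin` data, decoy control words), so a clean result should not be read as safe, and a hit on the ProgID alone only means the document embeds a common-controls object.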
“The malicious .EXE file is a customized ZeuS variant, which uses bot version 126.96.36.199,” according to a research paper on the campaign. “It also has a specially named malicious component that contains Webinject files for specific online banks and payment services, all based in Eastern Europe.”
The malware's configuration file was modified to download four additional modules that take screenshots and log keystrokes, rather than relying on the usual webinject-driven redirection. According to the paper, this change is likely aimed at banks with more advanced authentication measures.
Trend Micro found more than 5,000 IP addresses worldwide affected by the attack, including some compromised computers in North America. Alongside ZeuS, the attackers used other tools from the underground market: the Bleeding Life exploit pack and the information-stealing malware Pony Loader and Ann Loader.
“Our research shows that while most banking Trojans target well-known banks (in the US, UK, etc.), there are some that prefer a more regional and less conventional approach and by using several tools available underground, the operators were able to carry off their plans,” blogged Trend Micro Senior Threat Researcher Jessa De La Torre. “Moreover, it also demonstrates that cybercriminals are always looking for alternative ways to adapt to defenses.”
The paper is available here.