
Apollo Malware Campaign Targets Bankers in Eastern Europe

A malware campaign targeting online banking customers in Eastern Europe uses a mix of the old and the new as it swipes data from unsuspecting victims.

Dubbed the Apollo campaign by Trend Micro, the operation pairs a highly customized version of Zeus with an exploit for an old vulnerability in Microsoft Word. In most of the incidents, the attack begins with an email disguised as a message from the Ukrainian government; the attachments exploit CVE-2012-0158, which Microsoft patched in MS12-027.

“The malicious .EXE file is a customized ZeuS variant, which uses bot version 2.7.6.8,” according to a research paper on the campaign. “It also has a specially named malicious component that contains Webinject files for specific online banks and payment services, all based in Eastern Europe.”

“In the past, banking Trojans like SpyEye and ZeuS used Webinject files as additional tools to steal victims’ personal online banking, webmail service, and financial service account credentials,” the paper continues. “A Webinject file contains several lines of JavaScript and HTML code to mimic or create fake pop-up notifications that ask users for their credentials every time they access their online bank accounts. In addition, Webinject files are capable of adding extra fields for users to fill up.”
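To show what a defender would pull out of a captured Webinject file like the ones described above, here is an added example (not from the article or from Trend Micro's paper): a small Python parser for the Zeus 2.x-style webinject syntax (set_url / data_before / data_inject / data_after blocks), which lists each targeted URL mask and the form fields the injected HTML would add to the bank page. The Zeus 2.x syntax is an assumption about the Apollo configuration, which the article does not reproduce, and the sample config and hostnames are constructed.

```python
import re

# Constructed sample in the Zeus 2.x webinject syntax (an assumption about the
# Apollo files, which the article does not reproduce); hostnames are placeholders.
SAMPLE_WEBINJECT = """set_url https://online.example-bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<br>PIN: <input type="text" name="pin" id="pin">
<script>document.getElementById('pin').focus();</script>
data_end
data_after
data_end
set_url https://pay.example-wallet.example/* G
data_before
</form>
data_end
data_inject
<div id="notice">Confirm your card number: <input name="cc" type="text"></div>
data_end
data_after
data_end
"""

def parse_webinject(text):
    """One dict per set_url block: url mask, G/P (GET/POST) flags, and the three data sections."""
    targets = []
    for block in re.split(r'^set_url\s+', text, flags=re.M)[1:]:
        header, _, body = block.partition('\n')
        parts = header.split()
        t = {'url': parts[0], 'flags': parts[1] if len(parts) > 1 else ''}
        for name in ('data_before', 'data_inject', 'data_after'):
            # each section runs from its keyword line to the next data_end line
            m = re.search(r'^' + name + r'\n(.*?)^data_end', body, re.S | re.M)
            t[name] = m.group(1).strip() if m else ''
        targets.append(t)
    return targets

def added_fields(target):
    """Names of <input> elements the injected HTML would add to the bank page."""
    return re.findall(r'<input[^>]*\bname="([^"]+)"', target['data_inject'], re.I)

def summarize(text):
    """(url mask, added field names) per target: what a defender triages first."""
    return [(t['url'], added_fields(t)) for t in parse_webinject(text)]
```

Running `summarize(SAMPLE_WEBINJECT)` reports that the login page gets an extra "pin" field and the wallet page an extra "cc" field, which is exactly the kind of credential-harvesting addition the paper describes.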

The malware’s configuration file was modified to download four additional modules that take screenshots and log keystrokes, rather than relying on the usual redirection. According to the paper, this modification is likely aimed at banks with advanced authentication measures.

Trend Micro found more than 5,000 IP addresses worldwide impacted by the attack. Some of the compromised computers were located in North America. In addition to Zeus, the attackers used other information-stealing malware such as the Bleeding Life exploit pack, Pony Loader and Ann Loader.

“Our research shows that while most banking Trojans target well-known banks (in the US, UK, etc), there are some that prefer a more regional and less conventional approach and by using several tools available underground, the operators were able to carry off their plans,” blogged Trend Micro Senior Threat Researcher Jessa De La Torre. “Moreover, it also demonstrates that cybercriminals are always looking for alternative ways to adapt to defenses.”

The paper is available here.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.