New Zeus Variant Targeting Online Banking Users in Canada

A new version of the ZeuS malware has been used since January 2014 to target online banking users in Canada, security researchers from Trusteer reported on Monday.

The new variant of the Trojan, dubbed ZeuS.Maple, is designated by its authors as version 3.3.6.0. Experts say ZeuS.Maple is actually a heavily modified version of ZeuS 2.0.8.9 that improves existing capabilities but adds no new functionality.

“It implements unique browser re-patching techniques, an alternative naming generation algorithm, different anti-debugging and new anti-VM capabilities. It uses an encrypted configuration stored in the Windows registry, and in order to remain stealthy, ZeuS.Maple distribution in the wild is limited and controlled,” Dana Tamir, director of enterprise security at Trusteer, noted in a blog post.

ZeuS.Maple uses a clever technique to make the executable it drops on infected systems harder to identify. Unlike previous versions, which generated a random name for the executable, this variant builds the file name from the name of the AppData directory into which the file is dropped and a hard-coded string such as “win.” For example, if the file is dropped in the AppData\Roaming\Microsoft directory, the generated name is “winmicrosoft.exe.”
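Because the naming scheme is deterministic, a defender can turn it around: for every directory under a user's AppData tree, compute the name the dropper would have produced and look for a file with that name. The script below is an added example written for this article, not code from Trusteer or SecurityWeek; the only prefix the article reports is “win”, and the directory layout in the test data is constructed for illustration.

```python
import os
import re
import sys

# The article reports a single hard-coded string, "win". Additional prefixes
# could be added here if other samples used different strings (assumption).
KNOWN_PREFIXES = ("win",)


def expected_dropped_name(drop_dir, prefix="win"):
    """Derive the executable name the article describes for a given drop directory.

    Scheme: <hard-coded prefix> + <last directory component, lower-cased> + ".exe"
    e.g. AppData\\Roaming\\Microsoft -> winmicrosoft.exe
    Both Windows and POSIX separators are accepted so the check also works
    when a mounted image is scanned from a non-Windows analysis host.
    """
    parts = [p for p in re.split(r"[\\/]", drop_dir) if p]
    leaf = parts[-1] if parts else ""
    return f"{prefix}{leaf.lower()}.exe"


def is_suspect_name(filename, parent_dir, prefixes=KNOWN_PREFIXES):
    """True when filename matches the scheme relative to its own parent directory."""
    name = filename.lower()
    return any(name == expected_dropped_name(parent_dir, p) for p in prefixes)


def find_matches(listing, prefixes=KNOWN_PREFIXES):
    """Apply the check to an iterable of (directory, [filenames]) pairs.

    Kept separate from the filesystem walk so it can be run over a directory
    listing exported from a host, a forensic image, or an EDR file inventory.
    """
    hits = []
    for dirpath, files in listing:
        for f in files:
            if is_suspect_name(f, dirpath, prefixes):
                hits.append(os.path.join(dirpath, f))
    return hits


def hunt(appdata_root, prefixes=KNOWN_PREFIXES):
    """Walk a live AppData tree and return full paths matching the scheme."""
    return find_matches(((d, files) for d, _dirs, files in os.walk(appdata_root)), prefixes)


if __name__ == "__main__":
    # Default to the current user's %APPDATA% when no path is given.
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("APPDATA", ".")
    for hit in hunt(root):
        print("suspect file:", hit)
```

A hit is a lead, not a verdict: confirm it with the file's hash, signature status and creation time before acting, since a legitimate installer could in principle use the same name. The check is cheap enough to run as a scheduled hunt across a fleet.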

To prevent researchers from debugging the malware, its authors use a unique packer written in Visual Basic, which makes analysis more difficult. Another anti-debugging check built into ZeuS.Maple verifies the values of two known Windows flags, namely PEB!IsDebuggedFlag and PEB!NtGlobalFlags.

The malware also incorporates some new anti-VM capabilities, but Trusteer says they’re not impressive: the threat checks whether VMware Tools is installed on the targeted system, a check researchers can bypass simply by uninstalling the application.

As far as web-injection functionality is concerned, ZeuS.Maple uses browser patching just like previous variants. However, unlike other versions of the Trojan, this one is designed to re-patch the browser to protect its patches.

Trusteer reports that the malware is designed to target the customers of 14 leading Canadian financial institutions. The threat also looks for general e-commerce transactions performed by victims.

On Tuesday, Akamai published a threat advisory through the company’s Prolexic Security Engineering & Response Team (PLXsert) to warn Fortune 500 enterprises of attacks that leverage the ZeuS crimeware framework.

“Zeus is insidious, even in the most secure environments. Users are tricked into running programs that infect their devices, so strict enforcement of organizational security policies and user education can help,” said Stuart Scholly, senior vice president and general manager at Akamai’s Security Business Unit.

“Enterprises are encouraged to develop a rigorous website security profile that includes a web application firewall. This approach can disrupt Zeus communication patterns and help prevent data breaches and file scanning attempts.”

In related news, researchers from RSA have discovered a new banking Trojan for sale in underground forums and marketed as an alternative to the Zeus Trojan. Called Pandemiya, the new Trojan is similar to Zeus in that it allows cyber-criminals to steal form data, login credentials, and files from infected computers, according to RSA’s Fraud Action team. Much like Zeus, Pandemiya also has a modular design, making it easy for cyber-criminals to expand and add functionality, Uri Fleyder, cybercrime research lab manager at the RSA Research Group, told SecurityWeek.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
