A new version of the ZeuS malware has been used since January 2014 to target online banking users in Canada, security researchers from Trusteer reported on Monday.
The new variant of the Trojan, dubbed ZeuS.Maple, has actually been designated by the malware authors as version 18.104.22.168. Experts say ZeuS.Maple is actually a heavily modified version of ZeuS 22.214.171.124 that brings improvements to existing capabilities, but it doesn’t add any new functionality.
“It implements unique browser re-patching techniques, an alternative naming generation algorithm, different anti-debugging and new anti-VM capabilities. It uses an encrypted configuration stored in the Windows registry, and in order to remain stealthy, ZeuS.Maple distribution in the wild is limited and controlled,” Dana Tamir, director of enterprise security at Trusteer, noted in a blog post.
ZeuS.Maple uses a clever technique to make the executable file it drops on infected systems more difficult to identify. Unlike previous versions, which generated a random name for the executable, the name of the file created by this variant is a combination between the name of the AppData directory to which the file is dropped and a hard-coded string, like “win.” For example, if the file is dropped in the appdataroamingmicrosoft directory, the name that’s generated is “winmicrosoft.exe.”
In order to prevent researchers from debugging the malware, it’s authors use a unique packer written in Visual Basic to make analysis more difficult. Another anti-debugging system integrated into ZeuS.Maple verifies the values of two known Windows flags, namely PEB!IsDebuggedFlag and PEB!NtGlobalFlags.
The malware also incorporates some new anti-VM capabilities, but Trusteer says they’re not impressive. The threat checks to see if VMware Tools is installed on the targeted systems, a verification method that can be bypassed by researchers by simply uninstalling the application.
As far as web-injection functionality is concerned, ZeuS.Maple uses browser patching just like previous variants. However, unlike other versions of the Trojan, this one is designed to re-patch the browser to protect its patches.
Trusteer reports that the malware is designed to target the customers of 14 leading Canadian financial institutions. The threat also looks for general e-commerce transactions performed by victims.
On Tuesday, Akamai published a threat advisory through the company’s Prolexic Security Engineering & Response Team (PLXsert) to warn Fortune 500 enterprises of attacks that leverage the ZeuS crimeware framework.
“Zeus is insidious, even in the most secure environments. Users are tricked into running programs that infect their devices, so strict enforcement of organizational security policies and user education can help,” said Stuart Scholly, senior vice president and general manager at Akamai’s Security Business Unit.
“Enterprises are encouraged to develop a rigorous website security profile that includes a web application firewall. This approach can disrupt Zeus communication patterns and help prevent data breaches and file scanning attempts.”
In related news, researchers from RSA have discovered a new banking Trojan for sale in underground forums and marketed as an alternative to the Zeus Trojan. Called Pandemiya, the new Trojan is similar to Zeus in that it allows cyber-criminals to steal form data, login credentials, and files from infected computers, according to RSA’s Fraud Action team. Much like Zeus, Pandemiya also has a modular design, making it easy for cyber-criminals to expand and add functionality, Uri Fleyder, cybercrime research lab manager at the RSA Research Group, told SecurityWeek.