
New Zeus Variant Targeting Online Banking Users in Canada

A new version of the ZeuS malware has been used since January 2014 to target online banking users in Canada, security researchers from Trusteer reported on Monday.

The new variant of the Trojan, dubbed ZeuS.Maple, has been designated by the malware authors as version 3.3.6.0. Experts say ZeuS.Maple is actually a heavily modified version of ZeuS 2.0.8.9 that improves existing capabilities but doesn’t add any new functionality.

“It implements unique browser re-patching techniques, an alternative naming generation algorithm, different anti-debugging and new anti-VM capabilities. It uses an encrypted configuration stored in the Windows registry, and in order to remain stealthy, ZeuS.Maple distribution in the wild is limited and controlled,” Dana Tamir, director of enterprise security at Trusteer, noted in a blog post.

ZeuS.Maple uses a clever technique to make the executable file it drops on infected systems more difficult to identify. Unlike previous versions, which generated a random name for the executable, the name of the file created by this variant is a combination of the name of the AppData directory to which the file is dropped and a hard-coded string, like “win.” For example, if the file is dropped in the AppData\Roaming\Microsoft directory, the name that’s generated is “winmicrosoft.exe.”

In order to prevent researchers from debugging the malware, its authors use a unique packer written in Visual Basic to make analysis more difficult. Another anti-debugging mechanism integrated into ZeuS.Maple verifies the values of two known Windows flags, namely PEB!IsDebuggedFlag and PEB!NtGlobalFlags.

The malware also incorporates some new anti-VM capabilities, but Trusteer says they’re not impressive. The threat checks to see if VMware Tools is installed on the targeted systems, a verification method that can be bypassed by researchers by simply uninstalling the application.

As far as web-injection functionality is concerned, ZeuS.Maple uses browser patching just like previous variants. However, unlike other versions of the Trojan, this one is designed to re-patch the browser to protect its patches.

Trusteer reports that the malware is designed to target the customers of 14 leading Canadian financial institutions. The threat also looks for general e-commerce transactions performed by victims.

On Tuesday, Akamai published a threat advisory through the company’s Prolexic Security Engineering & Response Team (PLXsert) to warn Fortune 500 enterprises of attacks that leverage the ZeuS crimeware framework.

“Zeus is insidious, even in the most secure environments. Users are tricked into running programs that infect their devices, so strict enforcement of organizational security policies and user education can help,” said Stuart Scholly, senior vice president and general manager at Akamai’s Security Business Unit.

“Enterprises are encouraged to develop a rigorous website security profile that includes a web application firewall. This approach can disrupt Zeus communication patterns and help prevent data breaches and file scanning attempts.”

In related news, researchers from RSA have discovered a new banking Trojan for sale in underground forums and marketed as an alternative to the Zeus Trojan. Called Pandemiya, the new Trojan is similar to Zeus in that it allows cyber-criminals to steal form data, login credentials, and files from infected computers, according to RSA’s Fraud Action team. Much like Zeus, Pandemiya also has a modular design, making it easy for cyber-criminals to expand and add functionality, Uri Fleyder, cybercrime research lab manager at the RSA Research Group, told SecurityWeek.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
