Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Researchers Discover 64-bit Bit Version of ZeuS Trojan Enhanced with Tor

Researchers from Kaspersky Lab have discovered what they say is milestone in the evolution of the Zeus banking Trojan: a 64-bit version of Zeus that communicates with its command and control servers over the Tor anonymity network.

Researchers from Kaspersky Lab have discovered what they say is milestone in the evolution of the Zeus banking Trojan: a 64-bit version of Zeus that communicates with its command and control servers over the Tor anonymity network.

Interestingly, the 64-bit version of the popular banking malware was found “tucked inside of a 32-bit version,” according to the security firm.

What’s also interesting is that cybercriminals don’t actually need a 64-bit version to be successful in the vast majority of their attacks, as most people still use 32-bit Web browsers, even on 64-bit operating systems.

ZeuS 64-Bit Malware Found“ZeuS is mostly intended to intercept data passing through browsers, and modify that data allowing the operator to steal information related to online banking, to wire transactions or to cover his tracks,” Kaspersky Lab expert Dmitry Tarakanov noted in a blog post. “So, 32-bit versions of ZeuS have been sufficient to keep the thieves satisfied with their earnings.”

While fraudsters may not need this latest version in their aresenal just yet, the discovery clearly shows that continued development of the popular banking malware is alive and well, and innovation continues.

“Whatever the intentions were of the malware author that created this piece of ZeuS – be it a marketing ploy or the groundwork for some future needs – a pure 64-bit ZeuS does finally exist, and we can conclude that a new milestone in the evolution of ZeuS has been reached,” Tarakanov continued. “Moreover, this sample has revealed that another distinct feature has been added to ZeuS functionality – ZeuS malware has the ability to work on its own via the Tor network with onion CnC domains, meaning it now joins an exclusive group of malware families with this capability.”

The 64-bit version of ZeuS behaves like any other ZeuS-based malware, Tarakanov explained, and drops its files in folders with randomly generated names in the %APPDATA% directory.

According to Tarakanov, the configuration file for this version of ZeuS includes an extensive list of programs that the malware can target with its data-stealing capabilities.

While this latest ZeuS discovery leverages Tor to hide its communications with its C&C server, leveraging Tor is not a completely new feature for the popular banking malware. In fact, Kaspersky Lab has tracked ZeuS samples with signs of Tor communications dating back to 2012.

The full report with additional details on the malware can be found on Kasperky Lab’s Securelist

Related: Researchers Discover Botnet Powered by TOR

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.