Researchers Discover 64-bit Bit Version of ZeuS Trojan Enhanced with Tor

Researchers from Kaspersky Lab have discovered what they say is milestone in the evolution of the Zeus banking Trojan: a 64-bit version of Zeus that communicates with its command and control servers over the Tor anonymity network.

Interestingly, the 64-bit version of the popular banking malware was found “tucked inside of a 32-bit version,” according to the security firm.

What’s also interesting is that cybercriminals don’t actually need a 64-bit version to be successful in the vast majority of their attacks, as most people still use 32-bit Web browsers, even on 64-bit operating systems.

“ZeuS is mostly intended to intercept data passing through browsers, and modify that data allowing the operator to steal information related to online banking, to wire transactions or to cover his tracks,” Kaspersky Lab expert Dmitry Tarakanov noted in a blog post. “So, 32-bit versions of ZeuS have been sufficient to keep the thieves satisfied with their earnings.”

While fraudsters may not need this latest version in their aresenal just yet, the discovery clearly shows that continued development of the popular banking malware is alive and well, and innovation continues.

“Whatever the intentions were of the malware author that created this piece of ZeuS – be it a marketing ploy or the groundwork for some future needs – a pure 64-bit ZeuS does finally exist, and we can conclude that a new milestone in the evolution of ZeuS has been reached,” Tarakanov continued. “Moreover, this sample has revealed that another distinct feature has been added to ZeuS functionality – ZeuS malware has the ability to work on its own via the Tor network with onion CnC domains, meaning it now joins an exclusive group of malware families with this capability.”

The 64-bit version of ZeuS behaves like any other ZeuS-based malware, Tarakanov explained, and drops its files in folders with randomly generated names in the %APPDATA% directory.

According to Tarakanov, the configuration file for this version of ZeuS includes an extensive list of programs that the malware can target with its data-stealing capabilities.

While this latest ZeuS discovery leverages Tor to hide its communications with its C&C server, leveraging Tor is not a completely new feature for the popular banking malware. In fact, Kaspersky Lab has tracked ZeuS samples with signs of Tor communications dating back to 2012.

The full report with additional details on the malware can be found on Kasperky Lab’s Securelist. 

Related: Researchers Discover Botnet Powered by TOR