Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

ZeuS Goes Mobile – Targets Online Banking Two Factor Authentication

Over the weekend, researchers from Fortinet and S21cec came across a new mobile malware piece they have named SymbOS/Zitmo.A!tr, or “Zitmo,” standing for “Zeus In The Mobile.” As two-factor authentication methods become more popular, cybercriminals are working hard to keep up and develop technologies that let them further track and capture user credentials. The Zitmo malware was designed to intercept confirmation SMS messages sent by banks to their customers.

Over the weekend, researchers from Fortinet and S21cec came across a new mobile malware piece they have named SymbOS/Zitmo.A!tr, or “Zitmo,” standing for “Zeus In The Mobile.” As two-factor authentication methods become more popular, cybercriminals are working hard to keep up and develop technologies that let them further track and capture user credentials. The Zitmo malware was designed to intercept confirmation SMS messages sent by banks to their customers.

In order to successfully overcome two-factor authentication, the attacker steals login credentials using the traditional ZeuS malware. The attacker also captures the phone number and model of the users mobile device via injection of HTML forms in the victims’ browser. Based on that info, it encourages users to install mobile malware, by sending a SMS with a link to download the appropriate version of the malicious package depending on the type of mobile device the user has.

ZeuS Mobile Malware (Zitmo)

Next, the attacker logs in with the stolen credentials using the user’s computer as a proxy and performs the SMS authentication process. An SMS is sent to the user’s mobile device with the authentication code. The malicious software running on the user’s mobile device forwards the SMS to a system controlled by the attacker.

After analyzing the malware, Fortinet noted that it creates its own database on the mobile device, where it stores all information it steals. This database is named NumbersDB.db, and contains 3 tables:

• tbl_contact with 4 columns: index, name, descr, pb_contact_id.

• tbl_phone_number with 2 columns: contact_id, phone_number

• and tbl_history with 6 columns: event_id, pn_id, date, description, contact_info, contact_id.

The malware searches those tables using standard SQL queries. The malware sends SMS messages. In particular, it sends a message to a phone number located in the United Kingdom to notify that the malware has been successfully installed (”App installed ok”). “27/09/2010″,”12:09″,”Short message”,”Outgoing”,”App installed ok”,”+44778xxxxxxx”

Advertisement. Scroll to continue reading.

Additionally, s21sec warns that the malware appears to have the capability to answer commands, potentially allowing anyone sending a “set admin” SMS to your infected phone may to take control of it.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.