
Zeus shows a significant evolution in the criminal ecosystem

Researchers at SentinelOne have discovered a strain of the Zeus malware that includes a very sophisticated control panel and evasion techniques.

Malware researchers at SentinelOne have spotted a new Zeus variant used to target major Canadian banks, including the National Bank of Canada, the Bank of Montreal and the Royal Bank of Canada.

Researcher Anton Ziukin explained that this variant of Zeus also relies on web injection to build the pages threat actors use to steal victims' banking credentials and other personal information that can be offered for sale on the underground market. In this case, the malware displays a phishing page that reproduces the login form of the victim's online banking service.

“This attack continues a growing trend in banking malware that goes beyond simply targeting the victim’s login credentials (i.e. their username and password) and injects pages to steal a wealth of personal information including answers to security questions, debit and credit card numbers, social security number, driver license number and more. While some of this information can be used to commit online banking fraud, the other personal data can be used for different crimes including healthcare fraud, opening credit accounts in victims’ names, etc. It could even be used in spear phishing attacks to target individuals within enterprises and government agencies in order to breach secure networks,” Ziukin reports in a blog post.

The phishing page presented by the new Zeus variant also instructs victims to provide personal data, including ATM PIN, credit/debit card details, social insurance number and date of birth.

This new strain of Zeus is not detected by several antivirus products. It also sidesteps the browser's SSL protections: because the malicious code is installed on the endpoint, it uses a man-in-the-browser technique to inject its web content directly into the victim's browser.

“Since the malware is installed on the endpoint device it can inject fake webpages into the browser without breaking the SSL connection to the bank’s server and generating a security alert. Predictive execution technology that monitors activity on the endpoint device is the only way to detect and block these attacks, and protect personal information from getting into the hands of criminals.” continues the post.
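Because a man-in-the-browser inject rewrites the page after the TLS session has been terminated in the browser, the bank's server and the TLS layer never see the extra fields; the rendered form has to be checked on the client. The following is an added example, not SentinelOne's or the article's code, showing a defender-side integrity check that compares the rendered login form against a hypothetical manifest of the fields the bank actually ships and flags injected inputs of the kind described above (PIN, card data, SIN, date of birth). The manifest, field names and sample form are all constructed for the example.

```javascript
// Added example (not from the article): audit a rendered bank login form
// against the manifest of fields the genuine page contains, to spot
// man-in-the-browser web injects that append extra data-harvesting inputs.

// Hypothetical manifest of the fields the bank's real login form ships with.
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "remember_me"]);

// Name patterns a legitimate login form never asks for; the inject described
// in the article adds exactly these (ATM PIN, card details, SIN/SSN, DOB).
const SENSITIVE_PATTERNS = [
  /pin/i, /card|ccnum|cvv|expir/i, /\bsin\b|ssn|social/i, /dob|birth/i,
  /licen[cs]e/i, /secur.*(question|answer)/i,
];

// Constructed sample of the form as the browser sees it after an inject:
// two extra <input> elements have been appended to the genuine form.
const RENDERED_FORM_HTML = `
<form id="login" action="/auth">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="remember_me" type="checkbox">
  <input name="atm_pin" type="password">
  <input name="card_number" type="text">
</form>`;

// Pull input names out of markup. Sufficient for this offline example; an
// in-page check would walk document.forms instead of parsing a string.
function extractInputNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Returns a list of findings; an empty list means the form matches the manifest.
function auditLoginForm(html, expected = EXPECTED_LOGIN_FIELDS) {
  const findings = [];
  const seen = new Set();
  for (const name of extractInputNames(html)) {
    seen.add(name);
    if (expected.has(name)) continue;
    const sensitive = SENSITIVE_PATTERNS.some((p) => p.test(name));
    findings.push({ field: name, reason: sensitive ? "unexpected sensitive field" : "unexpected field" });
  }
  for (const name of expected) {
    if (!seen.has(name)) findings.push({ field: name, reason: "expected field missing" });
  }
  return findings;
}
```

A finding of the "unexpected sensitive field" kind is what an endpoint agent or the bank's own page script would report, since at that point the TLS connection is intact and the server sees a normal-looking login.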

The experts accessed the control panel of the new Zeus botnet and noted its high level of sophistication. The panel holds detailed information on each compromised bank account, including its balance, login status and the web browser used by the victim.

The panel also includes a “Drop” form used to customize the attacks: for example, cyber criminals can specify the destination bank account for the stolen funds and the percentage of the balance to release to the money mule before transferring the remainder to the attacker.

“This glimpse into the criminal underground demonstrates the sophistication of the tools being used by criminal gangs to conduct banking and other forms of online fraud. Building, executing and monetizing advanced attacks is easier and more affordable than ever before,” SentinelOne’s Anton Ziukin said in a blog post.

Arranging scams and conducting illegal activities is easier still for cyber criminals thanks to what is on offer in the criminal ecosystem; for example, researchers at IBM Trusteer recently discovered a new toolkit, dubbed KL-Remote, that allows criminals to run remote overlay attacks without specific skills.

Stay Tuned …


Pierluigi Paganini

(Security Affairs – online banking, Zeus)
