Experts found a strain of the Zeus banking Trojan spread through a legitimate developer’s website

Malware researchers at Talos group have discovered a strain of Zeus banking Trojan that abuses the legitimate website of the Ukraine-based accounting software developer Crystal Finance Millennium (CFM).

The experts discovered that the version of the ZeuS banking Trojan used in this attack is the 2.0.8.9 that was leaked in 2011.

The attack occurred in August 2017, during the time frame associated with the observance of the Independence Day holiday in Ukraine, but researchers from Talos disclosed details of the attack online now.

Experts found many similarities with the attack vector used in the NotPetya case, hackers. While in the NotPetya attack hackers compromised the supply chain of the software fir M.E.Doc to distribute the malware, in the case of the Zeus banking Trojan threat actors relied on accounting software maker CFM’s website being used to distribute malware fetched by downloaders delivered as attachments in an email spam campaign.

Researchers from Talos were able to register and sinkhole one of the Command and Control (C2) domains used by the attackers, in this way they were able to gather information about the number and the nature of the infected systems.

Attackers used spam emails with a ZIP archive containing a JavaScript file, which was used a downloader. The researchers discovered that one of the domains used to host the malware payload was associated with CFM’s website, attackers used it also to distribute PSCrypt ransomware.

The analysis of the infection process revealed that once executed the malware would first perform a long list of anti-VM checks to determine whether it runs in a virtualized environment. If not, the malicious code achieves persistence by creating a registry entry to ensure execution at system startup.

Then the malware attempts to connect to several C&C servers and experts from Talos discovered that one of them was not registered at the time of the analysis … a gift for the researchers that used it to sinkhole the botnet.

Most of the infected systems were located in Ukraine, followed by the United States.

“Interestingly, most of the systems which beaconed to our sinkhole server were located in Ukraine with United States being the second most affected region. A graph showing the ISPs that were most heavily affected is below:”

“As can be seen in the graph above, PJSC Ukrtelecom was by far the most heavily affected. This ISP is the company governed by the Ministry of Transportation and Communications in Ukraine. In total, our sinkhole logged 11,925,626 beacons from 3,165 unique IP address” states the analysis from Talos.

According to Talos hackers are refining their attack techniques and are increasingly attempting to abuse the trust relationship between organizations and their trusted software manufacturers.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Zeus Banking Trojan, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]