Malware

Experts found a strain of the Zeus banking Trojan spread through a legitimate developer’s website

Malware researchers at Talos group have discovered a strain of Zeus banking Trojan that abuses the legitimate website of the Ukraine-based accounting software developer Crystal Finance Millennium (CFM).

The experts discovered that the version of the ZeuS banking Trojan used in this attack is the 2.0.8.9 that was leaked in 2011.

The attack occurred in August 2017, during the time frame associated with the observance of the Independence Day holiday in Ukraine, but researchers from Talos disclosed details of the attack online now.

Experts found many similarities with the attack vector used in the NotPetya case, hackers. While in the NotPetya attack hackers compromised the supply chain of the software fir M.E.Doc to distribute the malware, in the case of the Zeus banking Trojan threat actors relied on accounting software maker CFM’s website being used to distribute malware fetched by downloaders delivered as attachments in an email spam campaign.

Researchers from Talos were able to register and sinkhole one of the Command and Control (C2) domains used by the attackers, in this way they were able to gather information about the number and the nature of the infected systems.

Attackers used spam emails with a ZIP archive containing a JavaScript file, which was used a downloader. The researchers discovered that one of the domains used to host the malware payload was associated with CFM’s website, attackers used it also to distribute PSCrypt ransomware.

The analysis of the infection process revealed that once executed the malware would first perform a long list of anti-VM checks to determine whether it runs in a virtualized environment. If not, the malicious code achieves persistence by creating a registry entry to ensure execution at system startup.

Then the malware attempts to connect to several C&C servers and experts from Talos discovered that one of them was not registered at the time of the analysis … a gift for the researchers that used it to sinkhole the botnet.

Most of the infected systems were located in Ukraine, followed by the United States.

“Interestingly, most of the systems which beaconed to our sinkhole server were located in Ukraine with United States being the second most affected region. A graph showing the ISPs that were most heavily affected is below:”

“As can be seen in the graph above, PJSC Ukrtelecom was by far the most heavily affected. This ISP is the company governed by the Ministry of Transportation and Communications in Ukraine. In total, our sinkhole logged 11,925,626 beacons from 3,165 unique IP address” states the analysis from Talos.

According to Talos hackers are refining their attack techniques and are increasingly attempting to abuse the trust relationship between organizations and their trusted software manufacturers.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Zeus Banking Trojan, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

4 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

15 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

19 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.