A new threat created by the amalgamation of the publicly available code of two of the most (in)famous malware around is targeting users of over 450 financial institutions around the world, warn Trusteer researchers. Currently the most targeted are users in the US, Australia, and the UK.
The creators of Zberp – as the researchers dubbed the threat – have used the leaked source code of both the Zeus/Zbot and Carberp banking Trojans.
The Zeus/Zbot malware needs no introduction, as it has been the top banking Trojan for a few years now. The Carberp Trojan is a complex piece of malware that is capable not only of stealing sensitive information, but also of modifying the master boot record (MBR) of the computer's hard drive in order to avoid being detected by antivirus software present on the targeted machine.
This new "hybrid beast" allows those who wield it to collect basic system information, take screenshots, steal data submitted in HTTP forms, users' SSL certificates, and FTP and POP account credentials. The malware is apparently also capable of performing web injections, man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks, and initiating remote desktop connections.
Its hybrid nature is best witnessed in the way it evades detection: by deleting and rewriting the registry key that allows it to persist on the system, so that the entry is not present for AV solutions to spot after the system is booted; by hiding its configuration code in an image file; by "hooking" into the browser, both to gain control of it and to evade AV software; and by securing the communication channel through which it contacts its C&C.
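The registry trick described above leaves a detectable trace: the same process removes its own Run-key value and later writes it back. The following detection logic is an added example for this article, not code from Trusteer or from the malware; it runs over constructed, Sysmon-style registry event lines in a hypothetical `time|op|process|key` format and assumes the delete-then-recreate pattern is visible as two events from one process on one Run-key value.

```python
"""Flag Run-key persistence churn: a value under a Run/RunOnce key that the
same process deletes and later re-creates. Log lines are constructed for
this example and mimic registry-event telemetry (e.g. Sysmon event 12/13)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Matches any value beneath ...\Microsoft\Windows\CurrentVersion\Run or RunOnce
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

# Constructed sample telemetry (hypothetical format: time|op|process|key).
# Line 2 and line 4 are the suspicious pair; lines 1 and 3 are benign noise.
SAMPLE_LOG = """\
2014-05-20T08:00:03|SetValue|C:\\Windows\\explorer.exe|HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive
2014-05-20T08:00:05|DeleteValue|C:\\Users\\bob\\AppData\\Roaming\\svhost.exe|HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svhost
2014-05-20T08:01:10|SetValue|C:\\Program Files\\Vendor\\updater.exe|HKLM\\SOFTWARE\\Vendor\\Settings\\LastCheck
2014-05-20T17:42:51|SetValue|C:\\Users\\bob\\AppData\\Roaming\\svhost.exe|HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svhost
"""


class RegEvent(NamedTuple):
    time: datetime
    op: str        # "SetValue" or "DeleteValue"
    process: str   # image path of the process that touched the registry
    key: str       # full path of the registry value


def parse_log(text: str) -> List[RegEvent]:
    """Parse 'time|op|process|key' lines into RegEvent records, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, op, proc, key = line.split("|", 3)
        events.append(RegEvent(datetime.fromisoformat(ts), op, proc, key))
    return sorted(events, key=lambda e: e.time)


def find_run_key_churn(events: List[RegEvent]) -> List[dict]:
    """Return one finding per (process, Run-key value) pair where a delete is
    followed by a re-create from the same process. A persistence entry that
    disappears after boot and reappears later is the pattern described in the
    article; legitimate software almost never cycles its own Run entry."""
    per_pair: Dict[Tuple[str, str], List[RegEvent]] = defaultdict(list)
    for ev in events:
        if RUN_KEY_RE.search(ev.key):
            per_pair[(ev.process.lower(), ev.key.lower())].append(ev)

    findings = []
    for (proc, key), evs in per_pair.items():
        last_delete = None  # most recent DeleteValue not yet paired with a SetValue
        for ev in evs:      # evs is already in time order
            if ev.op == "DeleteValue":
                last_delete = ev
            elif ev.op == "SetValue" and last_delete is not None:
                findings.append({
                    "process": proc,
                    "value": key,
                    "deleted_at": last_delete.time.isoformat(),
                    "recreated_at": ev.time.isoformat(),
                    "gap_seconds": (ev.time - last_delete.time).total_seconds(),
                })
                last_delete = None
    return findings


if __name__ == "__main__":
    for f in find_run_key_churn(parse_log(SAMPLE_LOG)):
        print(f"{f['process']} deleted {f['value']} at {f['deleted_at']} "
              f"and re-created it at {f['recreated_at']} "
              f"({f['gap_seconds']:.0f}s later)")
```

Run against the sample, it reports the single `svhost.exe` pair and ignores the benign explorer.exe and vendor-updater writes. In production the same logic applies to real registry-event telemetry, ideally with the additional check that the delete occurs within the first minutes after a boot event and the re-create near shutdown.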
This is not the first time that malware developers have used Carberp's code to create a new threat: late last year, the first ever information-stealing Trojan targeting SAP enterprise software was also partly based on it.