New Zeus variant targets users of 150 banks

A new variant of the infamous Zeus banking and information-stealing Trojan has been created to target the users of over 150 different banks and 20 payment systems in 15 countries, including the UK, the US, Russia, Spain and Japan.

Chthonic, as the variant has been named by Kaspersky Lab researchers, shares a lot of similarities with previous Zeus variants.

“Chthonic uses the same encryptor as Andromeda bots, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware,” they explained in a blog post. The main change in the code is a new technique for loading modules.

Delivered via spam emails or downloaded via downloader malware already installed on the victims’ machine, once installed Chthonic gets in touch with and identifies itself to a C&C server, from which it receives an extended loader with additional information, modules, a configuration file, etc.:

The malware is capable of collecting system information, stealing saved passwords, logging keystrokes, recording video and sound via the computer’s webcam and microphone, grabbing the contents of online forms, injecting web pages and fake windows, and allows criminals to connect to the infected computer remotely and use it to carry out transactions.

“Web injections are Chthonic’s main weapon: they enable the Trojan to insert its own code and images into the code of pages loaded by the browser. This enables the attackers to obtain the victim’s phone number, one-time passwords and PINs, in addition to the login and password entered by the victim,” the researchers explained.

“Our analysis of attacks against customers of Russian banks has uncovered an unusual web injection scenario. When opening an online banking web page in the browser, the entire contents of the page is spoofed, not just parts of it as in an ordinary attack. From the technical viewpoint, the Trojan creates an iframe with a phishing copy of the website that has the same size as the original window.”

The only good news tied to this particular sample they have analyzed is that many of the code fragments used for web injections don’t work, as some banks have changed the structure of their pages or their domains. Nevertheless, the developers of this particular Zeus variant might soon make the changes necessary to make it work again as planned.