A new Trojan based on the infamous Zeus banking Trojan has been discovered, and is targeting over 150 banks and 20 payment systems in 15 countries, with 43 banks in the UK alone under threat.
This is according to antivirus company Kaspersky Lab, which has identified the new infection as Trojan-Banker.Win32.Chthonic.
Chthonic is “apparently an evolution of ZeusVM, although it has undergone a number of significant changes,” explain Kaspersky’s Yury Namestnikov, Vladimir Kuskov and Oleg Kupreev in a blog post.
“Chthonic uses the same encryptor as Andromeda bots, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware,” explained the blog.
Kaspersky has so far detected two main methods of Chthonic transmission. The first is email carrying a “specially crafted” RTF document that exploits the CVE-2014-1761 vulnerability in Microsoft Office, which lets an attacker execute code as soon as the recipient opens the file. The RTF’s file extension is changed to .DOC to make it look less suspicious.
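The renamed-RTF trick in the paragraph above relies on the recipient (and any filter) trusting the file extension. The check below is an added example written for this article, not code from Kaspersky or the original report: it classifies an attachment by its leading bytes and flags cases where the declared extension (.doc, .docx, .rtf) disagrees with what the content actually is. The sample attachments are constructed stand-ins containing only format headers; the magic values are the well-known ones for RTF, the legacy OLE compound file format used by .doc, and the zip container used by .docx.

```python
"""Flag Office attachments whose content does not match their extension.

Added example, not from the Kaspersky write-up: a mail gateway or incident
responder can catch an RTF renamed to .DOC by reading the file's leading
bytes instead of trusting its name. Sample attachments are constructed.
"""
import os

# Leading bytes of the formats involved (well-known magic values).
RTF_MAGIC = b"{\\rtf"                              # RTF text header "{\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # .docx (OOXML zip container)

# Content types that are legitimate for each extension.
EXPECTED = {
    ".doc": {"ole"},
    ".docx": {"zip"},
    ".rtf": {"rtf"},
}


def sniff_format(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the filename entirely."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict describing whether extension and sniffed content agree.

    Extensions outside EXPECTED are not judged (mismatch stays False) so the
    check only reports on the Office types it understands.
    """
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff_format(data)
    allowed = EXPECTED.get(ext)
    mismatch = allowed is not None and actual not in allowed
    return {"file": filename, "extension": ext, "content": actual, "mismatch": mismatch}


def scan_attachments(attachments: dict) -> list:
    """Return the names of attachments whose content disagrees with their extension."""
    return [name for name, data in attachments.items()
            if check_attachment(name, data)["mismatch"]]


# Constructed sample attachments (not real malware; only the headers matter).
SAMPLE_ATTACHMENTS = {
    "invoice.doc": b"{\\rtf1\\ansi ... constructed RTF body ...}",  # RTF renamed to .doc
    "report.doc": OLE_MAGIC + b"\x00" * 16,                          # genuine legacy .doc
    "notes.docx": ZIP_MAGIC + b"\x14\x00\x00\x00",                   # genuine .docx
    "memo.rtf": b"{\\rtf1 plain rtf}",                               # RTF correctly named
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(check_attachment(name, data))
    print("suspicious:", scan_attachments(SAMPLE_ATTACHMENTS))
```

Run as a script it prints one verdict per sample and then lists `invoice.doc` as suspicious. A content/extension mismatch is a strong triage signal rather than proof of an exploit: Word will happily open RTF content regardless of the name, so the mismatch itself is the reason the renaming works, and a file that passes this check still needs the usual patching (the vulnerability named above) and sandboxing.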
Chthonic can also be forcibly downloaded to a victim’s machine by a remote attacker using the Andromeda bot, if the user is already infected with that Trojan, whose primary purpose is to open the door to further malware.
Andromeda places the Chthonic code into Windows’ msiexec.exe – the System32 file that interprets packages and installs products.
Kaspersky has noted that of the 150 targeted banks, 43 are in the UK, with 36 in Spain and 13 in Italy. The US has had 35 banks targeted, while Russia has 22 and Japan 18.
“In spite of the large number of targets on the list, many code fragments used by the Trojan to perform web injections can no longer be used,” says the blog.
“Because banks have changed the structure of their pages and, in some cases, the domains as well. It should also be noted that we saw some of these fragments in other bots’ config files (e.g., Zeus V2) a few years back.”
However, Kaspersky also warns that Zeus – variations of which have been doing the rounds for several years – will continue to evolve.
“Its new implementations take advantage of cutting-edge techniques developed by malware writers. This is significantly helped by the Zeus source code having been leaked,” said Kaspersky.
“As a result, it has become a kind of framework for malware writers, which can be used by anyone and can easily be adapted to cybercriminals’ new needs. The new Trojan – Chthonic – is the next stage in the evolution of Zeus: it uses Zeus AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the Andromeda downloader.”