Evolving Zeus malware used in targeted email attacks

Summary: New strains of the malevolent Zeus malware have been discovered using the Windows 'PIF' file extension to steal information from compromised computer systems.

Zeus variants that use Windows extensions to steal user data have been discovered in malicious email campaigns.

Security researchers at Websense Security Labs have identified Zeus strains that implement information-stealing procedures that appear to be an evolution of the coding used in previous Zeus variants. The emerging variants, tracked over several months, are being used in new low-volume email campaigns that target users' financial data. The Zeus variants in the campaign appear to also be using droppers that employ the hidden Windows "PIF" (Program Information Files) file extension — an extension the researchers say was often associated with viruses in the past and appears to be making a comeback.

The Websense ThreatSeeker Intelligence Cloud has been tracking the campaign, which appears in short bursts, for several months. Specifically, these strains of the banking Trojan have been seen to "persistently evolve and adapt their methods to implement information stealing procedures," and are believed to be a direct evolution of a previous variant called "Zberp."

The Zberp Trojan, believed to have been assembled from the source code of Zeus and Carberp, allows cybercriminals to lift information from compromised computers, including names, IP addresses, data submitted in HTTP forms and FTP/POP account credentials. As well as being able to take screenshots and send them to Command and Control (C&C) servers, the variant also uses evasion techniques inherited from both the Zeus and Carberp Trojans.

The emails used in the Zeus PIF campaign typically carry subject lines designed to lure the target into running a file from a URL. According to the team, they are of good quality, with no spelling mistakes and convincing imagery; examples include "Payment Confirmation," "eFax message from Fax" and "Failed delivery for package." The emails carry no attachment. Instead, they contain a URL linking to a .ZIP file that holds the Zeus dropper and the executable PIF file.

PIF files were often used by malicious software in the past because of their hidden nature: Windows does not display the .PIF extension even when it is configured to show the extensions of known file types. Within this campaign, the lures are presented as .PDF files that are actually PIF files, an attempt to deceive users who are able to see the extension.
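The double-extension trick described above is simple to check for on the receiving side. The following is an added example, not code from the article or from Websense, that inspects a ZIP attachment in memory and flags members whose real extension is one Windows executes, whose extension Explorer never displays (the file type's registry entry carries a NeverShowExt value, which is why a .PIF stays hidden even with extension hiding switched off), whose name stacks a decoy document extension in front of the real one, or whose content starts with the "MZ" signature of a Windows executable despite a non-executable extension. The archive contents, member names and the lists of extensions are my own constructed assumptions, chosen to mirror the layout the article describes.

```python
import io
import zipfile

# Extensions Windows treats as runnable when double-clicked (assumed list).
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd"}
# Document-style extensions an attacker might place before the real one (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "txt", "jpg"}
# File types whose extension Explorer never shows (registry value NeverShowExt),
# even with "Hide extensions for known file types" switched off.
ALWAYS_HIDDEN_EXTS = {"pif", "lnk", "scf", "url"}
# Extensions where an MZ (PE) header is expected rather than suspicious.
NATIVE_PE_EXTS = {"exe", "dll", "scr", "com", "sys"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks like a disguised dropper.

    name: member path inside the archive; head: its first few bytes.
    An empty list means nothing suspicious was found.
    """
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]   # strip any directory prefix
    parts = base.split(".")
    if len(parts) < 2:                        # no extension at all
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    if ext in ALWAYS_HIDDEN_EXTS:
        reasons.append(f".{ext} is never displayed by Explorer")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append(f"decoy document extension .{parts[-2]} before .{ext}")
    if head[:2] == b"MZ" and ext not in NATIVE_PE_EXTS:
        reasons.append(f"Windows executable (MZ) header behind .{ext}")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name in a ZIP to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)           # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure layout the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed dropper stand-in: a PIF named to look like a PDF,
        # carrying only the PE "MZ" signature followed by filler bytes.
        zf.writestr("Payment_Confirmation.pdf.pif", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed sample\n")
        zf.writestr("readme.txt", b"constructed benign text file\n")
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for member, reasons in scan_zip(SAMPLE_ZIP).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
```

Running the script prints only the constructed `Payment_Confirmation.pdf.pif` member, with four reasons; the genuine PDF and text file pass. The header check matters because a PIF that carries a PE image is the case the article describes, and renaming alone does not change the first two bytes.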

[Screenshot, 2014-07-09]

Last week, the team monitored the campaign using themes tailored for Canadian targets and in particular, Canadian banks. However, US businesses are also being targeted, as the email examples below show:

  • Example 1
    Email subject: Failed delivery for package #1398402
    File name: pdf_canpost_RT000961269SG.zip
    VirusTotal detection rate: 2 percent
    ThreatScope analysis: link
  • Example 2
    Email subject: Pending consumer complaint
    File name: ftc_pdf_complaint.zip
    VirusTotal detection rate: 11 percent
    ThreatScope analysis: link

One interesting point is that these new variants appear to be focused on evading client-side security software that alerts users to "malicious hooks," where malware inserts procedures aimed at eavesdropping on legitimate processes such as browsers. The variants appear to have evolved from the hooking procedures used by Zberp, and use changing patterns of infection to try to hoodwink security systems.

After monitoring and stealing data, the Zeus PIF variants communicate with C&C servers using HTTPS in order to transfer stolen data. According to Websense, the C&C servers possessed valid and signed certificates for at least three months from a certification authority known as "Comodo Essential SSL." This, in turn, gives the cyberattacks additional resilience and anonymity.

The security researchers said these variants' connections to the "Zberp" Zeus strain show that the "cat and mouse game" between cyberattackers and detection software continues. The campaign's actors are attempting to sustain longer periods of "undetected covert activity" using the Zeus bot, and so are continually changing the "DNA" of the bot, as well as using other techniques, including C&C servers that use SSL, to sustain their campaigns and steal data for as long as possible.

"Because the Zeus source code was leaked back in 2011, many evolving variants of the bot started to spawn by different cyber-criminal groups," the security team says. "New variants have been given different names, and we believe the list of variants is going to grow. Strains that may at first look quite different, often have the familiar Zeus at their core. Tracking and dissecting the evolution of a malware strain allows us to know exactly the technological challenges that come with it and what is required to stop it."

Talkback

11 comments
  • Bad link on home page

    The title of this article is displayed prominently on your home page, but it links to a different article. I found this one by doing a search. I recommend that you fix the bad link on your home page.
    bmeacham98@...
  • when will people realize

    that windows IS the malware.
    GrabBoyd
    • I guess that's why banks, hospitals and millions of other enterprises

      Still use MS software.
      harry_dyke
      • Appeal to numbers fallacy

        look it up.
        baggins_z
        • Numbers Fallacy?

          Oh, yeah. Really worked for the dinosaurs. Also known as herd mentality, mob rule, mono-cropping, etc. and has been euphemized by such noble-worthy phrases as "go with the flow" and "blowing in the wind" and "trending now". Thoroughly practiced by religious institutions since time immemorial, as well as most all forms of government, corporate and social institutions.
          Ever wonder why facebook took off so fast? Or how 'bout this one?--What is the true root word of 'twitter'? It sure as h3ll isn't 'tweet'.

          SPLF
          spixleatedlifeform
    • GrabBoyd: "windows IS the malware"

      Zeus malware also exists for Android:

      "A short overview of Android banking malware"
      http://www.net-security.org/malware_news.php?id=2595

      The article also mentions SpyEye and Citadel banking malware for Android.

      Long story short, the malware miscreants like popular, open platforms like Windows and Android.
      Rabid Howler Monkey
    • Good Call!

      Bill Gates is the most brilliant man ever to live: He managed to hoodwink the vast majority of computer users into using an OS which virtually begs hackers to hijack it.
      daniel1948x
  • No wonder they're getting infected.

    The research team, according to those screen grabs, is using XP and Outlook Express. Anyway, Windows should be patched by MS to not run PIF files, since they have no legitimate use anymore.
    harry_dyke
    • .pif files

      So you're implying that the newer versions are immune to .pif social engineering?
      1st, social engineering is very effective regardless of OS; nobody is immune, not Linux, not Mac, not Windows variants.
      2nd, .pif files are executable and will work in _ALL_ versions of Windows, not just XP, hence this attack can even affect Vista, Win7 and Win8.

      I bet you're one of those who predicted the XP apocalypse, when I am still on XP to this day. No re-install since 2008, when I got infected because I forgot to remove a USB drive before a reboot, which disabled my AV, and I detected that something was wrong (I got infected that time, but I know any version of Windows could've been infected too).
      Martmarty
    • harry_dyke: "Windows should be patched by MS to not run PIF files"

      Windows users can prevent their systems from running PIF files, and many other executable file types, themselves:

      o Users of Windows business editions can enable Software Restriction Policy via gpedit.msc
      o Users of Windows Home editions can transparently create software restriction policies by downloading and installing CryptoPrevent free (I believe that it protects against PIF files)
      Rabid Howler Monkey
  • People are morons.

    It boggles my mind that in 2014 people are still stupid enough to click on links in emails, and to download and open files because an email tells them that some agency needs them to fill out a form, or some unknown person has sent them a fax, or whatever.

    And people like that are allowed to vote!!!
    daniel1948x