Evolving Zeus malware used in targeted email attacks

Zeus variants that use Windows extensions to steal user data have been discovered in malicious email campaigns.

Security researchers at Websense Security Labs have identified Zeus strains that implement information-stealing procedures that appear to be an evolution of the coding used in previous Zeus variants. The emerging variants, tracked over several months, are being used in new low-volume email campaigns that target users' financial data. The Zeus variants in the campaign appear to also be using droppers that employ the hidden Windows "PIF" (Program Information Files) file extension — an extension the researchers say was often associated with viruses in the past and appears to be making a comeback.

The Websense ThreatSeeker Intelligence Cloud has been tracking the campaign, which appears in short bursts, for several months. Specifically, these strains of the banking Trojan have been seen to "persistently evolve and adapt their methods to implement information stealing procedures," and are believed to be a direct evolution of a previous variant called "Zberp."

The Zberp Trojan, believed to have been assembled from the source code of Zeus and Carberp, allows cybercriminals to lift information from compromised computers including names, IP, data submitted in HTTP forms and FTP/POP accounts. As well as being able to take screenshots and send them to Command and Control (C&C) centers, the variant also uses evasion techniques inherited from both the Zeus and Carberp Trojans.

The emails used by Zeus PIF often hold subjects used to lure a target to run a file from a URL and according to the team are of good quality; containing no spelling mistakes and convincing imagery. For example, "Payment Confirmation," "eFax message from Fax" and "Failed delivery for package" are used. The email does not contain attachments, but rather a URL link to a .ZIP file which contains the Zeus dropper and the executable PIF file.

PIF files were often used in the past by malicious software due to its hidden nature — even if Windows is configured to show file extensions of known file types — and within this campaign, lures are sent as .PDF files which are actually PIF files, an attempt to deceive a user in case they are able to see the extension.

Last week, the team monitored the campaign using themes tailored for Canadian targets and in particular, Canadian banks. However, US businesses are also being targeted, as the email examples below show:

• Email subject: Failed delivery for package #1398402
• File name: pdf_canpost_RT000961269SG.zip
• VirusTotal detection rate: 2 percent.
• ThreatScope analysis: link

• Email subject: Pending consumer complaint
• File name: ftc_pdf_complaint.zip
• VirusTotal detection rate: 11 percent
• ThreatScope analysis: link

One interesting point is that these new variants appear to be focused on evading client-side security software that alerts users to "malicious hooks" — where malware inserts procedures aimed to eavesdrop on legitimate processes like browsers. The variants appear to have evolved from hooking procedures used by Zberp, and use changing patterns of infection to try and hoodwink security systems.

After monitoring and stealing data, the Zeus PIF variants communicate with C&C servers using HTTPS in order to transfer stolen data. According to Websense, the C&C servers possessed valid and signed certificates for at least three months from a certification authority known as "Comodo Essential SSL." This, in turn, gives the cyberattacks additional resilience and anonymity.

The security researchers said this variants' connections to the "Zberp" Zeus strain show that the "cat and mouse game" between cyberattackers and detection software is ever continuing. The campaign's actors are attempting to sustain longer periods of "undetected covert activity" using the Zeus bot, and so are continually changing the "DNA" of the bot, as well as using other techniques — including the use of C&C servers that utilize SSL — to sustain their campaigns and steal data for as long as possible.

"Because the Zeus source code was leaked back in 2011, many evolving variants of the bot started to spawn by different cyber-criminal groups," the security team says. "New variants have been given different names, and we believe the list of variants is going to grow. Strains that may at first look quite different, often have the familiar Zeus at their core. Tracking and dissecting the evolution of a malware strain allows us to know exactly the technological challenges that come with it and what is required to stop it."