Trusteer analyzed the improvements brought to the Trojan

Jun 10, 2014 15:42 GMT  ·  By

A new variant of the ZeuS Trojan, targeting mainly customers of 14 leading financial institutions in Canada, has recently been detected by the Trusteer security research team.

Dubbed ZeuS.Maple (version ID is 3.3.6.0), the threat appears to be a heavily modified version of ZeuS 2.0.8.9 that does not integrate new capabilities but includes enhancements of already known functionality.

According to the security firm, ZeuS.Maple is the only variant of the Trojan that can re-patch the web browser with a specific function in order to keep its web-injection based information stealing working.

According to Trusteer researchers, unlike earlier instances of the Trojan, the name of the dropped executable file in this case relies on a more sophisticated algorithm that “enumerates the %APPDATA% directory and chooses an existing folder for its dropped executable location.”

The resulting name is a combination of the folder and a hard-coded string. Making the threat look like a legitimate file increases its stealth.
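The naming trick described above suggests a simple hunt for defenders. The following is an added example, not code from the article or from Trusteer: it walks a directory laid out like %APPDATA% and flags executables whose file name begins with the name of the folder they sit in. The hard-coded string is not published here, so "folder name plus any non-empty suffix" is an assumed heuristic, and the sample folder tree is constructed for the demo.

```python
import tempfile
from pathlib import Path

# Assumed heuristic (not Trusteer's detection logic): the article says ZeuS.Maple
# picks an existing %APPDATA% sub-folder and names its dropped executable
# "<folder name> + hard-coded string". Since that string is unknown, flag any
# executable whose stem starts with its parent folder's name plus something more.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr"}

def find_folder_named_executables(appdata: Path) -> list[Path]:
    hits = []
    for folder in sorted(p for p in appdata.rglob("*") if p.is_dir()):
        for entry in folder.iterdir():
            if not entry.is_file() or entry.suffix.lower() not in EXECUTABLE_SUFFIXES:
                continue
            stem, name = entry.stem.lower(), folder.name.lower()
            # "<folder><suffix>.exe" with a non-empty suffix is suspicious; an exact
            # "<folder>.exe" is common for legitimate software and is ignored
            if stem.startswith(name) and len(stem) > len(name):
                hits.append(entry)
    return hits

def build_sample_tree(root: Path) -> Path:
    """Constructed sample layout standing in for %APPDATA%; contains no real malware."""
    appdata = root / "AppData" / "Roaming"
    (appdata / "Mozilla" / "Firefox").mkdir(parents=True)
    (appdata / "Mozilla" / "Firefox" / "profiles.ini").write_text("")
    (appdata / "Mozilla" / "mozilla.exe").write_bytes(b"MZ")     # exact name: ignored
    (appdata / "Adobe").mkdir()
    (appdata / "Adobe" / "adobecore.exe").write_bytes(b"MZ")     # folder name + suffix
    (appdata / "Skype").mkdir()
    (appdata / "Skype" / "update.exe").write_bytes(b"MZ")        # unrelated name: ignored
    return appdata

def demo() -> list[str]:
    """Run the hunt over the constructed tree; returns relative POSIX-style paths."""
    with tempfile.TemporaryDirectory() as tmp:
        appdata = build_sample_tree(Path(tmp))
        return [p.relative_to(appdata).as_posix() for p in find_folder_named_executables(appdata)]

if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```

On a live system, point `find_folder_named_executables` at `Path(os.environ["APPDATA"])` and review hits manually, since legitimate updaters can produce the same pattern.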

ZeuS.Maple also comes with increased resistance to reverse-engineering, using a unique packer written in Visual Basic, which the security company says is “notoriously complex to debug and makes analysis more difficult.”

Another difference from most ZeuS variants is the stronger encryption algorithm: in this case, the developer replaced the weaker RC4 with AES-128.

Trusteer also offers details about the command and control communication, which, at a first glance, seems to indicate that the server is located in India; a closer look, though, reveals that the commands originate from Russia.

Despite the source code being leaked in 2011, ZeuS continues to offer malware authors plenty of motivation to improve the Trojan with each new variant they spew into the wild.

Designed mostly to steal sensitive information such as banking details, it can also capture online credentials and other types of user-related data.

The threat and its variants are generally distributed through spam campaigns that lure the user to infected pages, but other attack vectors, such as email attachments, are also used.

One of the most recent threats based on ZeuS code is GameOver ZeuS, which infected more than 500,000 Windows computers and turned them into a huge botnet. The cybercriminals used the network of compromised systems in distributed denial-of-service (DDoS) attacks in order to divert attention from the financial theft.

Currently, GameOver ZeuS is no longer controlled by the criminals and users are advised to run disinfection routines on their computers.