The notorious ZeuS (Zbot) malware is usually utilized to steal sensitive information from infected computers. However, newer versions spotted by experts are capable of doing much more.
A few days ago, RSA experts identified a version of ZeuS that was being utilized in 419 scams. Now, they’ve come across a variant that uses compromised systems to check for availability of Instagram usernames.
Once it lands on a computer, the malware downloads several additional components. The hashes of the threat are changed often to avoid being detected by antivirus solutions, but the size of the file is always the same.
After the additional malicious components are downloaded and installed, ZeuS performs search engine queries, most likely in an effort to promote malicious websites in search engine results.
Then, it starts checking for the availability of Instagram usernames via the social media network’s mobile API.
“For servers and virtual machines running Windows operating systems, Instagram API calls are pushed into Instagram by spoofing User-Agent strings in an attempt to disguise the traffic as a Smartphone running an Android operating system,” RSA senior researcher “Fielder” noted.
The threat is designed to check usernames comprised of a dictionary word followed by a series of four or more random characters.
Experts believe the malware is checking the availability of Instagram usernames in an effort to create an army of fake Instagram users that can later be sold as followers to individuals or organizations that want to boost their popularity.
In addition to checking for usernames, the malware is also capable of automatically liking photos posted on other Instagram accounts.
“The latest Zbot variant appears to be upping its game with new features and functionality. Search engine optimization abuse and Instagram account abuse could just be the beginning,” “Fielder” wrote.