Security researchers at Websense Labs have warned Internet users to be vigilant of a new Trojan malware that derives its information-stealing technique from Zeus. This malicious strain of Zeus variants has been found targeting the financial data of its victims by abusing the way Windows handles file extensions.
After several months of monitoring the malware’s activity, the researchers concluded that the attackers have been using the Zeus variants in low-volume email campaigns targeted at customers of financial institutions. According to Websense’s findings, the Zeus variants were delivered by droppers that use the Windows Program Information File (PIF) extension, an extension Windows keeps hidden from the user and one that has accompanied viruses throughout the recent history of the malware landscape.
Furthermore, the researchers discovered that the banking Trojan derives its attributes from Zberp, a combination of Zeus and Carberp, two of the largest malware families that have been assailing the financial industry. The attacks come in many forms and adapt their methods of stealing information as anti-malware products implement new updates.
It has been known that hackers have been using Zberp to exploit computer systems and steal data from compromised machines. Most often, this information includes names, IP addresses and other data that users submit over a plain HTTP connection, which lacks the protection of encryption. What’s more, the variant captures screenshots of private financial transactions and transmits them to the cyber criminals’ command and control servers. The most alarming part of the cybercrime is the capacity of the Zeus variant to hide itself from anti-malware scanners.
In most cases, targeted victims were lured into running a file from a URL contained in an email message addressed to them. These emails are also tricky because they appear legitimate in almost every aspect, from how they are worded to their spelling and grammar. There are no attachments of a dubious nature, so the technique is equally effective against individuals who would otherwise suspect that an attachment might contain malware or compromise their computers when opened.
PIF files are nothing new, however. Hackers in the past have also employed this method because of the secretive way it operates: Windows does not display the .pif extension, regardless of whether your Windows configuration is set to reveal the file extensions of all file types.
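To make the extension trick concrete from a defender's side, here is an added example (not code from the article, from Websense or from any product) in Python that scans a directory for files whose real extension is one Windows Explorer never displays, such as .pif, and flags those that stack it on a document-looking name like statement.pdf.pif, which the victim sees as "statement.pdf". The hidden-extension set beyond .pif, the decoy-extension set and the sample file names are assumptions constructed for the example.

```python
"""Flag files whose real extension Windows hides even when 'Hide extensions
for known file types' is switched off.  Added example; the extension lists
are assumptions, not taken from the article."""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Extensions Explorer never shows (NeverShowExt in the registry).  .pif is the
# one the article discusses; the others are assumptions added for generality.
ALWAYS_HIDDEN = {".pif", ".lnk", ".url", ".scf"}

# Document-looking inner extensions a victim would expect to be harmless.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def classify(name: str) -> Optional[str]:
    """Return a finding for a file name, or None if it is not suspicious.

    'hidden-ext' : the real extension is one Explorer hides
                   (invoice.pif is displayed as 'invoice').
    'double-ext' : a hidden extension stacked on a decoy document extension
                   (statement.pdf.pif is displayed as 'statement.pdf').
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes or suffixes[-1] not in ALWAYS_HIDDEN:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
        return "double-ext"
    return "hidden-ext"


def scan(directory: str) -> Dict[str, str]:
    """Walk a directory tree and map each suspicious file path to its finding."""
    findings: Dict[str, str] = {}
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            verdict = classify(fname)
            if verdict is not None:
                findings[os.path.join(root, fname)] = verdict
    return findings


def demo() -> Dict[str, str]:
    """Create constructed sample files in a temporary folder, scan them and
    return {file name: finding}.  Only the suspicious names should appear."""
    sample_names = [
        "statement.pdf.pif",   # constructed: decoy document name + hidden ext
        "invoice.pif",         # constructed: bare hidden extension
        "report.pdf",          # constructed: benign document
        "archive.tar.gz",      # constructed: benign double extension
        "README",              # constructed: no extension at all
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for name in sample_names:
            Path(tmp, name).write_bytes(b"")  # content is irrelevant here
        return {os.path.basename(p): v for p, v in scan(tmp).items()}


if __name__ == "__main__":
    for fname, verdict in sorted(demo().items()):
        print(f"{verdict:10s} {fname}")
```

Run the script as-is to see the two constructed decoys flagged, or call `scan()` against a download or mail-attachment folder. The check is deliberately name-based: it catches the display trick the article describes even when the file body is not yet known to a scanner.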
The Zeus PIF variants transmit stolen data to command and control servers over an HTTPS connection, using a valid certificate issued by the Comodo Essential SSL certificate authority. So it appears that hackers have found a way to lend an air of legitimacy to their malicious activity.