Malware researchers at SentinelOne have spotted a new Zeus variant that was used to target major Canadian banks, including the National Bank of Canada, the Bank of Montreal and the Royal Bank of Canada.
The researcher Anton Ziukin explained that also this variant of Zeus relies on Web injection mechanisms to create pages used by threat actors to steal victim’s banking credentials and other personal information that could be offered for sale in the underground market. In the specific case, the malware displays victims a phishing page that reproduces the login form for their online banking services.
“This attack continues a growing trend in banking malware that goes beyond simply targeting the victim’s login credentials (i.e. their username and password) and injects pages to steal a wealth of personal information including answers to security questions, debit and credit card numbers, social security number, driver license number and more. While some of this information can be used to commit online banking fraud, the other personal data can be used for different crimes including healthcare fraud, opening credit accounts in victim’s names, etc. It could even be used in spear phishing attacks to target individuals within enterprises and government agencies in order to breach secure networks.” Ziukin reports in a blog post.
The phishing page proposed by the new Zeus variant also instructed victims to provide their personal data, including ATM PIN, and credit/debit card details, social insurance number and date of birth.
This new strain of Zeus malware is not detected by several antivirus, besides it also bypasses SSL browser security because the malicious code is installed on the endpoint and relies on Man-In-The-Browser technique to direct inject its web content in the victim’s browser.
“Since the malware is installed on the endpoint device it can inject fake webpages into the browser without breaking the SSL connection to the bank’s server and generating a security alert. Predictive execution technology that monitors activity on the endpoint device is the only way to detect and block these attacks, and protect personal information from getting into the hands of criminals.” continues the post.
The experts accessed the control panel of the new Zeus botnet noting its high level of sophistication. The control panel includes detailed information on each of the compromised bank accounts, in fact it reports balance, login status, and Web browser used by the victim.
The panel also includes a “Drop” form used to customize the attacks, for example, cyber criminals can specify the destination bank account to transfer stolen funds and the percentage to release the money Mule before transferring the balance to the attacker.
“This glimpse into the criminal underground demonstrates the sophistication of the tools being used by criminal gangs to conduct banking and other forms of online fraud. Building, executing and monetizing advanced attacks is easier and more affordable than ever before,” SentinelOne’s Anton Ziukin said in a blog post.
It is even more simple for cyber criminals to arrange scams and conduct illegal activities thanks the offer in the cyber criminal ecosystem, for example recently researchers at IBM Trusteer discovered a new toolkit dubbed KL-Remote that allows criminals to run Remote Overlay Attacks without specific skills.
Stay Tuned …
(Security Affairs – online banking, Zeus)