New variant of Zeus banking trojan concealed in JPG images

Share this article:
Operators again revive Pushdo botnet, use a popular tactic to stay hidden
A new variant of the nefarious Zeus banking trojan is concealed in JPG image files.

A new variant of the nefarious Zeus banking trojan – dubbed ZeusVM – is concealed in JPG image files, according to the collaborative findings of Jerome Segura, senior security researcher with Malwarebytes, and French security researcher Xylitol.  

The act is known as steganography – concealing messages or images in other messages or images.

In the case of ZeusVM, the malware's code is hidden in unassuming JPG images, a Monday blog post by Segura revealed. These photos serve as misdirection for ZeusVM to retrieve its configuration file.

“The JPG contains the malware configuration file, which is essentially a list of scripts and financial institutions - but doesn't need to be opened by the victim themselves,” Segura told SCMagazine.com in a Tuesday email correspondence. “In fact, the JPG itself has very little visibility to the user and is largely a cloaking technique to ensure it is undetected from a security software standpoint.”

Being infected by ZeusVM trojan allows for man-in-the-middle and man-in-the-browser attacks, Segura said, adding that visiting certain URLs, such as banking websites, will cause the trojan to respond and begin interacting in real-time.

This means attackers can obtain certain information by altering a login page using webinjects, or they could perform wire transfers while altering the victim's account balance to make it seem like funds were never moved, Segura said.

Meanwhile, the ZeusVM main executable, buried deep within the computer, is communicating with the command-and-control server, Segura said, adding it reactivates every time the system reboots.

“This piece of malware can be distributed in many different ways, but most typically through phishing emails or a web-based attack,” Segura said, explaining the malware could also be spread via malvertising, which involves websites hosting ads that spread malware.

To show the difference between an original image and a compromised image, Segura, in his blog post, placed two seemingly identical JPGs side by side. When viewed in bitmap mode and in hexadecimal viewer, the added bits of malicious code were noticeable.

“To make identification more difficult, the appended data is encrypted with Base64, RC4 and XOR,” Segura wrote in the post. “To decode it you can reverse the file with a debugger such as OllyDbg and grab the decryption routine. Alternatively, you can use the leaked Zeus source code to create your own module that will decompress the data blocks.”

Share this article:

Sign up to our newsletters

More in News

In Cisco probe, misuse or compromise spotted on all firms' networks

In Cisco probe, misuse or compromise spotted on ...

Cisco analyzed the business networks of 30 multinational companies last year, and revealed the findings in its 2014 Annual Security Report.

Fareit trojan observed spreading Necurs, Zbot and CryptoLocker

The Necurs and Zbot trojans, as well as CryptoLocker ransomware, has been observed by researchers as being spread through another trojan, known as Fareit.

Post Heartbleed, tech giants join initiative to bolster open source

Post Heartbleed, tech giants join initiative to bolster ...

The newly formed Core Infrastructure Initiative, created to boost under-funded open source projects, will tackle OpenSSL first.