Zeus variant 'Maple' targets financial data of Canadian users


A new Zeus variant called “Maple” improves upon a number of malicious capabilities familiar to fraudsters wielding the trojan.

According to Trusteer, an IBM company, criminals have targeted 14 leading financial institutions in Canada with the malware since January. The name “Maple” is a reference to the red maple leaf on the Canadian flag.

On Monday, Dana Tamir, director of enterprise security at Trusteer, wrote about the threat on IBM's Security Intelligence blog.

Among Maple's enhanced features are “re-patching” techniques, which restore its web-injection functionality (used to steal financial data from web browser sessions) even after security solutions have detected the malware.

In addition, the Maple variant was designed with anti-debugging features – using a packer written in Visual Basic, a programming language “notoriously complex to debug [that] makes the analysis more difficult,” Tamir's post said.

In order to check the malware in debug mode, researchers are forced to jump through other hoops, Tamir added.

“In addition, to prevent malware researchers from debugging the malware, ZeuS.Maple checks the value of two known Windows flags: PEB!IsDebuggedFlag and PEB!NtGlobalFlags. The code section that checks the flag value seems to be absent at first glance, but ZeuS.Maple unpacks this code section right before it uses it,” she wrote.

In a Wednesday follow-up interview with SCMagazine.com, Tamir further explained the anti-debugging features available to saboteurs.

“If [the two Windows flags] are not raised you can't get into debug mode,” Tamir said. “You have to crack that in order to get into a mode that allows you to research the malware. They are putting in hurdles specifically designed to keep malware researchers from looking at what the malware is actually doing.”
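The two flags Tamir names live in the Process Environment Block: PEB.BeingDebugged at offset 0x02 and PEB.NtGlobalFlag at offset 0x68. Malware reads them through the fs:[0x30] segment pointer on 32-bit Windows, and analysts routinely scan dumped code for those instruction encodings to locate the check before stepping through a sample. The following Python scanner is an added example written for this article, not code from Trusteer or the IBM post, and it makes two assumptions: the instruction encodings listed are the common ones (they are a heuristic, not a signature specific to Maple), and the input is a memory dump taken at runtime, since the article notes that Maple unpacks the checking code only right before it uses it, so the packed file on disk would not contain these bytes. The sample dump is constructed inline.

```python
"""Locate x86 code that reads PEB.BeingDebugged / PEB.NtGlobalFlag in a memory dump."""
import re

# Common encodings that load the PEB pointer (fs:[0x30]) into eax, ecx or edx.
PEB_LOADS = {
    "mov eax, fs:[0x30]": re.compile(rb"\x64\xa1\x30\x00\x00\x00"),
    "mov ecx, fs:[0x30]": re.compile(rb"\x64\x8b\x0d\x30\x00\x00\x00"),
    "mov edx, fs:[0x30]": re.compile(rb"\x64\x8b\x15\x30\x00\x00\x00"),
}

# Follow-on reads of the two debugger flags. The ModRM byte ranges 0x40-0x42 and
# 0x78-0x7a accept eax, ecx or edx as the base register holding the PEB pointer.
FLAG_READS = {
    "PEB.BeingDebugged (movzx eax, byte [reg+0x02])": re.compile(rb"\x0f\xb6[\x40-\x42]\x02"),
    "PEB.BeingDebugged (cmp byte [reg+0x02], 0)": re.compile(rb"\x80[\x78-\x7a]\x02\x00"),
    "PEB.NtGlobalFlag (mov eax, [reg+0x68])": re.compile(rb"\x8b[\x40-\x42]\x68"),
    "PEB.NtGlobalFlag (test byte [reg+0x68], 0x70)": re.compile(rb"\xf6[\x40-\x42]\x68\x70"),
}


def find_peb_debug_checks(buf, window=16):
    """Return PEB loads followed, within `window` bytes, by a read of either debugger flag.

    A PEB load alone is not suspicious (legitimate code reads PEB.Ldr and other fields),
    so a hit requires both the load and a flag read close behind it.
    """
    hits = []
    for load_name, load_re in PEB_LOADS.items():
        for m in load_re.finditer(buf):
            tail = buf[m.end():m.end() + window]
            for flag_name, flag_re in FLAG_READS.items():
                fm = flag_re.search(tail)
                if fm:
                    hits.append({
                        "offset": m.start(),            # where the PEB load begins
                        "load": load_name,
                        "flag": flag_name,
                        "flag_offset": m.end() + fm.start(),
                    })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample "dump": two genuine anti-debug checks and one benign PEB access.
SAMPLE_DUMP = (
    b"\x90" * 8                                  # padding
    + b"\x64\xa1\x30\x00\x00\x00"                # mov eax, fs:[0x30]
    + b"\x0f\xb6\x40\x02"                        # movzx eax, byte [eax+0x02]  (BeingDebugged)
    + b"\x85\xc0\x75\x10"                        # test eax, eax ; jnz +0x10
    + b"\x90" * 8
    + b"\x64\xa1\x30\x00\x00\x00"                # mov eax, fs:[0x30]
    + b"\x8b\x40\x0c"                            # mov eax, [eax+0x0c]  (PEB.Ldr, benign decoy)
    + b"\x90" * 8
    + b"\x64\x8b\x0d\x30\x00\x00\x00"            # mov ecx, fs:[0x30]
    + b"\xf6\x41\x68\x70"                        # test byte [ecx+0x68], 0x70  (NtGlobalFlag)
    + b"\x90" * 8
)


if __name__ == "__main__":
    for hit in find_peb_debug_checks(SAMPLE_DUMP):
        print(f"0x{hit['offset']:04x}: {hit['load']} -> {hit['flag']} at 0x{hit['flag_offset']:04x}")
```

Running it on the constructed dump reports the BeingDebugged check at offset 8 and the NtGlobalFlag check at offset 47 while ignoring the PEB.Ldr access, which is the point of requiring a flag read after the load: the PEB pointer itself is read by plenty of legitimate code. The byte window is deliberately short so that a flag read far from any PEB load, where the register may no longer hold the PEB pointer, is not reported.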

While Trusteer did not analyze how Maple was being delivered to Windows users, criminals often opt to spread the banking trojan via drive-by download or phishing emails, Tamir said.

The new Maple variant also adds other malicious capabilities, including encrypting its configuration (which is stored in the Windows Registry) with AES-128. The malware also attempts to make its executable appear legitimate to security scanners by hiding it in a new Windows installation path.

“The ZeuS.Maple variant provides an interesting example of new and improved methods used by malware developers to bypass automated security controls as well as human malware researchers,” Tamir wrote in her blog post. “We expect this trend to continue as we find more sophisticated, stealthy variants of Zeus targeting specific geographical regions.”
