Zeus variant 'Maple' targets financial data of Canadian users

A new Zeus variant called “Maple” improves upon a number of malicious capabilities familiar to fraudsters wielding the trojan.

According to Trusteer, an IBM company, criminals have targeted 14 leading financial institutions in Canada with the malware since January. The name “Maple” is a reference to the red maple leaf on the Canadian flag.

On Monday, Dana Tamir, director of enterprise security at Trusteer, wrote about the threat on IBM's Security Intelligence blog.

Among Maple's enhanced features are “re-patching” techniques, which restore web-injection functionalities (for stealing financial data from web browser sessions) even after security solutions detect the malware.

In addition, the Maple variant was designed with anti-debugging features – using a packer written in Visual Basic, a programming language “notoriously complex to debug [that] makes the analysis more difficult,” Tamir's post said.

In order to check the malware in debug mode, researchers are forced to jump through other hoops, Tamir added.

“In addition, to prevent malware researchers from debugging the malware, ZeuS.Maple checks the value of two known Windows flags: PEB!IsDebuggedFlag and PEB!NtGlobalFlags. The code section that checks the flag value seems to be absent at first glance, but ZeuS.Maple unpacks this code section right before it uses it,” she wrote.

In a Wednesday follow-up interview with SCMagazine.com, Tamir further explained the anti-debugging features available to saboteurs.

“If [the two Windows flags] are not raised you can't get into debug mode,” Tamir said. “You have to crack that in order to get into a mode that allows you to research the malware. They are putting in hurdles specifically designed to keep malware researchers from looking at what the malware is actually doing.”
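As an added illustration that is not part of the article or of Trusteer's analysis, the helper below decodes the two PEB fields named above from a raw PEB snapshot, such as one read out of a process dump during triage. The field offsets are the public ntdll layouts for x86 and x64; the snapshots it runs on are constructed here, and the function and constant names are this example's own.

```python
"""Decode the debugger indicators PEB!BeingDebugged and PEB!NtGlobalFlag
from a raw PEB snapshot (bytes), for x86 or x64 processes."""
import struct

# Heap-debugging bits that ntdll sets in NtGlobalFlag when a process is
# created under a debugger; anti-debugging code tests for all three.
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
DEBUGGER_HEAP_FLAGS = (FLG_HEAP_ENABLE_TAIL_CHECK
                       | FLG_HEAP_ENABLE_FREE_CHECK
                       | FLG_HEAP_VALIDATE_PARAMETERS)  # 0x70

# BeingDebugged is a single byte at PEB+0x02 on both architectures;
# NtGlobalFlag is a 32-bit value at PEB+0x68 (x86) or PEB+0xBC (x64).
BEING_DEBUGGED_OFFSET = 0x02
PEB_LAYOUT = {
    "x86": {"NtGlobalFlag": 0x68, "min_size": 0x70},
    "x64": {"NtGlobalFlag": 0xBC, "min_size": 0xC0},
}


def decode_peb_debug_indicators(peb: bytes, arch: str) -> dict:
    """Return the raw flag values plus a combined verdict for the snapshot."""
    layout = PEB_LAYOUT[arch]
    if len(peb) < layout["min_size"]:
        raise ValueError(f"PEB snapshot too short for {arch}: {len(peb)} bytes")
    being_debugged = peb[BEING_DEBUGGED_OFFSET]
    nt_global_flag = struct.unpack_from("<I", peb, layout["NtGlobalFlag"])[0]
    heap_flags_set = (nt_global_flag & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS
    return {
        "BeingDebugged": bool(being_debugged),
        "NtGlobalFlag": nt_global_flag,
        "debugger_heap_flags": heap_flags_set,
        # Either indicator alone is enough for a check like Maple's to bail out.
        "looks_debugged": bool(being_debugged) or heap_flags_set,
    }


def make_sample_peb(arch: str, debugged: bool) -> bytes:
    """Constructed sample snapshot: zero-filled PEB, optionally with both
    debugger indicators raised the way ntdll would set them."""
    buf = bytearray(PEB_LAYOUT[arch]["min_size"] + 0x100)
    if debugged:
        buf[BEING_DEBUGGED_OFFSET] = 1
        struct.pack_into("<I", buf, PEB_LAYOUT[arch]["NtGlobalFlag"], DEBUGGER_HEAP_FLAGS)
    return bytes(buf)


if __name__ == "__main__":
    for arch in ("x86", "x64"):
        print(arch, decode_peb_debug_indicators(make_sample_peb(arch, True), arch))
```

A snapshot taken from a process started under a debugger reports both indicators raised; one from a process attached to later typically shows only BeingDebugged, since the heap flags are fixed at process creation.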

While Trusteer did not analyze how Maple was being delivered to Windows users, criminals often opt to spread the banking trojan via drive-by download or phishing emails, Tamir said.

The new Maple variant also adds other malicious capabilities, including encrypting its malware configuration (which is stored in the Windows Registry) with AES-128. The malware also attempts to make the malicious executable appear legitimate to security scanners by installing it under a new Windows installation path chosen to look innocuous.

“The ZeuS.Maple variant provides an interesting example of new and improved methods used by malware developers to bypass automated security controls as well as human malware researchers,” Tamir wrote in her blog post. “We expect this trend to continue as we find more sophisticated, stealthy variants of Zeus targeting specific geographical regions.”
