Zeus variant 'Maple' targets financial data of Canadian users

A new Zeus variant called “Maple” improves upon a number of malicious capabilities familiar to fraudsters wielding the trojan.

According to Trusteer, an IBM company, criminals have targeted 14 leading financial institutions in Canada with the malware since January. The name “Maple” is a reference to the red maple leaf on the Canadian flag.

On Monday, Dana Tamir, director of enterprise security at Trusteer, wrote about the threat on IBM's Security Intelligence blog.  

Among Maple's enhanced features are “re-patching” techniques, which restore web-injection functionalities (for stealing financial data from web browser sessions) even after security solutions detect the malware.

In addition, the Maple variant was designed with anti-debugging features – using a packer written in Visual Basic, a programming language “notoriously complex to debug [that] makes the analysis more difficult,” Tamir's post said.

In order to check the malware in debug mode, researchers are forced to jump through other hoops, Tamir added.

“In addition, to prevent malware researchers from debugging the malware, ZeuS.Maple checks the value of two known Windows flags: PEB!IsDebuggedFlag and PEB!NtGlobalFlags. The code section that checks the flag value seems to be absent at first glance, but ZeuS.Maple unpacks this code section right before it uses it,” she wrote.

In a follow-up interview with SCMagazine.com on Wednesday, Tamir further explained the anti-debugging features available to saboteurs.

“If [the two Windows flags] are not raised you can't get into debug mode,” Tamir said. “You have to crack that in order to get into a mode that allows you to research the malware. They are putting in hurdles specifically designed to keep malware researchers from looking at what the malware is actually doing.”

While Trusteer did not analyze how Maple was being delivered to Windows users, criminals often opt to spread the banking trojan via drive-by download or phishing emails, Tamir said.

The new Maple variant has other evasive features as well. It encrypts its configuration, which is stored in the Windows Registry, with AES-128. It also attempts to make the malicious executable appear legitimate to security scanners by obscuring it in a new Windows installation path.

“The ZeuS.Maple variant provides an interesting example of new and improved methods used by malware developers to bypass automated security controls as well as human malware researchers,” Tamir wrote in her blog post. “We expect this trend to continue as we find more sophisticated, stealthy variants of Zeus targeting specific geographical regions.”
