Incident Response, Malware, TDR

Criminals fuse Zeus, Carberp code for more sinister trojan

Cyber criminals have combined the source code of Zeus, a mainstay trojan wielded by fraudsters, and Carberp, newer financial malware, to introduce a more pervasive threat.

Trusteer, an IBM company, aptly named the new trojan “Zberp,” for its mix of malicious features which have already targeted over 450 financial institutions throughout the globe, primarily in the U.S., U.K., and Australia.

On Thursday, Dana Tamir, the director of enterprise security at Trusteer, revealed details about the Windows malware on an IBM blog.

In addition to functionalities, like taking screenshot of victims' financial data and collecting basic information about infected machines (like the computer name and IP address), Zberp is able to “''steal data submitted in HTTP forms, user SSL certificates, and FTP and POP account credentials, Tamir wrote.

Criminals have also built the malware so that web injections and man-in-the-middle (MitM) and man-in-the-browser (MitB) attacks can be leveraged to steal sensitive data.

Worse yet, Tamir said, are the evasion techniques that Zberp employs, which make it hard to detect and, ultimately, remove.

“…The malware deletes its persistence key from the registry during the Windows startup process to prevent security solutions from detecting it during normal system scans that take place after the system boots,” Tamir wrote. “To ensure persistency, however, the malware rewrites the persistence key back to the registry during system shutdown. The trojan also disguises the configuration code in an image file through steganography, a technique used by malware authors to embed code in a file format that looks legitimate and bypasses malware detection solutions.”

In a Wednesday follow up interview with, Tamir said that researchers discovered the trojan being spread through the Andromeda botnet.

“It's used as a dropper that spreads malware to infect other user endpoints,” Tamir said of the botnet.

She also added that analysts have yet to see the malware for sale in underground forums, though they detected the threat in the wild last week.

Last June, researchers discovered that a black market seller was offering the source code of Carberp for $5,000 – a price analysts assumed would get its fair share of takers. About six months prior to that, a criminal group leveraging the trojan was found hawking a similar package at a much steeper price of $40,000 per exploit kit.

In her interview with, Tamir explained that the Zeus-Carberp amalgamation was expected, as the practice continues to be a profitable trend on the underground.

“Malware developers continue to strengthen their trojan capabilities to create more sophisticated trojans, and this won't stop in the near future,” she said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.