Researchers have discovered a new Zeus variant that packs fewer malicious tricks, but uses not-to-be-overlooked encryption mechanisms to remain undetected.
Fortinet detailed the variant, dubbed “Lite Zeus,” in a Thursday blog post. According to Kan Chen, a junior AV analyst with Fortinet's FortiGuard Labs, the malware is distinct from other versions of Zeus, like Gameover, in its network communication, command-and-control protocol and encryption techniques.
Of note, Lite Zeus only uses transmission control protocol (TCP) communication to send or retrieve information from its control hub, Chen wrote, and it is capable of performing a number of feats, including causing operating systems to shut down or reboot. Attackers can also update the botnet at will to carry out other malicious activities of their choosing, the blog post said.
Chen also revealed that the “lite” version of Zeus employs AES-128, instead of older encryption cipher RC4.
“In many other Zeus variants, RC4 has been widely used in data encryption and decryption due to its fast speed and easy implementation,” Chen wrote. “Surprisingly, this Zeus variant does not use RC4, but implements AES-128 instead.”
In a Monday email to SCMagazine.com, Chen added that, following the Gameover Zeus takedown, other Zeus variants “definitely took over the market temporarily.”
Despite the Gameover botnet disruption earlier this month – in which law enforcement named and indicted the botnet's alleged administrator, Evgeniy Bogachev (who remains at large) – other versions of the banking trojan, like “Maple,” have been taken up by criminals. Maple, which targeted users in Canada, also employs AES-128 encryption.
“This Lite Zeus is similar to Maple,” Chen wrote. “There are also other types of Zeus variants taking over the Gameover Zeus market [and] Lite Zeus is one of them. As for the AES-128 encryption, it could be a future trend of some Zeus variants. However, the Zeus author could always decide which encryption to use in the future since the Zeus library is released publicly.”