Researchers with Kaspersky Lab have discovered a new trojan – detected as Trojan-Banker.Win32.Chthonic, or ‘Chthonic’ – that appears to be an evolution of ZeusVM, and is targeting more than 150 banks and 20 payment systems in 15 different countries, including in the U.S.
In a Tuesday email correspondence, Yury Namestnikov, a researcher with Kaspersky Lab, told SCMagazine.com that Chthonic has a modular architecture and that attackers can easily extend functionality of the malware.
Right now, Chthonic is capable of stealing saved passwords in different applications, keylogging in applications or on web pages, form grabbing, recording video and sound, injecting code in web pages opened in browsers, and providing remote access via VNC to the infected computer for making transactions in online banking systems, Namestnikov said.
“The Web injection module is the main weapon – it gives attackers opportunity to bypass two-factor authentication based on different methods used by banks,” Namestnikov said. “Attackers can modify web pages opened in the victim's browser and insert additional fields or show different alerts like fake TAN/mTAN entry window.”
Although it is unclear who developed Chthonic, Namestnikov said that the malware is likely for sale and being used by multiple attackers because Kaspersky Lab has seen several botnets operating with different command-and-control servers and targeting financial groups in various parts of the world.
Banks in the U.K., Spain and the U.S. are being heavily targeted, but attackers are also going after financial groups in Russia, Japan and Italy, according to a breakdown included in a Thursday post. Namestnikov said he could not disclose the names of the banks, but he said that Alipay, Chronopay and Webmoney are among the payment systems being targeted.
The attackers, who are targeting indiscriminately, are infecting systems with Chthonic by first getting a downloader on the computer, Namestnikov said, explaining they do this by sending emails containing exploits – notably CVE-2014-1761 in Microsoft Office products – or through the Andromeda bot.
“The downloader does several checks to avoid executing in a test environment and if all checks are passed, it injects code into the system process and downloads [the] main payload,” Namestnikov said. “To avoid detection, the main payload is encrypted and is not a common executable file, but a set of sections that are mapped to memory by the downloader itself.”
To protect against threats such as Chthonic, Namestnikov recommended installing operating system and application updates regularly, not opening attached files from unknown senders, and using an internet security solution.