The Zeus malware has re-emerged and is being used by criminals to steal financial information, according to IT security company Trend Micro.
The firm claims the malware has re-appeared amidst a spike in numbers of active threats in the wild and has predicted that this year will be characterised by slightly modified old threats resurfacing, with new features added in order to avoid detection and infect more systems.
Peddling stolen banking information is a lucrative business in the underground market
The Zeus or ZBOT variants began to increase from the beginning of February, according to Trend Micro's Jay Yaneza.
"ZBOTvariants surged in the beginning of February and continued to be active up to this month. It even peaked during the middle of May 2013. The malware is designed to steal online credentials from users, which can be banking information or other personally identifiable information (PII)," said Yaneza in a blog post.
Yaneza warned that this variant of the Zeus malware was now more dangerous as it uses advanced techniques to avoid detection by security systems.
"ZBOTmalware of this generation are found to be mostly either Citadel or GameOver variants. Unlike earlier versions, the mutex name is randomly generated," said Yaneza.
"Both variants send DNS queries to randomised domain names. The difference in GameOver variant is that it opens a random UDP port and sends encrypted packets before sending DNS queries to randomised domain names. Zbot malware connects to a remote site to download its encrypted configuration file."
He said that these configuration files contain banks and other financial institutions that ZBOTs monitor in browsers.
"Since configuration files are downloaded from remote sites, the contents of these files may change any time. Malicious actors can change the list of sites they want to monitor on the affected system."
The firm said that there are ways to stop the Zeus malware in its tracks.
"There are several avenues for detecting ZBOT variants. First, as the malware tries to write to the registry Userinit' entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Secondly, detecting the call-back routine to the remote site upon execution, as it acquires its configuration file," he said.
Yaneza said that old threats like ZBOT can always make a comeback because cybercriminals profit from these. "Peddling stolen banking and other personal information from users is a lucrative business in the underground market," he said. "It is important to be careful in opening email messages or clicking links. Bookmark trusted sites and avoid visiting unknown ones."
-
Cleo attack victim list grows as Hertz confirms customer data stolenNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
Lateral moves in tech: Why leaders should support employee mobilityIn-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
-
Exploitation of Docker remote API servers has reached a “critical level”News Hackers are targeting Docker’s remote access API as it allows them to pivot from a single container to the host and deploy malware with ease
-
Cyber criminal underground “thriving” as weekly attacks surge by 75% in Q3 2024Cyber attacks reached another all-time high this quarter as digital crime continues to be a highly profitable industry for threat actors
-
Alarm raised over patched Phemedrone Stealer malware that's being used to target Windows PCs - here's what you need to knowNews Phemedrone Stealer is being used to exploit a vulnerability in Windows Defender SmartScreen despite the issue being patched in November 2023
-
SOC modernization and the role of XDRWhitepaper Automate security processes to deliver efficiencies across IT
-
Uncovering the ransomware threat from global supply chainsWhitepaper Effectively mitigate ransomware risk
-
The near and far future of ransomware business modelsWhitepaper Discover how criminals use ransomware as a cyberweapon
-
Trend Micro security predictions for 2023Whitepaper Prioritise cyber security strategies on capabilities rather than costs
-
'Potentially unsecured' SMBs are propping up an IT supply chain riddled with ransomwareNews More than half of IT supply chains have been impacted by ransomware attacks in recent years and organisations are failing to implement the necessary steps to prevent future damage
