New Zeus Banking Trojan Cripples Major Banks

New Zeus Banking Trojan Cripples Major Banks

 Russian Hackers Attack And Loot Several Banks

The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials.

The attack took aim at Citigroup’s Citibank subsidiary, which includes its North American retail bank and other businesses. It couldn’t be learned whether the thieves gained access to Citibank’s systems directly or through third parties.

The attack underscores the blurring of lines between criminal and national-security threats in cyber space. Hackers also assaulted two other entities, at least one of them a U.S. government agency, said people familiar with the attack on Citibank.

The Citibank attack was detected over the summer, but investigators are looking into the possibility the attack may have occurred months or even a year earlier. The FBI and the National Security Agency, along with the Department of Homeland Security and Citigroup, swapped information to counter the attack, according to a person familiar with the case. Press offices of the federal agencies declined to comment…

Chenghiz Singh:  There is not enough information to determine whether the hack   used an inside mole or was a breach of   customer bank accounts by compromising windows computers used by  these customers. It is likely that customer Windows machines infested with trojans stole sensitive information such as SSL certificates to gain access to bank accounts. Russian hackers are experts in botnet technology. Windows is not particularly swift in the security arena (so says unixgurl).

New Zeus Malware on the Rise


In the case of ZeusVM the code is hidden in the JPEG Images steganographically. The trojan ZeusVm than uses this retrieve its configuration files and perpetrate. Jerome Segura further explains that”The JPEG contains the Malware configuration file, which is essentially a list of scripts and financial institutions – but doesn’t need to be opened by the victim themselves. The JPEG itself has very little visibility to the user and is largely a cloaking technique to ensure it is undetected from a security software standpoint”.

ZeusVm Trojan allows man-in-the-middle attack in which attacker can not be traced easily. An attacker can obtain sensitive information by altering a Login page using WebInjects. Segura says that Visiting Banking related websites may activate the ZeusVM 2014 malware .
Segura Furthur explains that ZeusVm Trojan is executable, and copies itself deep within the computer like other replicating Viruses, ZeusVM can also easily communicate with the command-and-server when it finds network and it can also reactivate (auto restart) itself when computer  reboots.
Bank of America Malware
Bank of America Malware
This Malware can be distributed in many ways but the spread is majorly through phishing emails or web based attacks.  This Malware can also be spread via Malvertising, which involves websites hosting ads that spread Malware. Malvertising is the best method for spreading such Malwares because in case of websites, the malware gets ready made host which is always online.   The moment the malware injects itself into the advertising, it can go viral by the amount of clicks it generates.  The malvertising ads can then spread Malware through the internet traffic which the hacker/attacker may obtain through ethical means (search engines) or through illicit means (phishing mails/spam links/spam comments).
Segura has started more research on into this Trojan and to show the difference between the original image and the Steganographed image. In a Blog post he showed two images which looked exactly same but when he showed his result of viewing the images in Bitmap mode and in a hexadecimal viewer the difference of both images was clearly visible.
Segura wrote in the post that to make identification more difficult the appended data is encrypted with Base64, RC4. To decode you can reverse the file with a debugger such as OllyDbg and grab description Routine.

Leave a Reply