
Hackers target Ukrainian software company to spread the notorious Zeus banking trojan

Written by Cameron Davies, Jan 06, 2018

However, researchers noted that the hackers did not compromise the company's update servers or have the same level of access observed in the earlier Nyetya compromise.

In this attack, malware-laden emails were sent out carrying a ZIP archive that contained a JavaScript file functioning as a malware downloader. Once opened, the JavaScript executes and causes the system to retrieve the malware payload, run it, and infect the system with a variant of the Zeus banking trojan.
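The lure described above is a ZIP attachment whose payload is a script file rather than a document. The following is an added example of a defender-side triage check for that pattern; it is not code from Cisco Talos or from the article. It inspects a ZIP's member names for script extensions that Windows Script Host executes on double-click and for double extensions such as `invoice.pdf.js`. The archive it analyses is constructed in memory, and the extension list and the `quarantine` verdict are this example's assumptions, not indicators from the campaign.

```python
"""Triage a ZIP e-mail attachment and flag script-type members.

Added example for illustration; not code from Cisco Talos or the article.
The sample archive is constructed in memory, and the extension list is an
assumed policy, not an indicator from the campaign.
"""
import io
import zipfile

# Extensions that Windows Script Host or mshta will execute on double-click.
# Assumed list; extend to match local policy.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def triage_zip(data: bytes) -> dict:
    """Summarise a ZIP attachment: whether it is a valid archive, which
    members look like scripts, and which of those hide behind a benign-looking
    inner extension (e.g. 'invoice.pdf.js')."""
    result = {"valid_zip": False, "members": [], "script_members": [],
              "double_extension": [], "verdict": "clean"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP at all; leave verdict to other checks
    result["valid_zip"] = True
    for info in zf.infolist():
        name = info.filename
        result["members"].append(name)
        # Split only the final path component so directories do not confuse us
        parts = name.lower().rsplit("/", 1)[-1].split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in SCRIPT_EXTENSIONS:
            result["script_members"].append(name)
            if len(parts) > 2:  # 'invoice.pdf.js' -> ['invoice', 'pdf', 'js']
                result["double_extension"].append(name)
    if result["script_members"]:
        result["verdict"] = "quarantine"
    return result


def build_sample_zip() -> bytes:
    """Constructed sample resembling the described lure: a ZIP carrying a
    small JScript file. The script body is an inert placeholder, not the
    campaign's downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2018.pdf.js", "// placeholder script body\n")
        zf.writestr("readme.txt", "constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

The check deliberately keys on member names rather than content: a mail gateway can apply it before any decompression of member data, and a script extension inside an archive is reason enough to hold the message regardless of what the script does.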

One of the domains used to host the malware was associated with CFM's website, researchers noted. The site has also been observed distributing the PSCrypt ransomware, an aggressive strain of malware that heavily targeted Ukrainian users last year.

Since the source code for version 2.0.8.9 of the ZeuS trojan was leaked in 2011, other threat actors have taken inspiration from the malicious code and incorporated it in multiple other banking trojans.

"Talos was able to identify significant code reuse between the malware being distributed by this campaign and the leaked version of the ZeuS source code," researchers said. "Once executed on systems, the malware performs several actions to determine whether it is being executed in a virtualized sandbox environment.

"In cases where the malware does not detect it is operating in a sandbox environment, it then takes steps to achieve persistence on infected systems."


The malware even creates a registry entry on an infected system to make sure the malicious code is executed every time the compromised device is restarted.

Once the system is infected, the malware tries to reach out to different command and control (C&C) servers.

"When Talos began researching the threat we found that one of the domains was already being sinkholed, one was being controlled by the bad actors, and the third was not yet registered," researchers said.

Most systems infected by the malware were located in Ukraine and the United States, researchers found. The most heavily affected ISP was that of PJSC Ukrtelecom - the company governed by Ukraine's Ministry of Transportation and Communications.

[Figure: Regions affected by the new variant of the Zeus banking trojan. Source: Cisco Talos]

"In total, our sinkhole logged 11,925,626 beacons from 3,165 unique IP addresses, which demonstrates the size of the spread of this particular malware," researchers said.
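The beacon and unique-IP counts quoted above are the kind of aggregate a sinkhole operator derives from its request log. The following is an added example of that aggregation, not Talos' sinkhole tooling, and it goes one step further than the figures in the text: for each source it measures how regular the gap between check-ins is, which separates hosts polling a C&C domain on a timer from one-off probes and scanners. The log format, the sample lines and the jitter tolerance are all constructed for this example.

```python
"""Aggregate sinkhole beacon logs and flag timer-driven sources.

Added example, not Talos' sinkhole tooling. Log format, sample lines and the
jitter tolerance are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: "<ISO timestamp> <source IP> <requested host>".
# Addresses are from documentation ranges; the host name is a placeholder.
SAMPLE_LOG = """\
2018-01-03T10:00:00Z 203.0.113.5 c2-placeholder.example
2018-01-03T10:05:01Z 203.0.113.5 c2-placeholder.example
2018-01-03T10:10:00Z 203.0.113.5 c2-placeholder.example
2018-01-03T10:15:02Z 203.0.113.5 c2-placeholder.example
2018-01-03T10:02:00Z 198.51.100.7 c2-placeholder.example
2018-01-03T11:47:13Z 198.51.100.7 c2-placeholder.example
2018-01-03T12:00:00Z 192.0.2.9 c2-placeholder.example
"""


def parse_log(text: str) -> dict:
    """Map each source IP to a sorted list of beacon timestamps."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _host = line.split()
        hits[ip].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    for ip in hits:
        hits[ip].sort()
    return hits


def summarize(hits: dict, jitter_tolerance: float = 0.1) -> dict:
    """Return total beacons, unique sources, and the sources whose
    inter-beacon intervals stay within jitter_tolerance of their median,
    i.e. look like a scheduled check-in rather than ad-hoc traffic."""
    total = sum(len(v) for v in hits.values())
    periodic = []
    for ip, times in hits.items():
        if len(times) < 3:
            continue  # need at least two intervals to judge regularity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        spread = max(abs(g - med) for g in gaps)
        if med > 0 and spread / med <= jitter_tolerance:
            periodic.append((ip, med))
    return {"beacons": total, "unique_ips": len(hits), "periodic": periodic}


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

On the constructed log the first source checks in every five minutes with a second or two of drift and is reported as periodic with a 301-second median interval; the other two sources have too few hits to judge. Against a real sinkhole log the periodic list is the set worth notifying ISPs about first, since it is the population most likely to be running the implant rather than merely probing the domain.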

"As we saw repeatedly throughout 2017, attackers are increasingly attempting to abuse the trust relationship between organizations and their trusted software manufacturers as a means of obtaining a foothold within the environments they are targeting. As organizations deploy more effective security controls to protect their network environments attackers are continuing to refine their methodologies."
