Eastern hackers use phishing-led APT to steal millions from banks

Malwarebytes senior security researcher Jerome Segura revealed the new Zeus variant, dubbed ZeusVM, in a 17 February blog post. Segura includes a screen shot that shows ZeusVM targeting the customers of dozens of well-known banks worldwide, including Lloyds, Barclays and Santander, as well as Wells Fargo and Deutsche Bank.

The malware works by embedding its money-stealing code inside attractive images, such as a beautiful sunset, that the victim inadvertently downloads. ZeusVM then kicks in when the user logs on to the website of one of the targeted banks, stealing the user's credentials and potentially emptying their online account of money.

Segura said: “It appears the intended targets were primarily Europeans due to the larger number of banks from the EU in the configuration file. But there were also other banks in New Zealand or South America, so the malware authors didn't want to exclude anybody. Perhaps they were just concentrating on certain areas where they had the most knowledge. However this is just a hypothesis.”

He added: “Hiding malevolent code in such a way can successfully bypass signature-based intrusion detection systems or even anti-virus software. From a webmaster point of view, images (especially ones that can be viewed) would appear harmless. It's a reminder that a file should not be considered safe simply because it appears to be a legitimate picture, song or movie.”

Meanwhile, Trustwave's Richard Wells said in a blog post of his own that he too had tracked down an attack that hid malware inside a picture file – a technique known as ‘steganography’.

The attacker infected an unnamed online store by planting malware inside one of the JavaScript files driving its customer checkout process. The malware was being used to harvest credit card details; it then disguised the encoded data inside what appeared to be a JPG file, before sending it back to the perpetrator.
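Both findings above rely on data that is stored in, or dressed up as, an ordinary image file. As an added defender's check (example code, not from the article, Malwarebytes or Trustwave), the Python below walks the JPEG segment table and the PNG chunk list to find where the image format says the file ends and returns whatever follows, which is how a payload simply appended to a picture shows up. The sample images and the appended string are constructed for the example; the check does not detect data hidden in the pixel values themselves.

```python
import struct
import zlib

def jpeg_end_offset(data: bytes):
    """Offset just past the JPEG EOI marker (FF D9), or None if not a well-formed JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                      # expected a marker here
        marker = data[pos + 1]
        if marker == 0xD9:                   # EOI before any scan data
            return pos + 2
        if marker == 0xDA:                   # SOS: FF D9 cannot occur inside entropy-coded data
            eoi = data.find(b"\xff\xd9", pos + 2)
            return None if eoi == -1 else eoi + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        # Skip sized segments (APPn, DQT, DHT, ...) so an EXIF thumbnail's own EOI is not mistaken for the end
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
    return None

def png_end_offset(data: bytes):
    """Offset just past the IEND chunk, or None if not a well-formed PNG."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        return None
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                   # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    return None

def trailing_bytes(data: bytes):
    """Bytes after the image's end marker (b'' if clean); None if the data is not a JPEG or PNG."""
    end = jpeg_end_offset(data)
    if end is None:
        end = png_end_offset(data)
    return None if end is None else data[end:]

# Constructed samples (not real malware): a minimal JPEG and PNG plus an appended string.
def _png_chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x04AB" + b"\xff\xda\x00\x02"   # SOI, APP0 segment, SOS
              + b"\x12\xff\x00\x56" + b"\xff\xd9")                         # entropy data (stuffed FF 00), EOI
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", b"\x00" * 13) + _png_chunk(b"IEND", b"")
APPENDED = b"<encrypted config or stolen card data>"
```

Any non-empty result is worth alerting on; an image a web server legitimately serves should end where its format says it ends.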

Wells said in his blog: “As attackers become more and more creative with the methods that they use to hide their malicious activity, it is critical that the owners and administrators of online shops are aware of what exactly is occurring on their servers. The need for file integrity monitoring (FIM) is greater than ever.

“If an attacker modifies a website's source code, a FIM solution could alert administrators to a compromise in progress and help to limit the amount of data that could be compromised.”

Security expert Richard Moulds, vice president of product strategy at Thales e-Security, said the two attacks underline the need for chip-and-PIN encryption of cardholder data, since regular PCs and servers can't be secured.

He told SCMagazineUK.com via email: “Although we hear relatively regularly of stolen cardholder data, we very rarely see stories of stolen PINs - we have a widespread solution for protecting this critical information.

“PINs are encrypted directly in the card reader as soon as they are entered by the shopper. They are only decrypted when absolutely necessary, and only in similarly hardened devices (hardware security modules – HSMs). Everything in between, including the point of sale terminal, only sees scrambled data which is useless to an attacker.

“Vulnerabilities such as those exposed by the Zeus banking Trojan have further highlighted the need for a complete shift in the IT mindset and the need for this type of approach to security.”

The Trojan family to which ZeusVM belongs is one of the most widely used in the world, having infected millions of Windows-based computers, mainly to steal online banking information. It is also used to install the notorious CryptoLocker ransomware. Zeus variants date back to at least 2007.