There was no shortage of verified Zeus malware campaigns reported by this blog in early 2014, but by the end of the year, it seemed like Zeus may have become a thing of the past. Apparently, however, that is not the case at all. An improved version of the notorious banking Trojan has been spotted in the wild that is just different enough from the original malware to avoid detection by popular antivirus products. This new version of Zeus targets Canadian banks including the Bank of Montreal, Royal Bank of Canada, and National Bank of Canada (the largest banks in the country).
Although this malware variant is coded specifically for Canadian targets, Zeus has been used extensively by hackers to target victims in the United States, something security experts fear could happen again in the wake of the early successes of the Canadian attack. Unlike many traditional banking Trojans, Zeus doesn’t just target victims’ login credentials. Rather, Zeus injects rogue forms into the Web browser that completely replace the legitimate login screens of the banks in question.
The personal information gathered by this Zeus variant includes answers to security questions, debit and credit card numbers, social security numbers, driver’s license information, and anything else the hackers need (using a control panel, hackers can change the information requested on the rogue pages with just a few mouse clicks).
The slight changes made to this version of Zeus mean that the malware is undetectable using standard antivirus tools. The Trojan also bypasses SSL browser security because it is installed only on the endpoint device: it modifies pages inside the browser, after the SSL connection has already been decrypted. This allows the malware to inject fake webpages into the browser without breaking the SSL connection to the bank and triggering a security alert.
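Because the injection happens inside the browser, neither the bank’s server nor the SSL session can see it; what can see it is a page-integrity check that compares the input fields actually rendered against the fields the bank knows it served. The following is an added example (not code from the original post or from any bank), written in Python as a stand-in for such a check; the baseline field set, the sensitive-field hints and the two sample pages are all constructed for illustration.

```python
"""Flag a login form that has been altered by a man-in-the-browser inject."""
from html.parser import HTMLParser

# Fields the genuine login form is known to contain (constructed baseline).
EXPECTED_FIELDS = {"username", "password", "csrf_token"}

# Name fragments a real login page never asks for (constructed list); an
# inject that harvests SSNs, card data or security answers tends to use them.
SENSITIVE_HINTS = ("ssn", "social", "card", "cvv", "pin", "security_answer", "license")


class FormFieldCollector(HTMLParser):
    """Collect the name attribute of every <input> in the rendered page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name.lower())


def check_form(html, expected=EXPECTED_FIELDS):
    """Compare rendered fields with the baseline and return a verdict dict."""
    parser = FormFieldCollector()
    parser.feed(html)
    present = set(parser.fields)
    unexpected = sorted(present - expected)
    missing = sorted(expected - present)
    sensitive = sorted(f for f in unexpected if any(h in f for h in SENSITIVE_HINTS))
    if sensitive:
        verdict = "injected"      # asks for data the bank never requests
    elif unexpected or missing:
        verdict = "suspect"       # form shape differs from what was served
    else:
        verdict = "clean"
    return {"unexpected": unexpected, "missing": missing,
            "sensitive": sensitive, "verdict": verdict}


# Constructed sample pages: the genuine form, and an injected replacement
# that drops the CSRF token and adds fields for card and identity data.
CLEAN_PAGE = ('<form action="/login" method="post"><input name="username">'
              '<input type="password" name="password">'
              '<input type="hidden" name="csrf_token" value="t0k"></form>')
INJECTED_PAGE = ('<form action="/login" method="post"><input name="username">'
                 '<input type="password" name="password"><input name="SSN">'
                 '<input name="card_number"><input name="cvv">'
                 '<input name="security_answer_1"></form>')

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, check_form(page))
```

A real deployment would run the equivalent comparison in the bank’s own page script and report the result to the server, since the server cannot observe the client-side change on its own.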
After examining the control panel used to administer this campaign, it becomes clear that this version of Zeus could prove to be more dangerous than previous versions. The improved control panel allows a hacker to easily configure each attack using an intuitive graphical interface that almost anyone could use without coding or hacking experience. Hackers can specify the destination bank account where stolen funds should be transferred, calculate the profit percentage for mules (people who receive the stolen funds prior to forwarding them to the attacker), and even set minimum and maximum balances for targeted accounts.
In other words, a few tweaks to the code and a powerful backend control panel have brought Zeus back into the spotlight as a dangerous malware threat in 2015.
Since Zeus is not detectable by modern antivirus tools, the best way to avoid this threat is to remain vigilant while conducting online banking transactions. Remember that your financial institution will never ask for your social security number, debit and credit card numbers, or other sensitive information. Also, ensuring your PC has all the latest OS and application updates installed reduces the chances of a Zeus installation via drive-by download.