New and Improved Zeus Trojan Makes its 2015 Debut

There was no shortage of verified Zeus malware campaigns reported by this blog in early 2014, but by the end of the year it seemed that Zeus might have become a thing of the past. That is apparently not the case at all. An improved version of the notorious banking Trojan has been spotted in the wild that is just different enough from the original malware to avoid detection by popular antivirus products. This new version of Zeus targets Canadian banks including the Bank of Montreal, Royal Bank of Canada, and National Bank of Canada (the largest banks in the country).

Although this malware variant is coded specifically for Canadian targets, Zeus has been used extensively by hackers to target victims in the United States, something security experts fear could happen again in the wake of the early successes of the Canadian attack. Unlike many traditional banking Trojans, Zeus doesn’t just target victims’ login credentials. Rather, Zeus injects rogue forms into the Web browser that completely replace the legitimate login screens of the banks in question.

The personal information gathered by this Zeus variant includes answers to security questions, debit and credit card numbers, Social Security numbers, driver’s license information, and anything else the hackers need (using a control panel, hackers can change the information requested on the rogue pages with just a few mouse clicks).

The slight changes made to this version of Zeus mean that the malware is undetectable using standard antivirus tools. The Trojan also bypasses SSL browser security because it runs inside the browser on the infected endpoint rather than intercepting traffic in transit. This allows the malware to inject fake webpages into the browser without breaking the SSL connection to the bank and triggering a security alert.
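One way a bank’s fraud team (or an analyst triaging a suspected infection) can spot this kind of web inject is to compare the form fields the browser actually renders against the fields the legitimate login page is known to contain: the TLS session is intact, so the only place the tampering is visible is the page the user sees. The example below is added here and is not code from the original post or from any bank or vendor; the baseline field names and the two sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

# Fields a legitimate online-banking login form is expected to contain.
# Constructed baseline for illustration; a real deployment would derive it
# from the bank's own page template.
EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf_token"}

class FormFieldCollector(HTMLParser):
    """Collect the 'name' attribute of every input/select/textarea in the page."""
    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.add(name.lower())

def collect_form_fields(html: str) -> set:
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields

def find_injected_fields(html: str, expected=EXPECTED_LOGIN_FIELDS) -> set:
    """Return input names present in the rendered page but absent from the baseline.
    Unexpected fields asking for card numbers, SSNs or security-question answers
    are the signature of a man-in-the-browser web inject; the legitimate
    server never sent them, so the difference is visible only in the DOM."""
    return collect_form_fields(html) - expected

# Constructed sample: a clean login page and the same page altered by a web inject.
CLEAN_PAGE = """<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc">
</form>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</form>", """
  <input type="text" name="card_number">
  <input type="text" name="ssn">
  <input type="text" name="security_answer">
</form>""")

if __name__ == "__main__":
    print("clean page extra fields:", find_injected_fields(CLEAN_PAGE))
    print("injected page extra fields:", sorted(find_injected_fields(INJECTED_PAGE)))
```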


After examining the control panel used to administer this campaign, it becomes clear that this version of Zeus could prove more dangerous than previous versions. The improved control panel allows a hacker to configure each attack through an intuitive graphical interface that almost anyone could use without coding or hacking experience. Hackers can specify the destination bank account to which stolen funds should be transferred, set the profit percentage for mules (people who receive the stolen funds before forwarding them to the attacker), and even set minimum and maximum balances for targeted accounts.

In other words, a few tweaks to the code and a powerful backend control panel have brought Zeus back into the spotlight as a dangerous malware threat in 2015.

Since Zeus is not detectable by modern antivirus tools, the best way to avoid this threat is to remain vigilant while conducting online banking transactions. Remember that your financial institution will never ask for your Social Security number, debit and credit card numbers, or other sensitive information on a login page. Also, ensuring your PC has all the latest OS and application updates installed reduces the chances of a Zeus installation via drive-by download.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
