U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

News Zeus shows significant a evolution in the criminal ecosystem

Researchers at SentinelOne have discovered a strain of the Zeus malware that includes a very sophisticated control panel and evasion techniques. Malware researchers at SentinelOne  have spotted a new Zeus variant that was used to target major Canadian banks, including the National Bank of Canada, the Bank of Montreal and the Royal Bank of Canada. […]

News Zeus shows significant a evolution in the criminal ecosystem

Researchers at SentinelOne have discovered a strain of the Zeus malware that includes a very sophisticated control panel and evasion techniques.

Malware researchers at SentinelOne  have spotted a new Zeus variant that was used to target major Canadian banks, including the National Bank of Canada, the Bank of Montreal and the Royal Bank of Canada.

The researcher Anton Ziukin explained that also this variant of Zeus relies on Web injection mechanisms to create pages used by threat actors to steal victim’s banking credentials and other personal information that could be offered for sale in the underground market. In the specific case, the malware displays victims a phishing page that reproduces the login form for their online banking services.

“This attack continues a growing trend in banking malware that goes beyond simply targeting the victim’s login credentials (i.e. their username and password) and injects pages to steal a wealth of personal information including answers to security questions, debit and credit card numbers, social security number, driver license number and more. While some of this information can be used to commit online banking fraud, the other personal data can be used for different crimes including healthcare fraud, opening credit accounts in victim’s names, etc. It could even be used in spear phishing attacks to target individuals within enterprises and government agencies in order to breach secure networks.” Ziukin reports in a blog post.

The phishing page proposed by the new Zeus variant also instructed victims to provide their personal data, including ATM PIN, and credit/debit card details, social insurance number and date of birth.

new Zeus variant

This new strain of Zeus malware is not detected by several antivirus, besides it also bypasses SSL browser security because the malicious code is installed on the endpoint and relies on Man-In-The-Browser technique to direct inject its web content in the victim’s browser.

“Since the malware is installed on the endpoint device it can inject fake webpages into the browser without breaking the SSL connection to the bank’s server and generating a security alert. Predictive execution technology that monitors activity on the endpoint device is the only way to detect and block these attacks, and protect personal information from getting into the hands of criminals.” continues the post.

The experts accessed the control panel of the new Zeus botnet noting its high level of sophistication. The control panel includes detailed information on each of the compromised bank accounts, in fact it reports balance, login status, and Web browser used by the victim.

new Zeus variant 2

The panel also includes a “Drop” form used to customize the attacks, for example, cyber criminals can specify the destination bank account to transfer stolen funds and the percentage to release the money Mule before transferring the balance to the attacker.

“This glimpse into the criminal underground demonstrates the sophistication of the tools being used by criminal gangs to conduct banking and other forms of online fraud. Building, executing and monetizing advanced attacks is easier and more affordable than ever before,” SentinelOne’s Anton Ziukin said in a blog post.

It is even more simple for cyber criminals to arrange scams and conduct illegal activities thanks the offer in the cyber criminal ecosystem, for example recently researchers at IBM Trusteer discovered a new toolkit dubbed KL-Remote that allows criminals to run Remote Overlay Attacks without specific skills.

Stay Tuned …

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – online banking, Zeus)

[adrotate banner=”5″]

[adrotate banner=”13″]