Thursday, January 27, 2022

Researchers Discover Zeus Variant With New Spreading Features

The Zeus banking Trojan has been around since early 2007, and its many strains went on to perform man-in-the-middle (MitM) attacks, log keystrokes and grab data entered into online forms.

It is usually spread via exploit kits (drive-by downloads), phishing campaigns and social media, but Trend Micro researchers have recently come across a variant that employs an additional spreading vector: removable drives.

In this instance, the spyware is initially delivered via a PDF exploit disguised as a sales invoice.

Potential victims who open the file in Adobe Reader are shown only a notification saying that it cannot be opened because “use of extended features is no longer available.”

The malware then contacts its command and control (C&C) servers to download an updated copy of the executable, if one is available. Immediately afterwards it checks whether any removable drives are connected to the computer; on each one it finds, it drops a copy of itself into a hidden folder it creates on the drive and places a shortcut pointing to that copy, so that a user browsing the drive and clicking the shortcut launches the malware on the next machine.
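The hidden-folder-plus-shortcut pattern described above is easy to check for on a mounted drive. The following scanner is an added example written for this article, not code from Trend Micro or from the malware analysis; it flags executables inside hidden top-level folders and root-level .lnk files whose embedded target path names such a folder. The folder name `.sys_cache`, the drive letter `E:` and the minimal .lnk stand-in in `build_sample_drive` are constructed for the demonstration and are not taken from the variant's real artifacts.

```python
import stat
import tempfile
from pathlib import Path

# Extensions worth flagging when found inside a hidden top-level folder.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Fixed 20-byte prefix of every Windows .lnk file: HeaderSize 0x4C followed by
# the ShellLink CLSID {00021401-0000-0000-C000-000000000046} in GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def is_hidden(path: Path) -> bool:
    """Hidden by dot-prefix (POSIX) or FILE_ATTRIBUTE_HIDDEN (Windows stat())."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))


def shortcut_references(lnk_bytes: bytes, name: str) -> bool:
    """Heuristic: a .lnk stores its target as ANSI (LinkInfo) and/or UTF-16LE
    (StringData), so look for the folder name in both encodings."""
    return (lnk_bytes.startswith(LNK_MAGIC)
            and (name.encode("ascii", "ignore") in lnk_bytes
                 or name.encode("utf-16-le") in lnk_bytes))


def scan_drive(root) -> list:
    """Return (finding_type, detail) pairs for the hidden-folder/shortcut pattern."""
    root = Path(root)
    findings = []
    hidden_dirs = [p for p in root.iterdir() if p.is_dir() and is_hidden(p)]
    for d in hidden_dirs:
        for f in d.rglob("*"):
            if f.is_file() and f.suffix.lower() in EXEC_EXTS:
                # An MZ header means a real PE, not just a suspicious extension.
                kind = "hidden_pe_executable" if f.read_bytes()[:2] == b"MZ" else "hidden_executable"
                findings.append((kind, f.relative_to(root).as_posix()))
    for lnk in root.iterdir():
        if not (lnk.is_file() and lnk.suffix.lower() == ".lnk"):
            continue
        data = lnk.read_bytes()
        for d in hidden_dirs:
            if shortcut_references(data, d.name):
                findings.append(("shortcut_to_hidden_dir", f"{lnk.name} -> {d.name}"))
    return findings


def build_sample_drive(root) -> None:
    """Constructed sample (not real malware): a hidden folder holding an MZ-stub
    'executable' and a root-level shortcut whose target path names that folder."""
    root = Path(root)
    hidden = root / ".sys_cache"               # hypothetical folder name
    hidden.mkdir()
    (hidden / "invoice.exe").write_bytes(b"MZ" + b"\0" * 62)
    target = "E:\\.sys_cache\\invoice.exe"       # hypothetical drive letter
    # Stand-in for a .lnk: genuine header magic padded to the 0x4C-byte header,
    # then the target path as LinkInfo (ANSI) and StringData (UTF-16LE) would carry it.
    body = LNK_MAGIC + b"\0" * 56 + target.encode("ascii") + b"\0" + target.encode("utf-16-le")
    (root / "Invoice.lnk").write_bytes(body)
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0")   # benign file, must not be flagged


def demo() -> dict:
    """Scan a constructed infected drive and a clean one; return both result lists."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        build_sample_drive(infected)
        (Path(clean) / "report.pdf").write_bytes(b"%PDF-1.4")
        return {"infected": scan_drive(infected), "clean": scan_drive(clean)}


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, hits or "no findings")
```

To use it on a real drive, call `scan_drive("E:\\")` (or the mount point on Linux). The shortcut check is deliberately a byte search rather than a full ShellLink parse: it survives the unusual LinkInfo layouts some droppers emit, at the cost of a false positive if a legitimate shortcut happens to mention the hidden folder's name, so treat a hit as a lead to confirm by hand, not a verdict.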


About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing.
