A significant new malware threat targeting online banking systems and their customers has been uncovered by security analysts at Kaspersky Lab.
Identified as a new strain of the ZeuS Trojan, Trojan-Banker.Win32.Chthonic, or Chthonic for short, is known to have hit over 150 different banks and 20 payment systems in 15 countries.
Financial institutions in the UK, Spain, the US, Russia, Japan and Italy appear to be the main targets of the malware.
Exploiting computer functions such as web cameras and keyboards, Chthonic steals online banking credentials such as saved passwords.
Computers can also be taken over remotely, giving the hackers the ability to command the infected computer to carry out transactions.
The main weapon of Chthonic is web injections. These enable the trojan to insert its own code and images into the bank pages loaded by the computer’s browser, allowing the attackers to get PINs, passwords, and phone numbers.
Victims are infected through web links or by email attachments carrying a document .DOC extension that then establishes a backdoor for malicious code.
The attachment contains a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products.
Once downloaded, malicious code that contains an encrypted configuration file is injected into the msiexec.exe process and a number of malicious modules are installed on the machine.
One known victim was a Japanese bank, where the malware was able to hide the bank’s warnings and instead inject a script allowing the attackers to carry out various transactions using the victim’s account.
A Russian bank saw the malware create completely fraudulent banking pages as soon as the customers logged on. This was achieved by the Trojan creating an iframe with a phishing copy of the website that has the same size as the original window.
Fortunately, many code fragments used by Chthonic to perform web injections can no longer be used, because banks have changed the structure of their pages and in some cases, the domains as well.
"The discovery of Chthonic confirms that the ZeuS Trojan is still actively evolving. Malware writers are making full use of the latest techniques, helped considerably by the leak of the ZeuS source code. Chthonic is the next phase in the evolution of ZeuS." Commented Yury Namestnikov, Senior Malware Analyst at Kaspersky Lab and one of the researchers who worked on the investigation of the threat.
"It uses Zeus AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the Andromeda downloader – to target ever more financial institutions and innocent customers in ever more sophisticated ways."
"We believe that we will undoubtedly see new variants of ZeuS in the future, and will continue to track and analyse every threat to stay one step ahead of the cybercriminals."