December 18, 2014

Chthonic malware: new strain of ZeuS trojan targeting banks

Trojan-Banker.Win32.Chthonic has hit over 150 different banks and 20 payment systems in 15 countries.

By Ellie Burns

A significant new malware threat targeting online banking systems and their customers has been uncovered by security analysts at Kaspersky Lab.

Identified as a new strain of the ZeuS Trojan, Trojan-Banker.Win32.Chthonic, or Chthonic for short, is known to have hit over 150 different banks and 20 payment systems in 15 countries.

Financial institutions in the UK, Spain, the US, Russia, Japan and Italy appear to be the main targets of the malware.

Abusing computer peripherals such as web cameras and keyboards, Chthonic steals online banking credentials, including saved passwords.

Computers can also be taken over remotely, giving the hackers the ability to command the infected computer to carry out transactions.

The main weapon of Chthonic is web injections. These enable the trojan to insert its own code and images into the bank pages loaded by the computer’s browser, allowing the attackers to get PINs, passwords, and phone numbers.

Victims are infected through web links or by email attachments with a .DOC extension that then open a backdoor for the malicious code.


The attachment contains a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products.

Once downloaded, malicious code that contains an encrypted configuration file is injected into the msiexec.exe process and a number of malicious modules are installed on the machine.
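The injection into msiexec.exe described above is the kind of behaviour endpoint telemetry can surface. The following detection is an added example, not code from the article or from Kaspersky: it scans constructed log lines loosely modelled on Sysmon Event ID 8 (CreateRemoteThread) fields and flags remote threads created in msiexec.exe by anything other than an assumed set of benign sources.

```python
"""Flag remote-thread injection into msiexec.exe in CreateRemoteThread-style logs.

Added example for illustration. The log format (whitespace-separated key=value
pairs with EventID, SourceImage, TargetImage, StartAddress) and the allowlist of
benign source processes are assumptions, not the article's data.
"""
import re

# Constructed sample telemetry: one self-thread, one process-create event,
# one injection from a file in a user's Temp folder, one OS-internal source.
SAMPLE_LOG = """\
EventID=8 SourceImage=C:\\Windows\\System32\\msiexec.exe TargetImage=C:\\Windows\\System32\\msiexec.exe StartAddress=0x7FF6A1B01000
EventID=1 Image=C:\\Windows\\System32\\msiexec.exe ParentImage=C:\\Windows\\System32\\services.exe
EventID=8 SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe TargetImage=C:\\Windows\\System32\\msiexec.exe StartAddress=0x00000000001A2B00
EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\msiexec.exe StartAddress=0x7FFB12345678
"""

FIELD = re.compile(r"(\w+)=(\S+)")
TARGET = "msiexec.exe"
# Assumed benign sources of remote threads in msiexec.exe; tune per environment.
ALLOWED_SOURCES = {"msiexec.exe", "csrss.exe"}


def parse(line: str) -> dict:
    """Turn one key=value log line into a dict (paths assumed space-free)."""
    return dict(FIELD.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_injections(log: str) -> list:
    """Return CreateRemoteThread events targeting msiexec.exe from non-allowlisted sources."""
    hits = []
    for line in log.splitlines():
        ev = parse(line)
        if ev.get("EventID") != "8":
            continue  # only remote-thread creation events matter here
        if basename(ev.get("TargetImage", "")) != TARGET:
            continue
        if basename(ev.get("SourceImage", "")) in ALLOWED_SOURCES:
            continue
        hits.append({"source": ev["SourceImage"], "target": ev["TargetImage"],
                     "start": ev.get("StartAddress")})
    return hits


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_LOG):
        print("suspicious remote thread:", hit)
```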

One known victim was a Japanese bank, where the malware was able to hide the bank’s warnings and instead inject a script allowing the attackers to carry out various transactions using the victim’s account.

A Russian bank saw the malware create completely fraudulent banking pages as soon as customers logged on. This was achieved by the Trojan creating an iframe containing a phishing copy of the website, sized to match the original window.

Fortunately, many code fragments used by Chthonic to perform web injections can no longer be used, because banks have changed the structure of their pages and in some cases, the domains as well.

"The discovery of Chthonic confirms that the ZeuS Trojan is still actively evolving. Malware writers are making full use of the latest techniques, helped considerably by the leak of the ZeuS source code. Chthonic is the next phase in the evolution of ZeuS," commented Yury Namestnikov, Senior Malware Analyst at Kaspersky Lab and one of the researchers who worked on the investigation of the threat.

"It uses Zeus AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the Andromeda downloader – to target ever more financial institutions and innocent customers in ever more sophisticated ways."

"We believe that we will undoubtedly see new variants of ZeuS in the future, and will continue to track and analyse every threat to stay one step ahead of the cybercriminals."
