The Hacker News Logo
Subscribe to Newsletter

Beware of Zeus Banking Trojan Signed With Valid Digital Signature

banking malware
A new dangerous variant of ZeuS Banking Trojan has been identified by Comodo AV labs which is signed by stolen Digital Certificate which belongs to Microsoft Developer to avoid detection from Web browsers and anti-virus systems.

Every Windows PC in the world is set to accept software "signed" with Microsoft's digital certificates of authenticity, an extremely sensitive cryptography seal.

Cyber Criminals somehow managed to hack valid Microsoft digital certificate, used it to trick users and admins into trusting the file. Since the executable is digitally signed by the Microsoft developer no antivirus tool could find it as malicious.

Digitally signed malware received a lot of media attention last year. Reportedly, more than 200,000 unique malware binaries were discovered in past two years signed with valid digital signatures.

A Comodo User submitted a sample of the malicious software that attempts to trick user by masquerading itself as file of Internet Explorer and having a valid signature issued to “isonet ag”.

On execution, the malicious file get installed without any antivirus detection and also tried to download rootkit components from:
  • lovestogarden.com/images/general/TARGT.tpl
  • villaveronica.it/images/general/TARGT.tpl
Zeus is one of the oldest families of financial malware, but this new highly sophisticated variant of Zeus Trojan blessed with legitimate way to bypass security checks and launching attacks to obtain the Banking login credentials of victims and committing financial frauds.

The Comodo Team found over 200 unique hits for new variant of this Zeus distributed over mass computers via infected web pages or phishing mail attacks.

JUST BEHIND YOUR WEB BROWSER
Typically, Zeus malware triggers a Man-In-Browser (MitB) attack and allows the hacker to establish a remote session in order to intercept the actions performed by the victim.

"If the attack victim goes to an online banking site to perform a transaction, such as transferring funds, they see everything as occurring normally. The payment information they keyed will display as expected, but behind the scenes the hackers will alter the transaction and send it to another account with possibly a larger amount." researchers explained.
There are three components of Zeus to launch an attack:
  1. Downloader: Once the malware will get installed via online vulnerability or as an attachment in a phishing email, it will download the rootkit and malware component of the attack.
  2. Malware: It is a stealer that will steal valuable user data, login credentials, credit card info, etc.
  3. Rootkit: This component will hide the installed malware via protecting it from detection and removal. The rootkit is installed by decrypting the downloaded file into the “Boot Bus Extender” so that it gets loads prior to any driver and this makes it hard to remove as well.
To protect malicious components and auto-run entries from being deleted by antivirus software 'After decrypting downloaded payload, the rootkit is installed within “Boot Bus Extender” to make sure it loads before other drivers.' researchers explained.

HOW TO KICK ZEUS ASS
We have noticed an increase in this trend of signed malware. Windows users are recommended to Install a best Internet Security Tool and Configure the firewall to maximize the security of their computer system. Don’t open the links sent to you in mails from unknown sources.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.