November 16, 2010 By Amit Klein 3 min read

We’re all familiar with Zeus, the king of financial malware. Infamous for targeting banks, credit unions and financial institutions, Zeus malware silently steals password and account information from customers of these institutions and uses their credentials to execute fraudulent money transfers.

A lesser known fact is that Zeus now also targets and attacks companies. Once Zeus is installed on a victim’s machine, it fetches a configuration file from one of its command and control servers. The file instructs Zeus on which websites and applications to target, which information to steal and how to steal it. This information is encrypted and is usually hard to capture. As part of our ongoing research, we capture and decrypt Zeus configurations to study them. Some of the Zeus 2.0 configurations we recently decrypted include the following code:

<FilterUrl><![CDATA[@*/citrix/*]]></FilterUrl><FilterUrl><![CDATA[@*citrix*]]></FilterUrl>

In English, these entries tell Zeus the following. The leading “@” means “capture a screenshot of the area around the mouse pointer whenever the left button is clicked.” The mask that follows says when the rule applies: “*” matches any run of characters, so “*/citrix/*” fires whenever the browser’s address bar contains the path segment “/citrix/”, and the second, broader mask “*citrix*” fires whenever the string “citrix” appears anywhere in the URL, including the hostname. Together, the two lines instruct Zeus to take a screenshot at every left click while the user is on a page whose URL mentions Citrix.
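To make the matching concrete, here is an added example (not code from the article and not Zeus’s own code) that parses FilterUrl entries out of a decrypted configuration dump and evaluates which URLs would trigger a screenshot on click. It models only what the snippet above shows: the “@” prefix and the “*” wildcard. The case-insensitive, whole-URL matching, the sample configuration string, and the test URLs are assumptions constructed for the example. A defender can run the same matcher over their own VPN portal URLs to see whether a captured configuration targets them.

```python
"""Match URLs against Zeus-style <FilterUrl> masks (illustrative reconstruction).

Added example: not Zeus code and not from the original article. It models only
what the quoted snippet shows: a "@" prefix meaning "screenshot around the
pointer on left click" and "*" as a wildcard in the URL mask. Case-insensitive,
whole-URL matching is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed input: the two FilterUrl entries quoted in the article, as they
# appear in the decrypted Zeus 2.0 configuration dump.
SAMPLE_CONFIG = (
    "<FilterUrl><![CDATA[@*/citrix/*]]></FilterUrl>"
    "<FilterUrl><![CDATA[@*citrix*]]></FilterUrl>"
)


@dataclass(frozen=True)
class UrlFilter:
    mask: str           # mask with any prefix stripped, e.g. "*/citrix/*"
    screenshot: bool    # True when the mask carried the "@" prefix
    regex: re.Pattern   # compiled form of the mask


def mask_to_regex(mask):
    """Turn a Zeus-style URL mask into a regex: '*' -> '.*', all else literal."""
    pattern = ".*".join(re.escape(part) for part in mask.split("*"))
    # Assumption: a mask must cover the entire URL and matching ignores case.
    return re.compile(rf"^{pattern}$", re.IGNORECASE)


def parse_filters(config_text):
    """Extract every <FilterUrl> CDATA mask from a decrypted config and compile it."""
    filters = []
    for raw in re.findall(r"<FilterUrl><!\[CDATA\[(.*?)\]\]></FilterUrl>", config_text):
        screenshot = raw.startswith("@")
        mask = raw[1:] if screenshot else raw
        filters.append(UrlFilter(mask, screenshot, mask_to_regex(mask)))
    return filters


def matching_masks(url, filters):
    """Return the masks (prefix stripped) that match `url`, in config order."""
    return [f.mask for f in filters if f.regex.match(url)]


def screenshot_on_click(url, filters):
    """True if a left click on a page at `url` would make Zeus take a screenshot."""
    return any(f.screenshot and f.regex.match(url) for f in filters)


if __name__ == "__main__":
    # Constructed URLs standing in for an organisation's remote-access portals.
    candidate_urls = [
        "https://vpn.example.com/citrix/LogonPoint/index.html",
        "https://citrix-gw.example.net/login",
        "https://www.example.com/account/login",
    ]
    filters = parse_filters(SAMPLE_CONFIG)
    for url in candidate_urls:
        print(f"{url}: screenshot={screenshot_on_click(url, filters)} "
              f"masks={matching_masks(url, filters)}")
```

Note how the second mask widens the net: a gateway whose hostname contains “citrix” is targeted even if its login path never includes “/citrix/”, so a defender checking exposure should test full URLs, not just paths.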

Here, Zeus is trying to capture login credentials from users of the Citrix Access Gateway, a popular SSL VPN solution used by businesses to provide secure remote access to applications and data inside their protected network. Criminals always seek the path of least resistance. In the case of enterprise networks, the least secure path is through mobile and remote employee computers, which are outside the control of most internal IT departments.

A Virtual Keyboard

Citrix is well aware and concerned about the threat of keyloggers and their ability to capture a user’s login information for the Citrix Access Gateway. In order to protect against this type of attack, Citrix developed a virtual keyboard solution. According to its website: “Keyloggers are becoming an increasing threat on the Internet, and pose a risk to security of corporate networks. They are applications that run silently on a PC or Internet kiosk and record the keystrokes entered by a user for later review. They pose a risk because they can capture usernames and passwords entered, which can then be reviewed and used in obtaining unauthorized access to the corporate network.”

The Citrix Access Gateway allows companies to customize the login page to include a virtual on-screen keyboard that replaces the physical keyboard. So instead of typing a password on the physical keyboard, mouse clicks are used to press keys drawn on the screen. This approach prevents keyloggers from capturing keystrokes, since there are none to capture.

The Zeus configuration snippet shown above is specifically designed to defeat the virtual keyboard capability in the Citrix Access Gateway. By capturing a screenshot of the area around the pointer at each mouse click, Zeus records the on-screen key under the pointer at the moment it was pressed; the sequence of screenshots therefore spells out the user’s password, one key per click, without a single keystroke ever being logged.

Why a Configuration File Favors Corporate IT

This attack code clearly illustrates that Zeus is actively targeting enterprises, specifically remote access connections into secure networks. Fraudsters are no longer satisfied with simply going after bank accounts; they are also targeting intellectual property and sensitive information contained in company IT networks and applications. Users of remote access VPN systems like the Citrix Access Gateway (employees, contractors and partners) are purposely singled out by this configuration file because their computers are unmanaged and easily compromised with sophisticated malware like Zeus. As a result, corporate IT departments should be aware of this advanced threat and take steps to protect their unmanaged computers and remote sessions. These include limiting VPN access to specific applications and users, maintaining up-to-date malware protection on remote devices, using a secure browsing service to protect VPN connections and educating users on computer hygiene and secure browsing best practices.
