May 22, 2014 By Dana Tamir 4 min read

A New Trojan in Town: Meet Zberp

Trusteer researchers recently discovered a new Trojan that has been targeting more than 450 financial institutions around the world, mainly in the U.S., U.K. and Australia. The new Trojan, which seems to be a variant of the well-known Zeus Trojan (a.k.a. Zbot), also demonstrates behaviors associated with the Carberp Trojan family. Therefore, we named it the Zberp Trojan.

According to an analysis conducted by Trusteer researchers Martin G. Korman and Tal Darsan, the Trojan seems to have been assembled from the leaked source code of two well-known Trojans: Zeus and Carberp. The Zeus source code was exposed to the public in 2011, and it is already used by some criminal groups that customize its behavior and develop new features. The Carberp source code was offered for sale last year.

“Since the source code of the Carberp Trojan was leaked to the public, we had a theory that it won’t take cyber criminals too long to combine the Carberp source code with the Zeus code and create an evil monster,” explained Korman and Darsan. “It was only a theory, but a few weeks ago we found samples of the ‘Andromeda’ botnet that were downloading the hybrid beast.”

The new Zberp Trojan, a variant of the Zeus VM Trojan, enables cyber criminals to grab basic information about the infected computer, including the Computer name, IP and more. It can take screen shots and send them to the attacker. It steals data submitted in HTTP forms, user SSL certificates and even FTP and POP account credentials. The Zberp Trojan also includes optional features that enable Web injections, dynamic Web injections, MITB/MITM attacks and VNC/RDP connections.

In addition to its malicious capabilities, the Zberp Trojan uses a combination of evasion techniques that it inherited from both the Zeus and the Carberp Trojans.

Zberp uses an “invisible persistence” feature that is has been used by the Zeus VM variant: the malware deletes its persistence key from the registry during the Windows startup process to prevent security solutions from detecting it during normal system scans that take place after the system boots. To ensure persistency, however, the malware rewrites the persistence key back to the registry during system shutdown.

The Trojan also disguises the configuration code in an image file through steganography, a technique used by malware authors to embed code in a file format that looks legitimate and bypasses malware detection solutions.

Figure 1: The header of the configuration image


Figure 2: The configuration is disguised in an “Apple” image


Figure 3: The base64 encoded configuration hidden within the image


The Carberp source code contribution to the Zberp Trojan can be seen in its “hooking” technique, commonly used by malware developers to control the browser, grab key strokes and steal information. It also keeps the malware “invisible,” evading detection by anti-virus and anti-malware tools.

The figure below shows that the hook is implemented in the same place, but its implementation is slightly different: The push instruction highlighted in the Carberp code (on the left) was changed by one byte in the Zberp code (on the right), and a ‘mov’ instruction was added to it. These changes ensure that even security solutions capable of detecting Carberp variants will not identify the new code.

Figure 4: Comparison between Carberp and Zberp hooks

Another evasion technique that has been embedded in the Zberp Trojan is the use of SSL, which secures the communications with the Command and Control server and evades detection by network security products.

According to a Virus-Total scan, the Zberp Trojan was able to evade most anti-virus solutions when it was first detected. Trusteer’s endpoint protection solutions, which do not require prior knowledge about emerging threats in order to stop them, detected and removed the Zberp Trojan immediately — on ‘day zero.’

How Trusteer Customers Are Protected

Trusteer Customers Are Protected!

Trusteer, an IBM company, is the leading provider of endpoint cyber crime prevention. Trusteer solutions combine multi-layer defenses with real-time threat intelligence to achieve sustainable protection against malware and targeted attacks.

Preventing Enterprise Breach

Trusteer Apex protects enterprise endpoints by preventing infections via the exploitation of vulnerabilities in endpoint applications. In addition, it detects, mitigates and removes Zberp (and other Zeus variants) from infected user devices. No product update is needed.

Preventing Online Financial Fraud

Trusteer Rapport protects customer endpoints by detecting, mitigating and removing Zberp (and other Zeus variants) from infected devices. No product update is needed.

Trusteer Pinpoint Malware Detection can identify and warn organizations of malware-infected devices that attempt to log in and transact with their website. No product update is needed.

More from Advanced Threats

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today