A New Trojan in Town: Meet Zberp

Trusteer researchers recently discovered a new Trojan that has been targeting more than 450 financial institutions around the world, mainly in the U.S., U.K. and Australia. The new Trojan, which seems to be a variant of the well-known Zeus Trojan (a.k.a. Zbot), also demonstrates behaviors associated with the Carberp Trojan family. Therefore, we named it the Zberp Trojan.

According to an analysis conducted by Trusteer researchers Martin G. Korman and Tal Darsan, the Trojan seems to have been assembled from the leaked source code of two well-known Trojans: Zeus and Carberp. The Zeus source code was exposed to the public in 2011, and it is already used by some criminal groups that customize its behavior and develop new features. The Carberp source code was offered for sale last year.

“Since the source code of the Carberp Trojan was leaked to the public, we had a theory that it won’t take cyber criminals too long to combine the Carberp source code with the Zeus code and create an evil monster,” explained Korman and Darsan. “It was only a theory, but a few weeks ago we found samples of the ‘Andromeda’ botnet that were downloading the hybrid beast.”

The new Zberp Trojan, a variant of the Zeus VM Trojan, enables cyber criminals to grab basic information about the infected computer, including the Computer name, IP and more. It can take screen shots and send them to the attacker. It steals data submitted in HTTP forms, user SSL certificates and even FTP and POP account credentials. The Zberp Trojan also includes optional features that enable Web injections, dynamic Web injections, MITB/MITM attacks and VNC/RDP connections.

In addition to its malicious capabilities, the Zberp Trojan uses a combination of evasion techniques that it inherited from both the Zeus and the Carberp Trojans.

Zberp uses an “invisible persistence” feature that is has been used by the Zeus VM variant: the malware deletes its persistence key from the registry during the Windows startup process to prevent security solutions from detecting it during normal system scans that take place after the system boots. To ensure persistency, however, the malware rewrites the persistence key back to the registry during system shutdown.

The Trojan also disguises the configuration code in an image file through steganography, a technique used by malware authors to embed code in a file format that looks legitimate and bypasses malware detection solutions.

Figure 1: The header of the configuration image


Figure 2: The configuration is disguised in an “Apple” image


Figure 3: The base64 encoded configuration hidden within the image


The Carberp source code contribution to the Zberp Trojan can be seen in its “hooking” technique, commonly used by malware developers to control the browser, grab key strokes and steal information. It also keeps the malware “invisible,” evading detection by anti-virus and anti-malware tools.

The figure below shows that the hook is implemented in the same place, but its implementation is slightly different: The push instruction highlighted in the Carberp code (on the left) was changed by one byte in the Zberp code (on the right), and a ‘mov’ instruction was added to it. These changes ensure that even security solutions capable of detecting Carberp variants will not identify the new code.

Figure 4: Comparison between Carberp and Zberp hooks

Another evasion technique that has been embedded in the Zberp Trojan is the use of SSL, which secures the communications with the Command and Control server and evades detection by network security products.

According to a Virus-Total scan, the Zberp Trojan was able to evade most anti-virus solutions when it was first detected. Trusteer’s endpoint protection solutions, which do not require prior knowledge about emerging threats in order to stop them, detected and removed the Zberp Trojan immediately — on ‘day zero.’

How Trusteer Customers Are Protected

Trusteer Customers Are Protected!

Trusteer, an IBM company, is the leading provider of endpoint cyber crime prevention. Trusteer solutions combine multi-layer defenses with real-time threat intelligence to achieve sustainable protection against malware and targeted attacks.

Preventing Enterprise Breach

Trusteer Apex protects enterprise endpoints by preventing infections via the exploitation of vulnerabilities in endpoint applications. In addition, it detects, mitigates and removes Zberp (and other Zeus variants) from infected user devices. No product update is needed.

Preventing Online Financial Fraud

Trusteer Rapport protects customer endpoints by detecting, mitigating and removing Zberp (and other Zeus variants) from infected devices. No product update is needed.

Trusteer Pinpoint Malware Detection can identify and warn organizations of malware-infected devices that attempt to log in and transact with their website. No product update is needed.

more from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however,…

World’s Largest Darknet Market Shut Down, $25 Million in Bitcoin Seized

On April 5, German authorities announced the takedown of the Hydra marketplace, the world’s largest darknet market trading in illicit drugs, cyberattack tools, forged documents and stolen data. The criminal operation, with about 17 million customer accounts, raked in billions in bitcoin before getting shut down. On its website, the Federal Criminal Police Office (BKA) stated it had secured and…