A New Trojan in Town: Meet Zberp

Trusteer researchers recently discovered a new Trojan that has been targeting more than 450 financial institutions around the world, mainly in the U.S., U.K. and Australia. The new Trojan, which seems to be a variant of the well-known Zeus Trojan (a.k.a. Zbot), also demonstrates behaviors associated with the Carberp Trojan family. Therefore, we named it the Zberp Trojan.

According to an analysis conducted by Trusteer researchers Martin G. Korman and Tal Darsan, the Trojan seems to have been assembled from the leaked source code of two well-known Trojans: Zeus and Carberp. The Zeus source code was exposed to the public in 2011, and it is already used by some criminal groups that customize its behavior and develop new features. The Carberp source code was offered for sale last year.

“Since the source code of the Carberp Trojan was leaked to the public, we had a theory that it won’t take cyber criminals too long to combine the Carberp source code with the Zeus code and create an evil monster,” explained Korman and Darsan. “It was only a theory, but a few weeks ago we found samples of the ‘Andromeda’ botnet that were downloading the hybrid beast.”

The new Zberp Trojan, a variant of the Zeus VM Trojan, enables cyber criminals to grab basic information about the infected computer, including the Computer name, IP and more. It can take screen shots and send them to the attacker. It steals data submitted in HTTP forms, user SSL certificates and even FTP and POP account credentials. The Zberp Trojan also includes optional features that enable Web injections, dynamic Web injections, MITB/MITM attacks and VNC/RDP connections.

In addition to its malicious capabilities, the Zberp Trojan uses a combination of evasion techniques that it inherited from both the Zeus and the Carberp Trojans.

Zberp uses an “invisible persistence” feature that is has been used by the Zeus VM variant: the malware deletes its persistence key from the registry during the Windows startup process to prevent security solutions from detecting it during normal system scans that take place after the system boots. To ensure persistency, however, the malware rewrites the persistence key back to the registry during system shutdown.

The Trojan also disguises the configuration code in an image file through steganography, a technique used by malware authors to embed code in a file format that looks legitimate and bypasses malware detection solutions.

Figure 1: The header of the configuration image

 

Figure 2: The configuration is disguised in an “Apple” image

 

Figure 3: The base64 encoded configuration hidden within the image

 

The Carberp source code contribution to the Zberp Trojan can be seen in its “hooking” technique, commonly used by malware developers to control the browser, grab key strokes and steal information. It also keeps the malware “invisible,” evading detection by anti-virus and anti-malware tools.

The figure below shows that the hook is implemented in the same place, but its implementation is slightly different: The push instruction highlighted in the Carberp code (on the left) was changed by one byte in the Zberp code (on the right), and a ‘mov’ instruction was added to it. These changes ensure that even security solutions capable of detecting Carberp variants will not identify the new code.

Figure 4: Comparison between Carberp and Zberp hooks

Another evasion technique that has been embedded in the Zberp Trojan is the use of SSL, which secures the communications with the Command and Control server and evades detection by network security products.

According to a Virus-Total scan, the Zberp Trojan was able to evade most anti-virus solutions when it was first detected. Trusteer’s endpoint protection solutions, which do not require prior knowledge about emerging threats in order to stop them, detected and removed the Zberp Trojan immediately — on ‘day zero.’

How Trusteer Customers Are Protected

Trusteer Customers Are Protected!

Trusteer, an IBM company, is the leading provider of endpoint cyber crime prevention. Trusteer solutions combine multi-layer defenses with real-time threat intelligence to achieve sustainable protection against malware and targeted attacks.

Preventing Enterprise Breach

Trusteer Apex protects enterprise endpoints by preventing infections via the exploitation of vulnerabilities in endpoint applications. In addition, it detects, mitigates and removes Zberp (and other Zeus variants) from infected user devices. No product update is needed.

Preventing Online Financial Fraud

Trusteer Rapport protects customer endpoints by detecting, mitigating and removing Zberp (and other Zeus variants) from infected devices. No product update is needed.

Trusteer Pinpoint Malware Detection can identify and warn organizations of malware-infected devices that attempt to log in and transact with their website. No product update is needed.

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

How to Report Scam Calls and Phishing Attacks

With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They're not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors' shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and…