Light Dark
April 14, 2016 By Douglas Bonderud 2 min read

Zeus just won’t give up. According to SecurityWeek, there’s a new variant of successful Zeus-derivative Citadel on the market. It’s called Atmos and has been described by Danish security firm Heimdal as Citadel’s “polymorphic successor.”

With a combination of familiar tactics and new attack vectors, this Zeus banking Trojan may require a Herculean effort to detect — and remove — from targeted systems.

Olympian Lineage

The original Citadel infection compromised more than 11 million computers worldwide and was responsible for over $500 million in losses, SecurityWeek reported. Its creator, Dimitry Belorossov, was sentenced to 54 months in prison, and Citadel largely disappeared off the malware map.

A new strain of the same lineage has emerged in the form of Atmos. So far, Heimdal has detected more than 1,000 bots attacking the same target: French financial institutions. Atmos uses some of the same tricks seen in its progenitor, such as webinjections that modify a browser’s view of Web pages and can alter transaction details.

The result? Victims believe they’re carrying out run-of-the-mill online activities but are instead transferring money into an attacker-controlled bank account. Making this new Zeus banking Trojan more worrisome is the addition of polymorphic code, which lets it evade detection and cover its tracks in a system. Even when found, it’s difficult to know how long Atmos has been running amok.

Fighting Gods

The growth of large-scale, brute-force malware has largely plateaued. Now attackers are looking for high-value targets they can infect without detection and exploit over a period of months or years. For example, We Live Security recently reported on USB-based malware that inserts itself into applications’ command chain and employs self-protection techniques such as the use of AES-128 encryption and cryptographic file names.

Atmos also makes it difficult to fight back against its divine pedigree. Threatpost noted the code is tied to configuration servers in multiple countries including Canada, the U.S., Russia and Turkey. In addition, there’s no single attack vector for Atmos — infections have come through banner ads, booby-trapped websites and phishing attacks.

It gets worse: After the malware has altered Web browsers and scraped victim machines for data or credentials, it deploys a Teslacrypt-based ransomware attack to extract even more money. Researchers suspect that the attacks in France are part of a testing phase; once the Atmos creators have worked out the bugs, they’ll likely go global.

Thwarting the Zeus Banking Trojan

Protection isn’t an easy task against this Zeus banking Trojan. Good password management helps, and it is critical for financial institutions to verify all transactions after an infection is discovered, but there’s no silver bullet for Atmos. For the moment, security teams face the Herculean task of fighting divine progeny.

 |  |  |  |  | 
Douglas Bonderud
Freelance Writer

More from

March 18, 2025

Bypassing Windows Defender Application Control with Loki C2

10 min read - Windows Defender Application Control (WDAC) is a security solution that restricts execution to trusted software. Since it is classified as a security boundary, Microsoft offers bug bounty payouts for qualifying bypasses, making it an active and competitive field of research.Typical outcomes of a WDAC bypass bug bounty submission:Bypass is fixed; possible bounty awardedBypass is not fixed but instead "mitigated" by being added to the WDAC recommended block list. Likely no bounty awarded but honorable mention is typically givenBypass is not…

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature