April 14, 2016 By Douglas Bonderud 2 min read

Zeus just won’t give up. According to SecurityWeek, there’s a new variant of successful Zeus-derivative Citadel on the market. It’s called Atmos and has been described by Danish security firm Heimdal as Citadel’s “polymorphic successor.”

With a combination of familiar tactics and new attack vectors, this Zeus banking Trojan may require a Herculean effort to detect — and remove — from targeted systems.

Olympian Lineage

The original Citadel infection compromised more than 11 million computers worldwide and was responsible for over $500 million in losses, SecurityWeek reported. Its creator, Dimitry Belorossov, was sentenced to 54 months in prison, and Citadel largely disappeared off the malware map.

A new strain of the same lineage has emerged in the form of Atmos. So far, Heimdal has detected more than 1,000 bots attacking the same target: French financial institutions. Atmos uses some of the same tricks seen in its progenitor, such as webinjections that modify a browser’s view of Web pages and can alter transaction details.

The result? Victims believe they’re carrying out run-of-the-mill online activities but are instead transferring money into an attacker-controlled bank account. Making this new Zeus banking Trojan more worrisome is the addition of polymorphic code, which lets it evade detection and cover its tracks in a system. Even when found, it’s difficult to know how long Atmos has been running amok.

Fighting Gods

The growth of large-scale, brute-force malware has largely plateaued. Now attackers are looking for high-value targets they can infect without detection and exploit over a period of months or years. For example, We Live Security recently reported on USB-based malware that inserts itself into applications’ command chain and employs self-protection techniques such as the use of AES-128 encryption and cryptographic file names.

Atmos also makes it difficult to fight back against its divine pedigree. Threatpost noted the code is tied to configuration servers in multiple countries including Canada, the U.S., Russia and Turkey. In addition, there’s no single attack vector for Atmos — infections have come through banner ads, booby-trapped websites and phishing attacks.

It gets worse: After the malware has altered Web browsers and scraped victim machines for data or credentials, it deploys a Teslacrypt-based ransomware attack to extract even more money. Researchers suspect that the attacks in France are part of a testing phase; once the Atmos creators have worked out the bugs, they’ll likely go global.

Thwarting the Zeus Banking Trojan

Protection isn’t an easy task against this Zeus banking Trojan. Good password management helps, and it is critical for financial institutions to verify all transactions after an infection is discovered, but there’s no silver bullet for Atmos. For the moment, security teams face the Herculean task of fighting divine progeny.

More from

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI).The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous.Meanwhile, the magnitude of the threat…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.This milestone was reached at Pwn2Own 2024 in Vancouver, where two women, Valentina Palmiotti and Emma Kirkpatrick, each secured full wins by exploiting kernel vulnerabilities in Microsoft Windows 11. Prior to this year, only Amy Burnett and Alisa Esage had competed in the contest's 17-year history, with Esage achieving a partial win in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today