Zeus just won’t give up. According to SecurityWeek, there’s a new variant of successful Zeus-derivative Citadel on the market. It’s called Atmos and has been described by Danish security firm Heimdal as Citadel’s “polymorphic successor.”

With a combination of familiar tactics and new attack vectors, this Zeus banking Trojan may require a Herculean effort to detect — and remove — from targeted systems.

Olympian Lineage

The original Citadel infection compromised more than 11 million computers worldwide and was responsible for over $500 million in losses, SecurityWeek reported. Its creator, Dimitry Belorossov, was sentenced to 54 months in prison, and Citadel largely disappeared off the malware map.

A new strain of the same lineage has emerged in the form of Atmos. So far, Heimdal has detected more than 1,000 bots attacking the same target: French financial institutions. Atmos uses some of the same tricks seen in its progenitor, such as webinjections that modify a browser’s view of Web pages and can alter transaction details.

The result? Victims believe they’re carrying out run-of-the-mill online activities but are instead transferring money into an attacker-controlled bank account. Making this new Zeus banking Trojan more worrisome is the addition of polymorphic code, which lets it evade detection and cover its tracks in a system. Even when found, it’s difficult to know how long Atmos has been running amok.

Fighting Gods

The growth of large-scale, brute-force malware has largely plateaued. Now attackers are looking for high-value targets they can infect without detection and exploit over a period of months or years. For example, We Live Security recently reported on USB-based malware that inserts itself into applications’ command chain and employs self-protection techniques such as the use of AES-128 encryption and cryptographic file names.

Atmos also makes it difficult to fight back against its divine pedigree. Threatpost noted the code is tied to configuration servers in multiple countries including Canada, the U.S., Russia and Turkey. In addition, there’s no single attack vector for Atmos — infections have come through banner ads, booby-trapped websites and phishing attacks.

It gets worse: After the malware has altered Web browsers and scraped victim machines for data or credentials, it deploys a Teslacrypt-based ransomware attack to extract even more money. Researchers suspect that the attacks in France are part of a testing phase; once the Atmos creators have worked out the bugs, they’ll likely go global.

Thwarting the Zeus Banking Trojan

Protection isn’t an easy task against this Zeus banking Trojan. Good password management helps, and it is critical for financial institutions to verify all transactions after an infection is discovered, but there’s no silver bullet for Atmos. For the moment, security teams face the Herculean task of fighting divine progeny.

More from

Data never dies: The immortal battle of data privacy

4 min read - More than two hundred years ago, Benjamin Franklin said there is nothing certain but death and taxes. If Franklin were alive today, he would add one more certainty to his list: your digital profile. Between the data compiled and stored by employers, private businesses, government agencies and social media sites, the personal information of nearly every single individual is anywhere and everywhere. When someone dies, that data becomes the responsibility of the estate; but what happens to the privacy rights…

Vulnerability resolution enhanced by integrations

2 min read - Why speed is of the essence in today's cybersecurity landscape? How are you quickly achieving vulnerability resolution? Identifying vulnerabilities should be part of the daily process within an organization. It's an important piece of maintaining an organization’s security posture. However, the complicated nature of modern technologies — and the pace of change — often make vulnerability management a challenging task. In the past, many organizations had to support manual integration work to get different security systems to ‘talk’ to each…

How I got started: SIEM engineer

3 min read - As careers in cybersecurity become increasingly more specialized, Security Information and Event Management (SIEM) engineers are playing a more prominent role. These professionals are like forensic specialists but are also on the front lines protecting sensitive information from the relentless onslaught of cyber threats. SIEM engineers meticulously monitor, analyze and manage security events and incidents within an organization. They leverage SIEM tools to aggregate and correlate data, enabling them to detect anomalies, identify potential threats and respond swiftly to security…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…