New Polymorphic Zeus Banking Trojan Demands Herculean Response

April 14, 2016 @ 11:30 AM
| |
2 min read

Zeus just won’t give up. According to SecurityWeek, there’s a new variant of successful Zeus-derivative Citadel on the market. It’s called Atmos and has been described by Danish security firm Heimdal as Citadel’s “polymorphic successor.”

With a combination of familiar tactics and new attack vectors, this Zeus banking Trojan may require a Herculean effort to detect — and remove — from targeted systems.

Olympian Lineage

The original Citadel infection compromised more than 11 million computers worldwide and was responsible for over $500 million in losses, SecurityWeek reported. Its creator, Dimitry Belorossov, was sentenced to 54 months in prison, and Citadel largely disappeared off the malware map.

A new strain of the same lineage has emerged in the form of Atmos. So far, Heimdal has detected more than 1,000 bots attacking the same target: French financial institutions. Atmos uses some of the same tricks seen in its progenitor, such as webinjections that modify a browser’s view of Web pages and can alter transaction details.

The result? Victims believe they’re carrying out run-of-the-mill online activities but are instead transferring money into an attacker-controlled bank account. Making this new Zeus banking Trojan more worrisome is the addition of polymorphic code, which lets it evade detection and cover its tracks in a system. Even when found, it’s difficult to know how long Atmos has been running amok.

Fighting Gods

The growth of large-scale, brute-force malware has largely plateaued. Now attackers are looking for high-value targets they can infect without detection and exploit over a period of months or years. For example, We Live Security recently reported on USB-based malware that inserts itself into applications’ command chain and employs self-protection techniques such as the use of AES-128 encryption and cryptographic file names.

Atmos also makes it difficult to fight back against its divine pedigree. Threatpost noted the code is tied to configuration servers in multiple countries including Canada, the U.S., Russia and Turkey. In addition, there’s no single attack vector for Atmos — infections have come through banner ads, booby-trapped websites and phishing attacks.

It gets worse: After the malware has altered Web browsers and scraped victim machines for data or credentials, it deploys a Teslacrypt-based ransomware attack to extract even more money. Researchers suspect that the attacks in France are part of a testing phase; once the Atmos creators have worked out the bugs, they’ll likely go global.

Thwarting the Zeus Banking Trojan

Protection isn’t an easy task against this Zeus banking Trojan. Good password management helps, and it is critical for financial institutions to verify all transactions after an infection is discovered, but there’s no silver bullet for Atmos. For the moment, security teams face the Herculean task of fighting divine progeny.

Douglas Bonderud
Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and innovation. In addition to working for...
read more