Zeus just won’t give up. According to SecurityWeek, there’s a new variant of successful Zeus-derivative Citadel on the market. It’s called Atmos and has been described by Danish security firm Heimdal as Citadel’s “polymorphic successor.”

With a combination of familiar tactics and new attack vectors, this Zeus banking Trojan may require a Herculean effort to detect — and remove — from targeted systems.

Olympian Lineage

The original Citadel infection compromised more than 11 million computers worldwide and was responsible for over $500 million in losses, SecurityWeek reported. Its creator, Dimitry Belorossov, was sentenced to 54 months in prison, and Citadel largely disappeared off the malware map.

A new strain of the same lineage has emerged in the form of Atmos. So far, Heimdal has detected more than 1,000 bots attacking the same target: French financial institutions. Atmos uses some of the same tricks seen in its progenitor, such as webinjections that modify a browser’s view of Web pages and can alter transaction details.

The result? Victims believe they’re carrying out run-of-the-mill online activities but are instead transferring money into an attacker-controlled bank account. Making this new Zeus banking Trojan more worrisome is the addition of polymorphic code, which lets it evade detection and cover its tracks in a system. Even when found, it’s difficult to know how long Atmos has been running amok.

Fighting Gods

The growth of large-scale, brute-force malware has largely plateaued. Now attackers are looking for high-value targets they can infect without detection and exploit over a period of months or years. For example, We Live Security recently reported on USB-based malware that inserts itself into applications’ command chain and employs self-protection techniques such as the use of AES-128 encryption and cryptographic file names.

Atmos also makes it difficult to fight back against its divine pedigree. Threatpost noted the code is tied to configuration servers in multiple countries including Canada, the U.S., Russia and Turkey. In addition, there’s no single attack vector for Atmos — infections have come through banner ads, booby-trapped websites and phishing attacks.

It gets worse: After the malware has altered Web browsers and scraped victim machines for data or credentials, it deploys a Teslacrypt-based ransomware attack to extract even more money. Researchers suspect that the attacks in France are part of a testing phase; once the Atmos creators have worked out the bugs, they’ll likely go global.

Thwarting the Zeus Banking Trojan

Protection isn’t an easy task against this Zeus banking Trojan. Good password management helps, and it is critical for financial institutions to verify all transactions after an infection is discovered, but there’s no silver bullet for Atmos. For the moment, security teams face the Herculean task of fighting divine progeny.

More from

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…