UK Banks Hit With New Zeus Banking Trojan Attacks

Zeus, sometmes called ZBot is a banking Trojan that steals e-banking information and logs keystrokes

Two recent discoveries by IBM Security X-Force researchers indicate that the UK is seeing an increased wave of banking Trojan attacks from two families linked with the Zeus Trojan: Sphinx and Kronos. In the first case, X-Force researchers are the first to confirm that beyond seeing underground posts of cybercriminals selling a new Zeus variant dubbed Sphinx, this malware actually exists and is actively attacking banks in the wild.

Sphinx is commercial malware that is sold to anyone who will pay for it, which means its targets can vary quite a bit. The most current identified configuration is targeting several major U.K. banks and one Polish bank. IBM Security X-Force’s analysis of Sphinx shows it is, for the most part, a replica of Zeus v2 variants.

The second case has to do with the Kronos Trojan. Kronos is a known banking malware threat that emerged in mid-2014. Surprisingly, this malware has gone silent for the past few months and has just reemerged, showing no technical advancements but a change in turf that focuses on U.K. banks and one bank in India.

The U.K. is, and has been for many years, a preferred target for cybercrime because of its prosperous economy and strong adoption of Internet-based services for banking and payments. While the U.K. is already the most targeted area for banking Trojan malware configurations (per IBM Trusteer data), the past few months have shown more activity than usual. Banking Trojans such as Shifu, Zeus Sphinx and Kronos are configured to launch into action upon access to consumer, corporate and even wealth management accounts.

Zeus Sphinx is crimeware that emerged in underground fraud forums in late August 2015, offered for sale by a Russian-speaking vendor for $500 per binary — without a malware builder. This means that Sphinx’s vendor is not enabling fraudsters to independently generate new malware files. Fraudsters would have to buy a new variant generated by the vendor every time their current one gets detected as malicious by signature-based security solutions.

In a post-selling Sphinx to other cybercriminals, its vendor indicated the malware communicates via the anonymizing Tor network, making it harder to sinkhole, avoiding IP address-based blacklisting and keeping it off Zeus Trackers.
Zeus Sphinx is used for the theft of online banking authentication elements such as user credentials, cookies and certificates. These elements are subsequently used by fraudsters in illicit online transactions typically performed from the user’s own device. Connection to the endpoint is facilitated via back-connect hidden virtual network computing (VNC), which means the infected endpoint will initiate a remote-access connection to the criminal’s endpoint. This feature allows the attacker to gain user-grade access to the device even through firewall protection.

In most cases, Sphinx is configured to only harvest username and password combinations from the victim, both in a generic manner and when triggered by the websites users visit. The fraudsters that use this minimal configuration to test attack possibilities may be using the basic authentication or simply selling the harvested data to other criminals.
In some of the cases, Sphinx was specifically configured to further deploy web-injections with social engineering content designed to lure victims into divulging two-factor authentication (2FA) codes generated by a card reader.
Sphinx-enabled fraudulent transactions typically originate from the victim’s endpoint via VNC connection; this tactic is used in order to bypass device fingerprint-based security features.

While this Trojan can be sold to anyone, and thus configuration file contents can differ very much from one another, current variants of Sphinx target banks in the UK and Poland, as well as a popular online payments system.
The vendor’s post was simultaneously found in the underground by a few intelligence analysts, including IBM Security X-Force researchers, but at that time no security vendor was able to confirm that Zeus Sphinx was real or active in the wild.
This has now officially changed. By mid-September 2015, X-Force researchers found an actual Sphinx sample in the wild and confirmed that Zeus Sphinx not only exists, but is actively attacking online banking customers.

When browsing their bank’s website, Sphinx’s web-fakes redirection scheme seamlessly sends victims to a phishing page without seeing the URL change. Each client-side bot is designed to deploy with the minimal user privilege level; each user on the same endpoint can be attributed a different bot ID.

The author of the Sphinx variation has made sure to protect botnet communications with a unique encryption key. Traffic is encrypted with a self-signed SSL certificate in the same manner used by malware such as Dyre and Shifu.

Zeus Kronos

Right around the same time that Sphinx materialized and Shifu set its sights on the U.K., the Kronos banking Trojan returned from a hiatus, switching its configuration triggers to a list that distinctly focuses on U.K. banks.In a rather unusual occurrence, Kronos went silent for the past few months, shutting down the command-and-control servers that communicated with its infected botnets. As of September 2015, this has changed. Someone on the Kronos server side has flipped the lights back on, reconnecting with infected bots and sending them a brand new configuration file — only this time, it is attacking U.K. banks as well as one bank in India.

Kronos, banking malware named after the father of Zeus, emerged in underground cybercrime boards in mid-2014, when it was offered for sale by a Russian-speaking vendor to the cybercrime community for a whopping $7,000.
At first, there was no actual proof that the malware was indeed active in the wild, but by July 2014 it was clear that Kronos was primarily attacking banks in France.

Kronos samples analyzed by X-Force researchers in 2014 confirmed that the malware was a user-mode rootkit that could hook popular browsers, featuring the typical Trojan mechanisms designed to facilitate online banking fraud. Some of those features are:

•    Encrypted configuration file with URL targets and web injections;
•    Form grabbing to steal user credentials on the fly;
•    A Zeus-compatible web injection mechanism;
•    A VNC module to remotely control infected endpoints;
•    Hefty anti-research and anti-AV features.

New post-hiatus Kronos samples seem to operate in the exact same manner as they did before, indicating that the malware was not retired for development purposes. This is rather logical since Kronos is a commercial offering; it is therefore possible that its current operators are not actual developers who regularly make changes to their code to keep it stealthy over time.
For Kronos, the only behavioral change observed by IBM X-Force researchers is an unexpected crash of the Chrome browser on machines infected with the malware. This issue can stem from a difficulty Kronos may have with injecting into Chrome, making it crash accidentally. Or it could be deliberate in order to force infected users to browse via IE or Firefox, where all its web injections work properly.

Kronos’ Change of Turf

On top of changing its target list to focus on the UK, Kronos’ new configuration includes more strategic updates, including elaborate web injection schemes for some of the banks it targets. In new phishing-type injections, Kronos displays completely new Web pages to its victims, aiming to harvest their online banking credentials, telephone banking passwords and credit card information. At this time, Kronos is after personal banking accounts, likely spreading via email spam.

Fighting emerging threats like the Zeus Sphinx Trojan or evolving threats like Kronos is easy with malware detection solutions. With protection layers adapted to the ever-changing threat landscape, financial organizations can gain access to a malware intelligence network that provides real-time insight into fraudster techniques and capabilities.

Security Intelligence:

 

« Only A Short Time Before Cyber-Attack Hits Finance
Digital Currency Grows Up »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Energy Sec

Energy Sec

EnergySec is a United States 501(c)(3) non-profit corporation formed to support energy sector organizations with the security of their critical technology infrastructures.

Kirkland & Ellis

Kirkland & Ellis

Kirkland & Ellis LLP is an international law firm with offices in the USA, Europe and Asia. Practice areas include Data Security & Privacy.

Certes

Certes

Certes is a pioneer in delivering cutting-edge security technology solutions, with a specific focus on Data Protection Risk Mitigation (DPRM).

HYAS Infosec

HYAS Infosec

HYAS is a highly skilled information security firm developing the next generation of information security technology.

SecuGen

SecuGen

SecuGen is a leading provider of advanced, optical fingerprint recognition technology, products, tools and platforms for physical and information security.

Truepic

Truepic

Truepic provides technologies that prevent fraud, identity theft, misinformation, and disinformation caused by generative, manipulated, or deepfake digital content.

Hardenite

Hardenite

Hardenite solution helps R&D, DevOps and IT teams to continuously manage security risks and hardening efforts of any Linux OS – based product, throughout the product life cycle.

FutureCon Events

FutureCon Events

FutureCon produces cutting edge events aimed for Senior Level Professionals working in the security community, bringing together the best minds in the industry for a unique cybersecurity event.

Adarma Security

Adarma Security

Adarma are specialists in threat management including SOC design, build & operation.

INE

INE

INE is a premier provider of Technical Training for the IT industry.

Laminar

Laminar

Laminar provides the only Public Cloud Data Protection solution that provides full visibility and enforcement capabilities across your entire public cloud infrastructure.

CliftonLarsonAllen (CLA)

CliftonLarsonAllen (CLA)

CLA exists to create opportunities for our clients through industry-focused advisory, outsourcing, audit, tax, and consulting services.

AMSYS Innovative Solutions

AMSYS Innovative Solutions

AMSYS is a full-service, 24/7/365 IT solutions, Cybersecurity & Managed Service Provider.

Aleo

Aleo

Aleo is building the world's leading developer platform for enabling absolute privacy on blockchains.

Trustmarque

Trustmarque

Trustmarque delivers customer-centric IT solutions that enable better outcomes. We combine the technology, expertise and services to release value at every stage of the IT lifecycle.

Averlon

Averlon

Averlon offers organizations peerless cloud security through Panoptic Cloud Visibility, Predictive Attack Intelligence and Rapid Remediation.