Zeus Evolves Into Fresh Variant, the Chthonic

Kaspersky the security company has just detected one fresh banker Trojan given the name Trojan-Banker.Win32.Chthonic.

Seemingly, Chthonic has evolved from ZeusVM while going through several significant developments. The Trojan utilizes an encryptor which is an identical one for Andromeda bots, an encoding system that is same for ZeusV2 and Zeus AES Trojans, as well as one virtual device same as which KINS and ZeusVM malicious programs use.

As accords to Kaspersky, there are many ways for contaminating host computers with Trojan-Banker.Win32.Chthonic. These are taking down the malware onto the hosts with the aid of Andromeda bot; or dispatching spam mails consisting of exploits.

While dispatching e-mails consisting an exploit, one suitably designed RTF document is attached that would abuse a Microsoft Office vulnerability named CVE-2014-1761. The document is suffixed with .DOC extension so it does not raise suspicion for the recipient. If the vulnerability is successfully exploited, an installer for the 'Chthonic' malware is downloaded onto the host machine.

Bot Andromeda would pull down the installer obtainable via the hxxp://globalblinds.org/BATH/lider.exe.

When pulled down, harmful code, which has one configuration file that is encrypted, gets inserted inside msiexec.exe name of a process alongside which several malevolent software get planted onto the host.

Hitherto, the software programs which Kaspersky Lab researchers found are those which garner system information, log keystrokes, capture saved passwords, record sound and image via web microphone and camera, and facilitate remote access.

Chthonic that targeted Japanese banks within one case concealed the bank's alerts while inserted one script enabling perpetrators towards executing different fraudulent transactions via accounts compromised on the infected computers. Similarly, Russian banks when targeted in another instance entailed fake banking web-pages to affected account owners when they would login. For that, the Trojan would formulate one iframe alongside one phished site mimicking the original banking website.

Senior Malware Analyst Yury Namestnikov at Kaspersky remarked that Chthonic's discovery substantiated Zeus Trojan's continued evolution. Malware authors were maximally utilizing the latest tactics aided hugely from leakage of Zeus code. Chthonic, according to Namestnikov, was the successive stage of Zeus' evolution. Cbronline.com reported this dated December 18, 2014.

» SPAMfighter News - 12/26/2014