Skip to content ↓ | Skip to navigation ↓

Researchers have detected a new banking Trojan that is said to be targeting more than 450 financial institutions worldwide, and which combines functionalities previously seen in the infamous Zeus and Carberp malware families.

The new malware variant, dubbed the Zberp Trojan by the researchers, has the ability to exfiltrate information from infected systems, take screenshots and send them to servers under the attackers control, compromise SSL certificates and keylog information entered into online forms, harvest FTP and POP3 credentials, inject malicious content and hijack brwosing sessions, among other abilities.

Carberp is a sophisticated, modular and persistent malware utilizing advanced obfuscation techniques to evade detection, removal and has the ability to defeat antivirus programs. It also offers malware developers the ability to customize the malicious package statically as well as dynamically via a remote command and control server.

The Zeus Trojan is widely hailed as one of the most dangerous pieces of malware to ever surface in the wild, and the malicious code continues to proliferate. Zeus can lay dormant for long periods of time and can target sensitive information like banking account credentials and authentication codes.

The source code for the Zeus Trojan was leaked into underground forums several years ago, and the Zberp code is seen to use certain Zeus aspects to evade detection, such as steganography to to send configuration updates, and also employs system hooking techniques seen in the Carberp malware.

“Since the source code of the Carberp Trojan was leaked to the public, we had a theory that it won’t take cybercriminals too long to combine the Carberp source code with the Zeus code and create an evil monster,” researchers Martin Korman and Tal Darsan wrote of the new malware variant. “It was only a theory, but a few weeks ago we found samples of the ‘Andromeda’ botnet that were downloading the hybrid beast.”

Zberp also uses an “invisible persistence” feature seen in other recent Zeus variants which enables the malware to delete its persistence key from the registry when Windows starts up, effectively preventing antivirus solutions from detecting it when the system boots up, and then rewrites the persistence key back to the registry at the time of system shutdown.

“According to a Virus-Total scan, the Zberp Trojan was able to evade most anti-virus solutions when it was first detected,” the researchers said.

Read More Here…