The tale of the ever-evolving Zeus trojan and its variants
- Zeus is distributed primarily via spam campaigns, phishing campaigns, and drive-by downloads.
- Zeus had compromised over 74,000 FTP accounts on websites of companies such as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.
Zeus, also known as Zbot, is a trojan that steals system information, account credentials, and banking information from compromised systems. The trojan was first spotted in 2007 when it compromised the United States Department of Transportation. Zeus is distributed primarily via spam campaigns, phishing campaigns, and drive-by downloads.
What are its capabilities
The Zeus trojan’s capabilities include stealing credentials, downloading and executing additional files, deleting system files, and shutting down or rebooting compromised systems.
The Zeus trojan automatically collects any Internet Explorer, FTP, or POP3 credentials stored in Protected Storage (PStore). Zeus primarily collects information through web injection: it monitors visits to the websites listed in its configuration file, intercepts the legitimate web pages, and manipulates them to add extra data fields that capture what the victim types.
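The web injection described above adds form fields to a page the browser has already received from the bank, so the served HTML and the rendered DOM no longer match. The following is an added example, not code from the article or from any Zeus analysis: a Python check a site owner could run on the server, comparing the form it served with a DOM snapshot reported back by the page, and listing the fields that exist only on the client. The snapshot-reporting mechanism is assumed, and both HTML documents are constructed for the example.

```python
"""Added example: detect form fields present in a client-side DOM snapshot
but absent from the HTML the server actually served (a web-inject signal).
All HTML below is constructed; the snapshot transport is assumed."""
from html.parser import HTMLParser


class FormFieldCollector(HTMLParser):
    """Collects (form_id, field_name) pairs for input/select/textarea tags."""

    def __init__(self):
        super().__init__()
        self._current_form = None
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attrs is a list of (name, value); value may be None
        if tag == "form":
            self._current_form = a.get("id") or a.get("name") or "<anonymous>"
        elif tag in ("input", "select", "textarea") and self._current_form:
            name = a.get("name")
            if name:
                self.fields.add((self._current_form, name.lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None


def form_fields(html):
    """Return the set of (form_id, field_name) pairs found in an HTML document."""
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def injected_fields(served_html, rendered_html):
    """Fields in the rendered DOM that the server never sent, sorted for stable output."""
    return sorted(form_fields(rendered_html) - form_fields(served_html))


# Constructed login page as the server emitted it.
SERVED = """
<html><body>
<form id="login" action="/auth" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <button type="submit">Sign in</button>
</form>
</body></html>
"""

# Constructed DOM snapshot reported by the client: two extra fields have been
# inserted into the same form, asking for data the bank never requested.
RENDERED = """
<html><body>
<form id="login" action="/auth" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="card_number" placeholder="Card number">
  <input type="password" name="atm_pin" placeholder="ATM PIN">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <button type="submit">Sign in</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    for form_id, field in injected_fields(SERVED, RENDERED):
        print(f"unexpected field '{field}' in form '{form_id}'")
```

This only flags additions; a check of the same shape can report fields that vanished (the inject may also remove warnings or second-factor prompts). Because the reporting script runs in the same browser the malware controls, a clean result proves nothing, while a positive result is a strong signal worth tying to the session and the account.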
Zeus family trojans
Some of the trojans in the Zeus family include Gameover, SpyEye, Ice IX, Citadel, Atmos, Carberp, Bugat, Shylock, Torpig, Panda Banker, Sphinx, and Neutrino.
Zeus linked to ‘Rock Phish group’
In 2009, the Zeus trojan infected nearly 154,000 computers and primarily targeted the United States, followed by Japan, Great Britain, Australia, Canada, Germany, Russia, the Netherlands, Italy, and India.
Initially, Zeus was suspected to be linked to the “Rock Phish” threat group that targets financial institutions across the globe.
Zeus compromised 74,000 FTP accounts
In June 2009, Zeus had compromised over 74,000 FTP accounts on websites of companies such as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.
Zeus trojan linked with Citadel, Atmos, and SpyEye
In 2013, Zeus code was used to develop the Citadel malware. In 2016, researchers analyzed the Atmos malware that targeted banks in France and confirmed that Atmos belongs to the Zeus trojan family.
Slavik, the author of Zeus, promoted his malware on underground forums and sold the Zeus source code to the SpyEye author Gribodemon, aka Harderman.
Trojan.Bolik.1 and CryptoLocker use Zeus
In June 2016, Trojan.Bolik.1 targeted Russian banks. This trojan borrowed its web injection code from Zeus to steal banking credentials. In addition, Zeus has been used to install the infamous CryptoLocker ransomware.
Zeus distributed via phishing emails
In June 2016, a phishing campaign disguised as a shipping notification from FedEx targeted users’ credentials. The phishing emails included a malicious PDF attachment which, when opened, delivered the Fareit malware and the Zeus trojan.
Zeus variant Panda Banker
In 2016, a new variant of the Zeus trojan dubbed ‘Panda’ or ‘Panda Banker’ was spotted targeting online banking services in Europe and North America, including the U.K., Germany, the Netherlands, Poland, Canada, and the U.S. Zeus Panda targets online payments, prepaid cards, airline loyalty programs, online betting accounts, and more.
Panda Banker targets Brazilian banks
After targeting Europe and North America, Zeus Panda shifted its focus to Brazil. In July 2016, Panda targeted Brazilian banks and other online banking services, along with websites of local law enforcement, network security hardware vendors, Brazilian e-commerce loyalty programs, and Boleto payments.
Zeus variant Sphinx
Another new variant of the Zeus trojan dubbed ‘Sphinx’ targeted online banking services and Boleto payments services in Brazil and Colombia.
Zeus distributed via MSG file attachments
In October 2016, a phishing campaign disguised as a tax notification from the Canada Revenue Agency targeted users’ banking credentials. The phishing emails included a malicious MSG file attachment that would download the Terdot downloader, which in turn drops the Zeus trojan.
Floki Bot malware came from Zeus
According to a report published by Cisco Talos and Flashpoint, the Floki Bot malware is based on source code taken from the Zeus trojan. Researchers analyzed Floki Bot and confirmed that it builds on the Zeus source code, which was leaked in May 2011.
Zeus targets Firefox with Mozilla Font Pack
In May 2017, a new social engineering attack targeted Chrome and Firefox users with a fake ‘Chrome font pack’ and ‘Mozilla font pack’. This campaign delivers the Zeus trojan: it lures users to a page that displays an alert stating ‘The HoeflerText font was not found’ and that they need to update the ‘Mozilla Font Pack’. When the user clicks the ‘Update’ button to install the supposed font pack, the Zeus trojan is executed.
Zeus variant Neutrino
In July 2017, another new variant of Zeus dubbed ‘Neutrino’ was spotted stealing credit card information from point-of-sale systems. Zeus Neutrino’s capabilities include downloading files, taking screenshots, searching for processes by name, changing registry branches, scanning infected hosts for files by name, and running proxy commands.
Zeus variants targeted victims during holidays
Zeus Panda targeted online shopping sites for credit card information during the Christmas holidays in 2017.
In January 2018, attackers launched a cyber attack using the official website of a Ukraine-based accounting software developer to distribute a new variant of Zeus over a Ukrainian holiday.
Zeus Panda’s three campaigns
In May 2018, researchers observed three Zeus Panda campaigns. The first campaign targeted cryptocurrency exchanges. The second campaign targeted e-commerce, entertainment, and social media platforms such as Amazon, Facebook, Twitter, Instagram, MSN, Bing.com, YouTube, Flickr, Microsoft, Gmail, Yahoo, and Japanese adult sites. The third campaign targeted financial organizations in the US and Canada, including Wells Fargo and CitiBank.
Zeus Panda spreading via Emotet
In October 2018, Zeus Panda was spotted being distributed via the Emotet banking malware’s distribution platform, targeting victims in the US, Canada, and Japan. Its primary goal was stealing credit card data, bank account information, and online wallets.