The newest version of Zeus has just hit the scenes, and now it’s after your webcam, so says fresh research from the boys down at Kaspersky Lab.
The malware, known as Chthonic, weasels its way onto machines running Windows XP, 7, and 8.1, and hooks into software designed to handle the permissions for your webcam and microphone.
“The attachment contains a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products,” Kaspersky Lab explains. “Once downloaded and running, the malicious code, which contains an encrypted configuration file, injects itself into an msiexec process, and a number of malicious modules are unpacked and installed on the machines.”
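The infection chain quoted above (a booby-trapped RTF opened in Office, followed by code running inside msiexec) is the kind of thing process-creation telemetry can surface. The following detector is an added example, not code from the article or from Kaspersky Lab: it scans constructed, Sysmon-style process-creation records and flags msiexec.exe when it is launched by an Office application, by a parent that does not normally start it, or without any of the usual install switches. The field names, the parent allow-list and the sample records are all assumptions made for the example.

```python
"""
Added example: heuristic detection of suspicious msiexec.exe launches.
Not the article's or Kaspersky's code. Log format, field names and the
allow-lists are assumptions; the sample records are constructed.
"""
import re
from typing import Dict, List, Tuple

# Applications that typically open e-mailed documents such as RTF files (assumption)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}
# Parents that normally start msiexec.exe for legitimate installs (assumption)
EXPECTED_MSIEXEC_PARENTS = {"services.exe", "explorer.exe", "msiexec.exe"}
# Command-line markers of a normal install/uninstall/repair run
INSTALL_SWITCH = re.compile(r"(?i)(^|\s)/(i|x|p|a|f|j|v)\b|\.msi\b|\.msp\b")

# Constructed sample records: 'key=value' pairs separated by '|'
SAMPLE_EVENTS = [
    "ts=2014-12-01T10:02:11|parent=C:\\Windows\\explorer.exe|image=C:\\Program Files\\Microsoft Office\\winword.exe|cmd=winword.exe invoice.rtf",
    "ts=2014-12-01T10:02:14|parent=C:\\Program Files\\Microsoft Office\\winword.exe|image=C:\\Windows\\System32\\msiexec.exe|cmd=msiexec.exe",
    "ts=2014-12-01T11:30:00|parent=C:\\Windows\\System32\\services.exe|image=C:\\Windows\\System32\\msiexec.exe|cmd=msiexec.exe /V",
    "ts=2014-12-01T12:15:42|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\msiexec.exe|cmd=msiexec.exe /i C:\\Users\\a\\Downloads\\tool.msi",
    "ts=2014-12-01T13:05:09|parent=C:\\Users\\a\\AppData\\Local\\Temp\\update.exe|image=C:\\Windows\\System32\\msiexec.exe|cmd=msiexec.exe /qn",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an msiexec.exe launch trips (empty if benign)."""
    hits: List[str] = []
    if basename(ev["image"]) != "msiexec.exe":
        return hits
    parent = basename(ev["parent"])
    if parent in OFFICE_APPS:
        # A document viewer handing off to the Windows Installer is the chain quoted above
        hits.append("office_spawned_msiexec")
    elif parent not in EXPECTED_MSIEXEC_PARENTS:
        hits.append("unexpected_msiexec_parent")
    if not INSTALL_SWITCH.search(ev["cmd"]):
        # msiexec with nothing to install is worth a second look
        hits.append("msiexec_without_install_args")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every record through the rules and return (timestamp, rule) findings."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        for rule in analyse_event(ev):
            findings.append((ev["ts"], rule))
    return findings


if __name__ == "__main__":
    for ts, rule in scan(SAMPLE_EVENTS):
        print(ts, rule)
```

Note the caveat that follows from the article's wording: Chthonic is described as injecting into an msiexec process rather than spawning one, so parent-child rules alone can miss it. Treat these rules as a first triage layer and pair them with telemetry on cross-process memory writes and remote thread creation in msiexec.exe.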
For now it seems the hackers behind Chthonic have been focusing on smaller, local banks in Russia, Japan, UK, Spain, and the US, though Italy and France also looked to be big targets for the financially motivated campaign.
“Chthonic is the next phase in the evolution of ZeuS. It uses Zeus AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the Andromeda downloader – to target ever more financial institutions and innocent customers in ever more sophisticated ways,” he added.
The malware has proven especially hard to detect and root out thanks to a new piece of code that sidesteps detection methods and injects a script making the whole operation look like a glitch in the statements of a single account.
This way, instead of alerting the cybersecurity team, a single banker will simply correct the error manually and continue about their day as if the system had never been compromised in the first place.
“The discovery of Chthonic confirms that the ZeuS Trojan is still actively evolving,” said Yury Namestnikov, senior malware analyst at Kaspersky Lab and one of the researchers who investigated the threat. “Malware writers are making full use of the latest techniques, helped considerably by the leak of the ZeuS source code.”
Luckily, Kaspersky believes that many banks have inadvertently made themselves impervious to Chthonic by changing the way their employees open and read email on the internal system, keeping the two separated from each other.
By splitting personal accounts from those used in a professional setting, Italian and Russian bankers in particular have been able to avoid many of the problems and sinkholes that would otherwise catch them out at the wrong time.
For the general public, however, the prognosis doesn’t look as optimistic. Chthonic can still dig its claws into anyone who opens the infected attachment without scanning it first. From there it can do everything from redirecting them to dodgy phishing sites to creating entirely new webpages designed specifically to lift details off their machine through a sophisticated network of keyloggers and screenshot swipers.
Zeus has proven itself one of the harder nasties to wipe out, constantly being updated, tweaked, and refined to fit the needs of dozens of different criminal gangs for a bevy of clandestine purposes.