Security experts have warned that one of the most notorious malware campaigns of all time could be making a return.
Last December, researchers at Proofpoint noticed email campaigns containing a new version of the infamous Zeus banking malware. Since the new year, the enterprise security firm has traced over 100 such campaigns with recipients in the United States, Canada, Germany, Poland and Australia.
First surfacing in 2006, Zeus uses web injects to steal credentials and other private information from users of targeted financial institutions. The malware can also steal browser-stored passwords and cookies, and uses the Virtual Network Computing (VNC) client it downloads to make illicit financial transactions from the user’s legitimate device.
In a blog post, Proofpoint noted how, like the original, Zloader uses a data structure known as the “BaseConfig” to store its initial configuration. It also deploys several anti-analysis mechanisms to make it hard to detect and reverse-engineer, including junk code, encrypted strings, Windows API function hashing, C&C blacklisting and repetitive obfuscation.
The campaign often uses lures such as warning the user of potential Coronavirus scams, or providing information about testing and treatment centres. They contain downloadable Word files or password-protected Excel sheets containing macros that download and execute the relevant version of Zloader.
Since 2006, 25 versions of the malware have been observed, but the current one appears to be a variation of one of the older versions, rather than the recent one in 2016-18. According to Proofpoint, the Zeus banking malware and its descendants have been a staple of the cyber crime landscape since 2006.