Trend Micro engineer spots Zeus getting a major facelift

According to Jasper Manuel with Trend Micro, he and his team started to see a new generation of modified Zeus code based on the leaked source code. Known as Ice IX, the malware is being promoted as featuring protection from trackers.

“Also, the configuration file cannot be downloaded and analysed if the request is not from the bot, although this has subsequently been shown not to be the case”, says Manuel in his latest security posting.

“Recently, we have received another updated variant (detected as TSPY_ZBOT.IMQU) that we could say belongs to this new generation of Zeus variants. From its code, this sample is possibly generated by Zeus toolkit version 2.3.2.0”, he adds.

Manuel goes on to say that he believes this is a private build of a modified Zeus, created by a professional gang and comparable to the Licat variant of the malware, first seen in September/October of last year, Infosecurity notes.

“Though we have yet to see someone sell this new version of the toolkit on underground forums, we expect that we will see more similar variants which will emerge in the not-so-distant future”, he says.

The Trend Micro threat specialist adds that current Zeus trackers may fail to decrypt its configuration file due to its updated encryption/decryption routine.

It's also worth mentioning, he says, that the new Zeus malware targets a wide selection of financial firms including those in Brazil, the US and several European countries.

“More interestingly, it targets HSBC Hong Kong, which suggests that this new Zeus variant may be used in a global campaign, which may already include Asian countries”, he notes.

“The emergence of these latest Zeus variants clearly implies that Zeus is still a very profitable piece of malware and that cybercriminals are continuously investing in the leaked source code”, he concludes.