Trend Micro is tracking that ZBOT variants surged in the beginning of February and continued to be active up to this month, and peaked during the middle of May. These malware are designed to steal online credentials from users, which can be banking credentials/information or other personally identifiable information (PII).
“What we can learn from ZeuS/ZBOT’s spike in recent months is simple: old threats like ZBOT can always make a comeback because cybercriminals profit from these,” the security firm said in its TrendLabs blog. “Peddling stolen banking and other personal information from users is a lucrative business in the underground market. Plus, these crooks can use your login credentials to initiate transactions in your account without your consent.”
This year’s model is also making some changes. For instance, early-generation ZBOT variants create a folder in a computer's System folder, where they would save the stolen data and configuration file. Users can also find a copy of it there. And, these ZBOT versions modify the Windows hosts file to prevent users from accessing security-related websites.
New ZBOT variants share DNA with Citadel or GameOver variants, and were observed to create two random-named folders in the Applications Data folder. One folder contains the copy of the ZBOT folder while the other contains encrypted data. Unlike earlier version, the mutex name is randomly generated.
Both variants send DNS queries to randomized domain names. The difference in the GameOver variant is that it opens a random UDP port and sends encrypted packets before sending DNS queries to randomized domain names, Trend Micro found.
Users, as always, should be careful in opening email messages or clicking links, and should bookmark trusted sites and avoid visiting unknown ones. In addition, users should always keep systems up-to-date with the latest security releases from vendors and install trusted anti-malware protection.
“In our 2013 Security Predictions, we predicted that cybercrime will be characterized by old threats resurfacing, but with certain refinements and new features in tow,” Trend Micro said. “The 1Q of the year proved this thesis, as seen in threats like CARBERP and Andromeda botnet. We can now include the data-stealing malware ZeuS/ZBOT to this roster of old-but-new threats.”