Zeus Variant Contains Legitimate Certificate

The wrinkle in this version is the combination of a legitimate digital signature, rootkit and malware component.

“Malware with a valid digital signature is an extremely dangerous situation,” said Comodo researchers, in a blog. “A digital signature assures browsers and antivirus systems that a file is legitimate and not a threat. Versions of Zeus have been around for several years, but with a valid digital certificate antivirus systems are much less likely to take action or will give lower levels of warning.”
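The point Comodo makes is that signature validity is not a verdict on intent. The following PowerShell script is an added example for Windows defenders, not code from the article or from Comodo; it inventories Authenticode signatures on executables, re-checks the signer's chain with online revocation, and flags files that are validly signed but by a publisher outside an allow-list, which is exactly the case this variant exploits. The `$ScanPath` default, the `$TrustedPublishers` entry and the `Get-SignerChainStatus` helper are assumptions of this example; the allow-list entry is a placeholder to be replaced with the organisation's own vetted publishers.

```powershell
# Added example (not from the Infosecurity article or Comodo's research):
# treat a "Valid" Authenticode status as one signal, never as a verdict.
# Assumptions: $ScanPath and the allow-list below are placeholders; the
# Get-SignerChainStatus helper is defined here, not a built-in cmdlet.
param(
    [string]$ScanPath = "$env:USERPROFILE\Downloads",
    # Placeholder allow-list of signer subjects (replace with vetted publishers)
    [string[]]$TrustedPublishers = @('CN=Example Publisher, O=Example Corp, C=US')
)

function Get-SignerChainStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Rebuild the signer's chain with online revocation checking explicitly
    # enabled: a signature that looked valid when issued but whose certificate
    # has since been revoked should be surfaced, not silently accepted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($Cert)
    $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    if ($built) { 'ChainOK' } else { "ChainProblem:$problems" }
}

Get-ChildItem -Path $ScanPath -Include *.exe, *.dll, *.scr -Recurse -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $trusted = $TrustedPublishers -contains $subject

    # Classification: a valid signature from a publisher we have not vetted is
    # the situation described in the article and warrants analyst review.
    $verdict = switch ($sig.Status.ToString()) {
        'Valid'     { if ($trusted) { 'signed-by-allowlisted-publisher' } else { 'signed-by-UNVETTED-publisher-review' } }
        'NotSigned' { 'unsigned' }
        default     { "bad-signature:$($sig.Status)" }
    }
    $chainInfo = if ($sig.SignerCertificate) { Get-SignerChainStatus -Cert $sig.SignerCertificate } else { 'n/a' }

    [pscustomobject]@{
        File       = $_.FullName
        SigStatus  = $sig.Status
        Signer     = $subject
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        Chain      = $chainInfo
        Verdict    = $verdict
    }
} | Sort-Object Verdict | Format-Table -AutoSize
```

Pinning trust to the signer's subject (and, in a stricter deployment, the certificate thumbprint) rather than to the bare `Valid` status is the design choice here: it turns "this file is signed" into "this file is signed by someone we have decided to trust", which is the distinction the article says antivirus heuristics were failing to make.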

The Comodo team has found more than 200 unique hits for the variant so far. The perpetrators are casting a wide net, primarily through infected web page components or through email phishing. The phishing emails appear to be from a trusted source, such as a major bank.

As with other Zeus attacks, this variant launches a man-in-the-browser (MitB) attack. The hackers are sent information required to create a remote session where they can see exactly what the victim is doing and interfere with their actions without their knowledge.

“For example, if the attack victim goes to an online banking site to perform a transaction, such as transferring funds, they see everything as occurring normally,” Comodo researchers said. “The payment information they keyed will display as expected, but behind the scenes the hackers will alter the transaction and send it to another account with possibly a larger amount.”

The hackers work with “Money Mules” who establish bank accounts using false credentials and receive a commission for handling ill-gotten gains.

There are three components to this particular attack. The downloader is delivered to the user's system by an exploit or by an attachment in a phishing email, and it fetches the rootkit and the malware component. The malware component is a data stealer: the program that captures valuable user data, login credentials and credit card information that the user keys into a web form. The rootkit hides the installed malware component, protecting it from detection and removal.

“What is alarming about this is that the file is digitally signed with a valid certificate, making it appear trustworthy at first glance,” explained Comodo. “It attempts to trick the user into executing it by presenting itself as some type of Internet Explorer document, including an icon similar to the Windows browser.”
