Cybercriminals using the notorious Zeus crimeware kit have expanded its use beyond the harvesting of banking info to DDoS campaigns and customized attacks on cloud providers, according to a new report.
In a threat advisory with a risk rating of 'high', Akamai company Prolexic explained that although Zeus has become “the most used and most effective crimeware kit ever observed”, up until now it has been mainly used to covertly harvest banking data.
However, the firm warned that cybercriminals are now pairing it with popular DDoS toolkits, such as the Dirt Jumper variant Drive, to launch large-scale DDoS attacks.
Specifically, Zeus is used to build the botnets and then drop the DDoS malware payloads like Dirt Jumper onto infected machines.
“Although Zeus/Gameover version reportedly introduced DDoS capabilities, PLXSert has no evidence that the Zeus framework kit can orchestrate significant DDoS campaigns by itself, but if combined with other DDoS toolkits, the capabilities of the Zeus framework would enable malicious actors to use it as a powerful DDoS botnet builder,” the report said.
The Zeus source code leak has made it possible for the cybercriminal underground to build customized payloads that extend beyond its traditional focus on banking data, Prolexic also claimed.
“The targeting of SaaS/PaaS instances is particularly favoured by criminals because these platforms are a gateway to abuse and allow attackers to exploit cloud vendors that have extensive bandwidth and processing power,” the firm revealed.
Zeus attackers particularly favour webinjects, which are targeted at specific web apps to grab user logins and other useful information.
Prolexic urged organizations to mitigate these new Zeus threats with policies that stress the importance of user education and up-to-date patching. It also argued that follow-up efforts are vital after botnet takedowns to reduce the number of C&C centers.
It warned that Zeus will undergo further customization in the future, including the creation of hybrid payloads from other crimeware toolkits.