A new variant of the Zeus banking trojan has emerged, dubbed Neutrino, which is custom-made to collect credit card information from point-of-sale systems, among other things.
“From time to time authors of effective and long-lived trojans and viruses create new modifications and forks of them, like any other software authors,” said Sergey Yunakovsky, a Kaspersky Lab researcher, in a posting. “One of the brightest examples amongst them is Zeus, which continues to spawn new modifications of itself each year. In a strange way this malware becomes similar to his prototype from Greek mythology.”
Neutrino first takes a long “sleep” before it starts, to avoid AV sandboxes, and then connects to a C&C server. It can download and start files; make screenshots; search processes by name; change register branches; search files by name on infected host and send them to C&C; and run proxy commands.
To steal payment card information, it searches the memory pages of the process, and collects information for strings “Track1” and “Track2”, which mark fields contained in the tracks of the magnetic card stripe.
Kaspersky found that the largest areas of infection are Russia and Kazakhstan—and nearly 10% of infected computers belong to small business corporate customers.
“Despite belonging to an old, well-known and researched family, [Zeus variants] continue to bring various surprises to malware analysts and researchers in the form of atypical functionality or application,” said Yunakovsky. “We can see the same situation with Mirai forks, for example, which generate an enormous count across all platforms and in different species.”
He added, “Generally speaking, all publications of malware source code with good architecture and various functionality will cause interest and attention from malware authors, who will try to use it for nearly all possible ways of illegal money gain. We can assume that right now there may already be new modifications of Neutrino with functionality for crypto-currency mining.”