9 charged for stealing millions of dollars with Zeus Malware

The Zeus malware is one of the most damaging pieces of financial malware in circulation; it has helped its operators infect thousands of business computers and capture passwords, account numbers and other information needed to log into online banking accounts.

The U.S. Department of Justice has unsealed charges against nine alleged cybercriminals for distributing the notorious Zeus malware to steal millions of dollars from bank accounts.

Vyacheslav Igorevich Penchukov, Ivan Viktorvich Klepikov, Alexey Dmitrievich Bron, Alexey Tikonov, Yevhen Kulibaba, Yuriy Konovalenko, and John Does are charged with devising and executing a scheme and artifice to defraud Bank of America, First Federal Savings Bank, First National Bank of Omaha, Key Bank, Salisbury Bank & Trust, Union Bank and Trust, and United Bankshares Corporation, all of which were depository institutions insured by the Federal Deposit Insurance Corporation.

They are also accused of using Zeus, or Zbot, computer intrusion, malicious software, and fraud to steal or attempt to steal millions of dollars from several bank accounts in the United States and elsewhere.

It has also been reported that the defendants and their co-conspirators infected thousands of business computers with software that captured passwords, account numbers, and other information necessary to log into online banking accounts, and then used the captured information to steal millions of dollars from the account-holding victims' bank accounts.

Account-holding victims include Bullitt County Fiscal Court, Doll Distributing, Franciscan Sisters of Chicago, Husker Ag, LLC, Parago, Inc., Town of Egremont, and United Dairy...


They have also been given notice by the United States of America that, upon conviction of any defendant, a money judgment may be imposed on that defendant equal to the total value of the property subject to forfeiture, which is at least $70,000,000.00.

The United States of America has also requested that trial of the case be held at Lincoln, Nebraska, pursuant to the rules of this Court. The Metropolitan Police Service in the U.K., the National Police of the Netherlands’ National High Tech Crime Unit and the Security Service of Ukraine are assisting the investigation.

Variant of Zbot makes money for cybercriminals via pay-per-click ads


Zeus (Zbot), the notorious Trojan known for stealing online banking login credentials, continues to evolve.

A new variant spotted by Trend Micro security researchers does something entirely different from other variants: it displays websites containing advertisements.

Every time the user tries to do something on the infected machine, these websites take over the entire screen, preventing the user from accessing other windows or files.

Even though the victim can reach the desktop by pressing the 'show desktop' shortcut (Win+D), the websites are still displayed in the background.

"It should be noted that the sites being displayed are all legitimate–running from gaming sites, ticketing sites, music sites to search engines," the researcher said.

"Users can actually navigate these displayed sites. One curious feature of this malware is that it also performs various mouse movements and scrolling when the mouse is idle."

Interestingly, this variant doesn't include a module to steal banking credentials. However, it still achieves the ultimate goal behind credential theft: making money for cybercriminals.

64-bit version of notorious Zeus Trojan spotted by Kaspersky


As more people switch to 64-bit versions of operating systems, cybercriminals have also started writing malware that is compatible with 64-bit systems.

It is not surprising to see the world's most notorious banking Trojan, Zeus, also come up with new variants supporting 64-bit systems.

Security researchers at Kaspersky spotted a 32-bit variant of the Zeus malware that contains a 64-bit version. The researchers say the 64-bit variant has already been in the wild since around June, with a compilation date in April 2013.

This new variant has the ability to communicate with its command and control (C&C) server via the Tor network.

The number of 64-bit users compared to 32-bit users is very low. So what is the need for developing 64-bit variants?

Researchers believe it might be a marketing technique to attract buyers, or groundwork for some future need.

Opera internal network hacked, thousands of users hit with malicious updates

Hackers breached Opera's internal network infrastructure and managed to compromise an expired Opera code-signing certificate.

The cybercriminals used the certificate to sign their malware and distributed the malicious software to thousands of Opera users through the browser's automated update function.

The malware is currently detected by half of the antivirus engines used by the VirusTotal scanner. According to the VirusTotal report, the malware appears to be the Zeus Trojan.


The malware is able to steal stored credentials from browsers and clients including Opera, Thunderbird, Chrome, Firefox and FileZilla, according to Avira's malware report. It also downloads additional malware files.

Opera users are advised to update to the latest version of Opera as soon as it is released.

According to the official blog post, the organization learned of the security breach on June 19th. The company claimed that its systems have been cleaned and that there is no evidence user data has been compromised.

#Eurograbber Campaign - Trojan steals $47 Million from 30k European Bank accounts

Eurograbber Banking Trojan

A highly sophisticated cybercriminal campaign, dubbed "Eurograbber", enabled criminals to steal more than $47 million (€36 million) from more than 30,000 corporate and individual bank accounts across Europe.

The finding comes from a case study published by security firm Check Point and online fraud prevention provider Versafe.

According to the case study, the attack began in Italy, and soon after, tens of thousands of infected online bank customers were detected in Germany, Spain and Holland.

The campaign starts when a victim unknowingly clicks a malicious link in a spam email, or possibly through general web surfing. Clicking the link directs them to a site that attempts to drop the banking Trojan, malware that steals bank login credentials.

The next time the victim logs in to their bank account, the Trojan intercepts the session and displays a fake banking page that informs the customer of a "security upgrade" and instructs them on how to proceed.

The page asks the user to enter their smartphone OS and phone number. Once the victim provides the phone details, the Eurograbber Trojan sends an SMS with a link to fake "encryption software", which is in fact the "Zeus in the mobile" (ZITMO) malware.

Once Eurograbber is installed on both the victim's PC and smartphone, the Trojan lies dormant until the next time the customer accesses their bank account. When the victim logs in, it immediately transfers the victim's money to the criminals' account.

The Trojan then intercepts the confirmation text message sent by the bank, forwarding it to the C&C server via a relay phone number. The server uses the message to confirm the transaction and withdraw the money.

ZeuS 2.x comes with Ransomware Feature

The recent popularity of ransomware has resulted in an unexpected malware combination. F-Secure researchers have recently spotted a new Zeus 2.x variant that includes a ransomware feature.

When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs.com/locker/lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it's currently unavailable because the site is offline.

The most straightforward way to unlock the system is to simply delete the Trojan. This can be a bit tricky, since the Trojan prevents doing anything with the infected system; luckily, the locking itself can be easily disabled first.

After disassembling the malware, the researchers found that the unlock information is stored in the registry, so it is possible to unlock the system without paying the ransom.

Part of the disassembled code

Unlocking can be performed quite easily with a registry editor:

1. boot the system in safe mode
2. add a new key named syscheck under HKEY_CURRENT_USER
3. create a new DWORD value under the syscheck key
4. set the name of the new DWORD value to Checked
5. set the data for the Checked value to 1
6. reboot
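The same six steps, written as a defender-side PowerShell script rather than manual registry edits. This is an added example, not code from the original post or from F-Secure: the key and value names (HKCU\syscheck, DWORD "Checked" = 1) are exactly those the write-up gives, while the function names are this script's own. It creates the key only if it is missing, supports -WhatIf for a dry run, and verifies the value before you reboot.

```powershell
# Added example: apply and verify the unlock flag described in the F-Secure
# write-up for this Zeus 2.x locker variant. Run in Safe Mode (step 1) in the
# context of the locked user, then reboot (step 6) and remove the trojan.

function Set-ZeusLockerUnlockFlag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Registry path and value from the write-up; parameterised only so a
        # lab can point the function at a test hive.
        [string]$KeyPath = 'HKCU:\syscheck',
        [string]$ValueName = 'Checked'
    )

    # Step 2: create the syscheck key under HKEY_CURRENT_USER if absent.
    if (-not (Test-Path -Path $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }

    # Steps 3-5: create the DWORD value named Checked and set it to 1.
    # -Force overwrites an existing value of the same name.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD value to 1')) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-ZeusLockerUnlockFlag {
    param(
        [string]$KeyPath = 'HKCU:\syscheck',
        [string]$ValueName = 'Checked'
    )
    # Returns $true only when the key exists and Checked is exactly 1.
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ([int]$item.$ValueName -eq 1)
}

# Usage: preview with "Set-ZeusLockerUnlockFlag -WhatIf", then apply for real.
Set-ZeusLockerUnlockFlag -Verbose
if (Test-ZeusLockerUnlockFlag) {
    Write-Output 'Unlock flag set (HKCU\syscheck\Checked = 1). Reboot, then delete the trojan.'
} else {
    Write-Warning 'Unlock flag not set; check permissions or add the value manually with the registry editor.'
}
```

Because the value lives under HKEY_CURRENT_USER, it has to be written in the profile of the user whose session is locked, which is why the script is meant to be run after logging into Safe Mode as that user. Setting the flag only disables the locker; the Trojan itself still has to be removed afterwards, as the write-up notes.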


Trojan Neloweg operates similarly to Zeus and steals bank details

Symantec researchers are currently tracking a banking Trojan called Trojan.Neloweg. According to their research, the threat has been localized to Europe. The Trojan steals the login credentials of infected users, including banking data.

Neloweg operates similarly to the notorious banking Trojan Zeus. Like Zeus, Trojan.Neloweg can detect which site it is on and add custom JavaScript. But while Zeus uses an included configuration file, Trojan.Neloweg stores this configuration on a malicious web server.

Once a particular banking page has been matched, Trojan.Neloweg covers part of the page in white, using a hidden DIV tag, and executes custom JavaScript located on the malicious server.

Neloweg infection

The browser of an infected system can function like a bot and accept commands. It can process the content of the current page, redirect the user, halt the loading of particular pages, steal passwords, run executables, and even kill itself. Unfortunately, the kill function is a bit excessive: it deletes critical system files, which in turn prevents users from logging in properly.

Citadel banking Trojan developed as open-source malware

A few weeks ago, security researcher Brian Krebs reported on the Citadel Trojan, a new variant of the Zeus banking Trojan. According to Seculert's analysis, the malware authors created a social network that enables Citadel customers to suggest new features and modules for the malware, report bugs and other errors in the system, and comment on and discuss related issues with fellow customers.

"Seculert's Research Lab discovered the first indication of a Citadel botnet on December 17th, 2011," Seculert posted in their blog. "The level of adoption and development of Citadel is rapidly growing, and since then Seculert has identified over 20 different Citadel botnets."

Each version of the malware added new modules and features, some of which were submitted by the Citadel customers themselves.

They have included the following features in their malware: AES encryption, avoiding tracker detection, a blacklist of security vendor websites, and trigger-based video recording.

Similar to legitimate software companies, the Citadel authors provide their customers with a user manual, release notes and a license agreement.

"By looking at the developments in the software world, the open-source model may be well accepted in the cybercrime ecosystem as well," Seculert wrote. Seculert believes that the success of this Trojan could drive other malware writers to adopt the open-source model.

New Variant of Zeus Malware "Game Over" delivered via Phishing Emails

A spam email purporting to be from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC) claims there is a problem with a recent transaction. If the recipient needs help, the mail asks them to visit a link. The link leads to a phishing page, and once the recipient visits it, the page downloads the "Game Over" malware and infects the victim's system without their knowledge.

The malware is a newer variant of Zeus that steals confidential banking data. Not only does it steal data, it also turns the computer into a botnet slave. A botnet slave can be used to attack a website with a distributed denial of service (DDoS).

According to an FBI report, the attackers used the stolen bank information to purchase precious stones and expensive watches from high-end jewelry stores.

"The criminals contact these jewelry stores, tell them what they’d like to buy, and promise they will wire the money the next day. So the next day, a person involved in the money laundering aspect of the crime—called a “money mule”—comes into the store to pick up the merchandise. After verifying that the money is in the store’s account, the jewelry is turned over to the mule, who then gives the items to the organizers of the scheme or converts them for cash and uses money transfer services to launder the funds," the report says.

The FBI sees an increasing number of unsuspecting mules, hired via “work at home” advertisements, who end up laundering some of the funds stolen from bank accounts. The cybercriminals send email to people searching for online jobs. The hired employees are provided long and seemingly legitimate work contracts and actual websites to log into. They’re instructed to either open a bank account or use their own bank account in order to receive funds via wire and ACH transactions from numerous banks…and then use money remitting services to send the money overseas.

If you think you’ve been victimized by this type of scheme, contact your financial institution to report it, and file a complaint with the FBI’s Internet Crime Complaint Center.

New Variant of Ramnit Worm hijacks 45,000 Facebook Accounts

A worm called Ramnit has recently started targeting Facebook accounts with considerable success, stealing over 45,000 Facebook login credentials, Seculert researchers report.

Ramnit in the past:
This worm was discovered in April 2010; at first it infected Windows executables as well as HTML files. It also steals sensitive information such as stored FTP credentials and browser cookies.

In July 2011, a Symantec report found that the Ramnit worm was responsible for 17.3% of all new malicious software infections.

In August 2011, Trusteer described Ramnit as a "hybrid creature" that combines Ramnit's infection capabilities with the financial data-sniffing capabilities of Zeus (Ramnit+ZeuS).

According to their report, around 800,000 machines were infected with Ramnit from September to the end of December 2011.

Recent attack:
Recently, a new 'financial' Ramnit variant has been aimed at stealing Facebook login credentials worldwide, mostly from people in the UK and France. Since the Ramnit Facebook command and control (C&C) URL is visible and accessible, researchers were able to determine the precise number of Facebook victims it has claimed so far.
Ramnit.C Facebook Infection Distribution By Country

Cybercriminals will try to use these stolen accounts to spread the worm on Facebook. Seculert has provided Facebook with all of the stolen credentials that were found on the Ramnit servers.