Detected 64 bit ZeuS banking trojan using Tor network

10:00 ET, 13 December 2013

Security researchers at Kaspersky Lab have detected a 64-bit Zeus banking trojan version enhanced with communication capability on the Tor network.

Is Zeus banking trojan dead? Absolutely no! Periodically security experts found new a variant that includes new features to make it more resilient and able to spread itself via social networks. Last variant was detected by researchers at Kaspersky Lab who discovered a 64-bit Zeus banking Trojan.

The instance detected using web injects to steal banking credentials, it is also able to steal digital certificates and implements a keystrokes feature.

The authors, following a recent trend, have also implemented a communication mechanism with C&C server over the Tor network to make hard for law enforcement and security firms its tracking.

The 64-bit version of Zeus banking trojan executes Tor component starting the svchost application in suspended mode and then injecting the Tor code into that process running it in stealth mode. Malicious traffic it that routed through TCP port 9050 and the stolen data are sent to the onion domain with address egzh3ktnywjwabxb[.]onion.

The Zeus banking trojan has maintained its way to steal user’s credentials, it still implements a classic man in the browser attack hooking into a user’s browser via a number of malicious Web injects that trigger when a victim accesses to its online banking account. Zeus banking trojan is able to capture the user’s credentials and sends them to the C&C server.

The 64-bit Zeus banking Trojan was expecting, but it is considered in advance, because less than 1% of IE users runs 64-bit OS version and anyway almost of them running 32-bit browsers.

“That’s because cybercriminals don’t actually need a 64-bit version. ZeuS is mostly intended to intercept data passing through browsers, and modify that data allowing the operator to steal information related to online banking, to wire transactions or to cover his tracks. But nowadays people still use 32-bit browsers – even on 64-bit operating systems. So, 32-bit versions of ZeuS have been sufficient to keep the thieves satisfied with their earnings.” states the blog post written by Dmitry Tarakanov

The researcher believes that the 64-bit Zeus banking Trojan is more a marketing action that a real need for cybercrime ecosystem.

“Support for 64-bit browsers—a great way to advertise the product and to lure buyers—the botnet herders.”

The 64 bit variant of the popular Zeus malware is anyway considerable as a natural evolution of the malicious agent that has accelerated since his code was publicly released in 2011.

“a pure 64-bit Zeus does finally exist, and we can conclude that a new milestone in the evolution of Zeus has been reached,” Tarakanov said.

Tarakanov revealed that the Kaspersky Lab team spotted the 64-bit Zeus sample in June and that the compile date of the source code was April 29th.

The new version of the Zeus banking trojan is able to trigger its execution after one program within a list of 100 predefined application is started.

“There are different types of programs, but all of them contain valuable private information that cybercriminals would love to steal—login credentials, certificates and so on,”  “So when operating inside these programs, Zeus is able to intercept and forward a lot of valuable information to the botnet operator.”

Another peculiarity of the malware is that it instantiates a hidden service that creates a configuration file for any victims that includes unique private key for the service and an exclusive domain, the feature allows the botmaster to control the architecture via Tor.

Zeus banking trojan and alive and is in excellent health!

Pierluigi Paganini

(Security Affairs –  Zeus Banking Trojan, malware)