Resurgence of Zeus

News, Malware, Botnet, Threat Intelligence. Mjolnir Security, August 3, 2019

Background

Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on various versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.

In a blog post published on November 2, 2017, Cisco Talos Intelligence described a Zeus Panda campaign with an unusual delivery method (see the reference below).

It has become common for users to simply google anything they do not know, and a quick search turns up something on almost any topic. Search results, however, are not guaranteed to be safe. The threat actors behind this campaign took advantage of that habit by using what is popularly known as black hat search engine optimization (SEO) to push their malicious links up the search results and so deliver the Zeus banking Trojan. By poisoning the results for specific banking-related keywords, the attackers were able to target specific users in a novel fashion.

By targeting primarily financial-related keyword searches and ensuring that their malicious results are displayed, the attacker maximizes the conversion rate of the infections: a user who was searching for a banking term can be expected to use financial platforms regularly, so the attacker quickly obtains credentials, banking and credit card information, and so on.

In the course of a recent incident response investigation for a client, we found active Zeus C&C connection requests going to their infrastructure. Over the past 30 days they had over 45k connections, 15k of them in the last 5 days alone.

We have built an active tracker that shows counts as well as the live C&C addresses for the last 7 days as we continue to investigate. The header image shows the infections we have seen to date.
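The two paragraphs above describe counting C&C connection attempts over a 30-day period and a trailing window, and tracking which C&C addresses are active. The Python script below is an added example, not the tracker from this post nor any Mjolnir Security code, of how such counts can be produced from proxy logs and an indicator list such as the CSV linked further down. The two-column CSV layout, the proxy log format, and every domain, IP address and timestamp in it are constructed for illustration (the domains use the reserved .invalid TLD), so the script runs offline.

```python
"""Match proxy log destinations against a C&C indicator list and count hits.

Added example, not the tracker from the post. The indicator CSV layout, the
proxy log format, and every domain, IP and timestamp below are constructed
for illustration (domains use the reserved .invalid TLD).
"""
import csv
import io
from collections import Counter
from datetime import date, datetime, timedelta
from urllib.parse import urlsplit

# Constructed indicator list; assumed to be a CSV with a 'domain' column.
IOC_CSV = """domain,first_seen
panda-update.invalid,2018-06-12
secure-bank-login.invalid,2018-07-03
"""

# Constructed proxy log: "<ISO timestamp> <src_ip> <method> <url> <status>".
PROXY_LOG = """2019-07-29T08:12:01Z 10.1.4.22 POST http://panda-update.invalid/gate.php 200
2019-07-29T08:15:44Z 10.1.4.22 GET http://www.example.com/ 200
2019-07-30T09:01:10Z 10.1.7.9 POST http://panda-update.invalid/gate.php 200
2019-08-01T11:30:05Z 10.1.4.22 POST http://secure-bank-login.invalid:8080/gate.php 403
2019-08-02T07:45:59Z 10.1.9.3 POST http://PANDA-UPDATE.invalid/gate.php 200
2019-08-02T07:46:02Z 10.1.9.3 GET http://intranet.example/ 200
2019-08-02T10:00:00Z 10.1.4.22 POST http://cdn.panda-update.invalid/gate.php 200
this line is malformed
"""


def load_iocs(text):
    """Return indicator hostnames normalised to lower case without a trailing dot."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["domain"].strip().lower().rstrip(".") for r in rows if r.get("domain")}


def matched_indicator(host, iocs):
    """Return the indicator that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    if host in iocs:
        return host
    for ioc in iocs:
        if host.endswith("." + ioc):
            return ioc
    return None


def match_log(log_text, iocs):
    """Yield (timestamp, src_ip, indicator) for each log line hitting an indicator."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than abort the whole run
        ts, src, _method, url, _status = parts[:5]
        host = urlsplit(url).hostname or ""  # strips scheme, port and path
        ioc = matched_indicator(host, iocs)
        if ioc:
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, ioc


def summarize(matches, today, window_days):
    """Count hits per day and per indicator, plus hits in the trailing window.

    A hit is in the window if its date is after today - window_days, so
    window_days=5 on 2019-08-03 covers 2019-07-30 through 2019-08-03.
    """
    cutoff = today - timedelta(days=window_days)
    per_day, per_ioc, sources = Counter(), Counter(), set()
    window_total = 0
    for ts, src, ioc in matches:
        d = ts.date()
        per_day[d.isoformat()] += 1
        per_ioc[ioc] += 1
        sources.add(src)
        if d > cutoff:
            window_total += 1
    return {
        "total": sum(per_day.values()),
        "window_total": window_total,
        "per_day": dict(per_day),
        "per_indicator": dict(per_ioc),
        "infected_hosts": sorted(sources),
    }


def run_example(today=date(2019, 8, 3), window_days=5):
    """Run the matcher over the constructed log with a 5-day trailing window."""
    return summarize(match_log(PROXY_LOG, load_iocs(IOC_CSV)), today, window_days)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The match is on the destination hostname only, so it also catches subdomains of an indicator and ignores case, port and path; on a real proxy this means logging CONNECT requests so that TLS destinations are visible, and the same hostname extraction can be pointed at DNS query logs when proxy logs are not available.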

We will keep updating as we learn more.

Reference: http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html

Infected domains here: https://github.com/securitywarrior/indicators-of-compromise/blob/master/zeus-ioc-June2018-Sep2018.csv

Written by: Mjolnir Security
