According to foreign media reports on January 6, hackers abused the official website of the Ukrainian accounting software developer Crystal Finance Millennium (CFM) to distribute malware, including a new variant of the Zeus banking Trojan. Cisco Talos said the malware was delivered through a downloader attached to spam emails and has spread widely.
The attack occurred around the Ukrainian Independence Day holiday in August 2017, when Ukrainian authorities and enterprises received cyber-attack alerts from the local security company ISSP. A domain name used to host the malware was linked to the website of the Ukrainian accounting software developer CFM. Not only that, the attackers also used the CFM website to spread the PSCrypt ransomware, malware that targeted Ukrainian users last year. Fortunately, in this attack the hackers did not compromise CFM's update server and did not achieve the same level of access seen in the earlier Nyetya campaign.
In this attack, the malicious email carries an archive containing a JavaScript file that serves as the malware downloader. Once the file is opened, the JavaScript executes and causes the system to retrieve the malware payload. After it runs, the Zeus banking Trojan infects the system.
[Figure: Cisco Talos statistics on systems affected by the new variant of the Zeus banking Trojan]
Since the source code of Zeus Trojan 2.0.8.9 was leaked in 2011, other threat actors have drawn on that malicious code and incorporated it into several other banking Trojans. Researchers found code reuse between the malware distributed in this campaign and the leaked Zeus source code:
Once executed on the system, the malware performs a number of checks to determine whether it is running in a virtual sandbox environment. If it does not detect a sandbox, it takes steps to establish persistence on the infected system: the malware creates a registry entry so that the malicious code is executed each time the infected device restarts. Once the system is infected, the malware attempts to contact several different C&C servers.
The researchers said most of the infected systems are in Ukraine and the United States, with customers of the ISP PJSC Ukrtelecom, which falls under the jurisdiction of the Ministry of Transport of Ukraine, the worst affected. The impact reached 3115 unique IP addresses, with 11,925,626 beacons observed, showing the scale of the malware.
Researchers say more and more attackers are trying to abuse trusted software makers as a means of gaining a foothold in target environments. As organizations deploy more effective security controls to protect their network environments, attackers keep refining their attack methods.
Source: IBTimes