CyberCrimeSecuritySecurity ManagementVirus

Zeus Banking Trojan Returns To Snatch Passwords And Credentials

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Follow on:

The trojan used web injection to sneakily snatch credentials imputed into fake forms

A banking trojan based on the source code of the infamous Zeus malware has been discovered by cyber security specialists Dr Web.

Dubbed Trojan.PWS.Sphinx.2, the trojan’s main purpose it to inject malicious content into webpages, for example a fake form for inputting login and password details in order for cyber criminals to secretly harvest useful credentials for people browsing the web.

The main targets of the Trojan.PWS.Sphinx.2 appear to be websites providing banking services and credit services, where there is value in the data that can be snatched by cyber crooks.

Zeus 2.0

Zeus Trojan Monitor“Once launched, Trojan.PWS.Sphinx.2 injects itself into the Explorer (explorer.exe) running process and decrypts the loader body and the configuration file in which the C&C server’s address and encryption key are hidden,” said DR Web’s threat post.

“Trojan.PWS.Sphinx.2 has a modular architecture: it requests additional plug-ins from the cybercriminals’ server. Two of these modules are designed to perform web injects on 32- and 64-bit versions of Windows, and the other two are for running a VNC server the cybercriminals can use to connect to an infected computer.

“In addition, Trojan.PWS.Sphinx.2 downloads and saves on the infected computer a set of utilities for installing a root digital certificate that can be used by cybercriminals to carry out MITM (man-in-the-middle) attacks. Moreover, the Trojan has a grabber—a module that intercepts data entered by the user into various forms and then sends it to the cybercriminals.”

Through the use of PHP script and a PHP interpreter the Trojan.PWS.Sphinx.2 can automatically launch itself on an infected computer and put script into the system’s autorun folder. Information for the trojan’s operation is encrypted and stored in the Windows system registry while the module it uses are saved to a separate file with a random extension, also encrypted, which could prove challenging to natively detecting the malicious code.

There seems ot be a disturbing amount of malware making a come back of late, including the Moke malware which managed to make the jump from Windows and Linux machines to Mac OS X, and the rise of Xagent which also worked to target Apple’s Macs.

How much do you know about hackers? Take our quiz!