The ZeuS (Zbot) Trojan is rated as a very dangerous piece of financial malware. Zbot steals critical system information, sensitive banking details and online credentials. Since the ZeuS source code was leaked in 2011, many variants of ZeuS have been developed and used in numerous cyber attacks.
In the latest wave of attacks, the banking Trojan has been combined with the Terdot Zloader downloader to carry out Man-in-the-Middle (MITM) attacks against browsers, modifying web content and spying on users.
The initial infection of a device takes place when a malicious email attachment drops the Terdot Zloader/Zbot. This combination has been distributed through the exploit kit known as SundownEK. The exploit injects a downloader that compromises the Windows Program Manager. The downloader then establishes communication with a command and control (C&C) server and downloads a DLL-based bot component that infects the browsers and the Windows Installer program. Communication between websites and the browser normally takes place through TCP sockets; the Terdot Zloader/Zbot inserts itself into this path and abuses a legitimate certificate application (Microsoft's certutil, described below) to unleash a Man-in-the-Browser attack, which is a form of MITM attack.
The Zbot banking Trojan spies on users and can also modify web content inside the browser. It is considered the most dangerous financial malware seen so far. In the 2017 attack, it carried built-in code targeting banking and financial websites such as PayPal and HSBC.
The malware displays web fakes that fool the visitor into believing the website is genuine. And that is not all: it also conducts a "fileless" attack. It downloads the genuine Microsoft certutil program, which can generate and install fraudulent security certificates, duping visitors into believing that the connection between the website and the browser is secure.
When a user visits a financial website over HTTPS, the browser will show a certificate, but it will not be the genuine one: it will be the fraudulent certificate. The dangerous part is that the fraudulent certificate lists a legitimate domain, while its issuer is either not a legitimate certificate authority or does not exist at all. It used to be easy to view the SSL certificate details and the issuer; some browsers now make this very difficult for the average user.
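The symptom just described (a certificate that names the right bank domain but comes from an issuer the bank never uses) can be checked programmatically. The following is an added example, not code from the original article: a small Python checker that works on the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. The issuer allowlist and both sample certificates are constructed for illustration and are not real PayPal data.

```python
"""Flag TLS certificates whose subject matches the expected bank domain but whose
issuer is not a CA that domain is known to use (the Terdot/Zbot MITB symptom)."""

# Constructed allowlist of issuer organisations per registrable domain. In a real
# deployment this would be built from certificate chains seen on clean machines.
EXPECTED_ISSUER_ORGS = {
    "paypal.com": {"Example Trusted CA Inc"},
    "hsbc.com": {"Example Trusted CA Inc", "Another Real CA Ltd"},
}


def name_attrs(rdn_sequence):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into a plain dict."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}


def cert_names(cert):
    """All DNS names the certificate claims: SAN entries, with CN as fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = name_attrs(cert.get("subject", ())).get("commonName")
    return names or ([cn] if cn else [])


def name_matches(pattern, host):
    """RFC 6125-style match: exact, or a single-label wildcard like *.paypal.com."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def classify(cert, host):
    """Return 'ok', 'hostname-mismatch' or 'suspicious-issuer' for a visited host."""
    if not any(name_matches(n, host) for n in cert_names(cert)):
        return "hostname-mismatch"           # ordinary bad cert; the browser warns anyway
    domain = ".".join(host.split(".")[-2:])  # crude registrable-domain guess (assumption)
    issuer_org = name_attrs(cert.get("issuer", ())).get("organizationName", "")
    if domain in EXPECTED_ISSUER_ORGS and issuer_org not in EXPECTED_ISSUER_ORGS[domain]:
        return "suspicious-issuer"           # right domain, wrong CA: the MITB signature
    return "ok"


# Constructed sample certificates in getpeercert() shape (not real certificates).
GENUINE = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA Inc"),),
               (("commonName", "Example Trusted CA TLS"),)),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}
FORGED = {  # what a certutil-installed fake root would let the Trojan present
    "subject": ((("commonName", "*.paypal.com"),),),
    "issuer": ((("organizationName", "Totally Legit Root CA"),),),  # nonexistent CA
    "subjectAltName": (("DNS", "*.paypal.com"),),
}
```

On a live connection the dict comes from `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()`; a rogue root installed with certutil would pass the OS trust check, which is exactly why the issuer comparison here adds value.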
The Terdot Zloader/Zbot is without doubt a very dangerous piece of malware. The complete source code of the ZeuS crimeware kit is available on numerous underground forums, which has allowed cyber criminals to make it more potent, adding capabilities to launch various types of MITM attacks.