A better, stronger version of a widely used trojan has surfaced, and it seems to have Canadian users in its sights. The latest variant of ZeuS specifically targets Canadian financial institutions, seeking to gather the financial information of Canadian citizens. The new variant has been nicknamed “Maple” to reflect its targets of choice.
As reported in SC Magazine, Trusteer, an IBM company, says that criminals have used the trojan to attack 14 leading financial institutions in Canada since January.
Maple is nothing if not resilient. Its new capabilities include “re-patching,” which restores web-injection functionality in order to steal financial data from web browser sessions – even after the malware has been detected by security programs. It also has anti-debugging features that employ a packer written in Visual Basic, which is “notoriously complex to debug,” according to a blog posting by Dana Tamir, Trusteer’s director of enterprise security.
“In addition, to prevent malware researchers from debugging the malware, ZeuS.Maple checks the value of two known Windows flags: PEB!IsDebuggedFlag and PEB!NtGlobalFlags,” Tamir wrote. “The code section that checks the flag value seems to be absent at first glance, but ZeuS.Maple unpacks this code section right before it uses it.”
If the two Windows flags aren’t raised, users can’t get into debug mode, Tamir said. “You have to crack that in order to get into a mode that allows you to research the malware. They are putting in hurdles specifically designed to keep malware researchers from looking at what the malware is actually doing.”
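The PEB flag check Tamir describes, as an added analyst-side example (not Trusteer’s or the malware’s code): a Python heuristic that scans x86 code for a PEB load followed by a read of BeingDebugged (the field the quote calls IsDebuggedFlag) or NtGlobalFlag, using the documented 32-bit PEB offsets. The sample bytes are constructed, and because Maple unpacks this section only right before using it, the scan belongs on a post-unpack memory dump rather than the packed file on disk.

```python
import re

# Documented 32-bit PEB field offsets (x64 offsets differ and are not handled here).
PEB_BEING_DEBUGGED = 0x02   # PEB!BeingDebugged, set while a debugger is attached
PEB_NT_GLOBAL_FLAG = 0x68   # PEB!NtGlobalFlag, heap-debug bits set under a debugger
FIELD_NAMES = {PEB_BEING_DEBUGGED: "BeingDebugged", PEB_NT_GLOBAL_FLAG: "NtGlobalFlag"}

# "mov eax, fs:[0x30]" (64 A1 30 00 00 00) or "mov reg, fs:[0x30]" via ModRM
# (64 8B /r with a disp32 of 0x30): the x86 idiom for fetching the PEB pointer.
PEB_LOAD = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")

# Any ModRM with mod=01 (register base + disp8) whose disp8 is one of the two flags.
FIELD_ACCESS = re.compile(rb"[\x40-\x7F]([\x02\x68])")


def find_peb_debug_checks(code: bytes, window: int = 32) -> list[tuple[int, str]]:
    """Return (offset_of_peb_load, field_name) for every PEB load that is followed,
    within `window` bytes and before the next PEB load, by a disp8 access to
    BeingDebugged or NtGlobalFlag. Heuristic only: no full disassembly is done."""
    loads = list(PEB_LOAD.finditer(code))
    hits = []
    for i, m in enumerate(loads):
        end = m.end() + window
        if i + 1 < len(loads):
            end = min(end, loads[i + 1].start())   # stop at the next PEB load
        region = code[m.end():end]
        seen = set()
        for f in FIELD_ACCESS.finditer(region):
            name = FIELD_NAMES[f.group(1)[0]]
            if name not in seen:                    # one report per field per load
                seen.add(name)
                hits.append((m.start(), name))
    return hits


# Constructed sample of an unpacked anti-debug stub (not bytes from ZeuS.Maple):
#   mov eax, fs:[0x30] / movzx eax, byte ptr [eax+2] / test eax, eax / jnz +0x10
#   mov eax, fs:[0x30] / mov eax, [eax+0x68] / test eax, 0x70 / jnz +8 / ret
SAMPLE_STUB = bytes.fromhex("64A130000000 0FB64002 85C0 7510 64A130000000 8B4068 A970000000 7508 C3")

# Constructed benign control: loads the PEB only to read ImageBaseAddress (offset 8).
SAMPLE_BENIGN = bytes.fromhex("64A130000000 8B4008 C3")

if __name__ == "__main__":
    for off, field in find_peb_debug_checks(SAMPLE_STUB):
        print(f"PEB load at +0x{off:x} reads PEB!{field}")
    print("benign hits:", find_peb_debug_checks(SAMPLE_BENIGN))
```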
Maple also encrypts its malware configuration (which is stored in the Windows Registry) with the AES-128 encryption spec, and attempts to make the malicious executable appear legitimate to security scanners by obscuring it in a new Windows installation path.
“The ZeuS.Maple variant provides an interesting example of new and improved methods used by malware developers to bypass automated security controls as well as human malware researchers,” Tamir wrote in her blog post. “We expect this trend to continue as we find more sophisticated, stealthy variants of Zeus targeting specific geographical regions.”
Trusteer didn’t look at how Maple was being spread to Windows users, but two likely avenues are drive-by download or phishing emails.
In addition to harvesting financial data – the purpose for which the malware was originally developed – ZeuS has added other capabilities over the years, including the ability to deliver distributed denial-of-service (DDoS) attacks, cryptocurrency mining and the delivery of email spam.