Skip to main content
Customer Support Customer Support

Chthonic: a New Modification of ZeuS

  • December 18, 2014
  • 1 reply
  • 7 views
Jasper_The_Rasper
Moderator
Forum|alt.badge.img+54
By Yury Namestnikov, Vladimir Kuskov, Oleg Kupreev on December 18, 2014
 
In the fall of 2014, we discovered a new banking Trojan, which caught our attention for two reasons:
  • First, it is interesting from the technical viewpoint, because it uses a new technique for loading modules.
  • Second, an analysis of its configuration files has shown that the malware targets a large number of online-banking systems: over 150 different banks and 20 payment systems in 15 countries. Banks in the UK, Spain, the US, Russia, Japan and Italy make up the majority of its potential targets.
Kaspersky Lab products detect the new banking malware as Trojan-Banker.Win32.Chthonic.
The Trojan is apparently an evolution of ZeusVM, although it has undergone a number of significant changes. Chthonic uses the same encryptor as Andromeda bots, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.
 
Full Article

    1 reply

    R
    Community Guide
    • retiredAntus67
    • Community Guide
    • 5988 replies
    • December 20, 2014
    The following article is a update:

    Chthonic Trojan Targets Online Banking Systems in 15 Countries

    By Eduard Kovacs on December 19, 2014
     
    A new banking Trojan that appears to be an evolved version of the notorious Zeus has been analyzed by researchers at Kaspersky Lab.
    According to the security firm, the threat, dubbed Chthonic, borrows some techniques from other pieces of malware, but it also uses some new mechanisms. Detected by Kaspersky asTrojan-Banker.Win32.Chthonic, the Trojan has been used to target a large number of financial organizations in several countries.
    Cybercriminals have been distributing Chthonic with the aid of emails carrying malicious documents, and by directly downloading the threat to victim devices using the Andromeda bot. It's worth noting that the Trojan uses the same encryptor as Andromeda.
    In the first phase of the attack, a Trojan downloader, which is based on Andromeda source code, is planted on the victim machine. The downloader contains a configuration file that is encrypted using techniques previously seen at KINS and ZeusVM.
     
    full article
     

    Reply


    Terms & Conditions