Bastard child of SpyEye/ZeuS merger appears online

Malware lovechild monst(e)r/demon


Updated Security researchers have got their hands on the first sample of code from the merger of the ZeuS and SpyEye cybercrime Trojan toolkits.

Posts on Russian underground forums last year suggested that Slavik/Monstr, the author of ZeuS, was "retiring"1 from cybercrime and handing over the ZeuS source code to Gribodemon/Harderman, the creator of SpyEye. ZeuS has long been the root cause of many instances of banking fraud, while SpyEye is a much newer and even more aggressive addition to the scene. Both Zeus and SpyEye are sold commercially as a means to create customised Trojans, typically designed to steal banking login credentials from compromised PCs.

The first fruits of the merged code, SpyEye builder version 1.3.05, illustrates the sophistication of these cybercrime toolkits, Trend Micro reports. The malware-building tool includes options to build-in web injects, screenshot captures as well as hooks for various optional add-ins. Core functionality also includes code designed to evade Trusteer Rapport transactions security software, a security application offered to customers of many banks as a defence against banking Trojans.

The latter feature shows that, once again, cybercrooks are attempting to up their game in response to developments by security defenders. Trusteer, which is yet to receive and examine samples of newest version of the SpyEye, issued a statement on Tuesday stating it was confident its defenses would hold firm.

We ran a complete test of Rapport against thousands of recent SpyEye and Zeus samples, including a few which were pointed out as possibly related to the SpyEye-Zeus merger. They all behaved just like standard SpyEye samples, all were handled properly by Rapport, and none adversely affected Rapport.

Rapport has several mechanism capable of reporting targeted attacks against its files. We haven't seen any newly suspicious activity from these mechanisms.

Optional plug-ins to the new version of SpyEye include the ability to present users of compromised machines with fake pages and improved attacks against Firefox users. "The basic SpyEye package only steals certificates from the cryptographic storage of Windows," writes Loucif Kharouni, a senior threat researcher at Trend Micro. "However, Firefox uses its own certificate storage folder, from which the ffcertgrabber plug-in grabs certificates."

The cybercrime toolkit also includes improved credit-card grabbing functionality, which works by "analysing the POST requests made by the user and checking these against the Luhn algorithm," Trend explains.

The CC grabber plug-ins and anti-rapport option are the main additions to this new and more polished version of SpyEye, which has already entered production. Trend Micro reports that two live servers are using the new version of the malware. ®

1 Several new versions of ZeuS have been released since Slavik supposedly quit last October, some of which have included new functionality. It is unclear who developed the improved code, but one possibility is that the code was put in place by Slavik who, far from having retired, is simply keeping a lower profile. Misdirection and misinformation, after all, are among the main tools of the cybercrime trade.

Similar topics

Broader topics

Narrower topics


Other stories you might like

  • Interpol anti-fraud operation busts call centers behind business email scams
    1,770 premises raided, 2,000 arrested, $50m seized

    Law enforcement agencies around the world have arrested about 2,000 people and seized $50 million in a sweeping operation crackdown of social engineering and other scam operations around the globe.

    In the latest action in the ongoing "First Light", an operation Interpol has coordinated annually since 2014, law enforcement officials from 76 countries raided 1,770 call centers suspected of running fraudulent operations such as telephone and romance scams, email deception scams, and financial crimes.

    Among the 2,000 people arrested in Operation First Light 2022 were call center operators and fraudsters, and money launderers. Interpol stated that the operation also saw 4,000 bank accounts frozen and 3,000 suspects identified.

    Continue reading
  • Cloud services proving handy for cybercriminals, SANS Institute warns
    Flying horses, gonna pwn me away...

    RSA Conference Living off the land is so 2021. These days, cybercriminals are living off the cloud, according to Katie Nickels, director of intelligence for Red Canary and a SANS Certified Instructor.

    "It's not enough to pay attention to the operating systems, the endpoints, said Nickels, speaking on a SANS Institute panel about the most dangerous new attack techniques at RSA Conference. "Adversaries, a lot of their intrusions, are using cloud services of different types."  

    And yes, living off the land (or the cloud), in which intruders use legitimate software and cloud services to deploy malware or spy on corporations and other nefarious activities, isn't a new type of attack, Nickels admitted. "But what's new here is the levels to which using cloud services [for cyberattacks] has risen." 

    Continue reading
  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading

Biting the hand that feeds IT © 1998–2022