Cybercriminals Sign ZeuS Banking Trojan with Valid Digital Certificate

ZeuS malware signed with valid digital certificate

Security researchers from Comodo have identified a new version of the notorious banking Trojan known as ZeuS. The variant analyzed by experts is signed with a valid digital certificate, which makes the threat more difficult to detect and remove.

More than 200 of Comodo’s customers have been targeted with this threat. Cybercriminals are distributing the malware with the aid of spam emails, or via exploits planted on malicious or compromised websites.

In the first phase of the attack, the downloader is distributed. Once this component finds itself on a device, it downloads a rootkit, which ensures the threat’s persistence, and the malware component.

The malware component is typical for ZeuS. It launches man-in-the-middle attacks to steal sensitive information, particularly financial data. The rootkit is designed to hide the malware and make it more difficult to remove.

When it’s pushed onto a device, the Trojan looks like an innocent Internet Explorer file. This file is signed with a digital certificate apparently stolen from Swiss software company isonet.

The rootkit components are downloaded from two different domains. The rootkit is installed within Boot Bus Extender to ensure that it’s loaded before other drivers when the computer boots up.

Additional technical details on this new ZeuS variant are available on Comodo’s blog.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s