A downloaded ZBOT configuration file contains a list of target websites. It also specifies how these targets will be modified. In some cases, Web forms are added for users to fill in. Here’s a screenshot of part of a targeted bank’s website:
Here is the modified version. Note the added field, Clave de Operaciones, which refers to another security key:
The latter version has been extensively modified with the addition of a script that was not present in the original version:
This script performs the actual information theft, capturing any credential the user enters. If the inserted Web form field is left blank, the script prompts the user to fill it in.
This second password is used by institutional accounts that have different levels of user privileges. The bank's website asks for it whenever the user makes a transaction involving money (paying bills, transferring funds, etc.). Clearly, this is something that cybercriminals would like to steal.
Added fields in forms are not the only tactic used. In other cases, a fake secondary login page asking for the second password is displayed instead:
The goal here is similar to the first instance wherein secondary passwords needed to complete financial transactions are stolen.
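Both tactics described above change what the browser renders relative to what the bank's server actually sent: an extra input field and an inline script in the first case, a replacement login page in the second. One defensive check that follows directly from this is to inventory the form fields and scripts of a page as observed on the endpoint and compare them against a known-clean reference copy of the same page. The following is an added example, not code from the original post or from Trend Micro: the two HTML documents, the field names (`usuario`, `clave`, `clave_operaciones`) and the script paths are constructed for illustration and are not taken from any real bank site.

```python
from html.parser import HTMLParser

# Constructed sample pages (not from the original post): a reference copy of a
# login form, and a copy with one extra password field and one inline script added.
REFERENCE_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="usuario">
  <input type="password" name="clave">
  <input type="submit" value="Entrar">
</form>
<script src="/static/app.js"></script>
</body></html>
"""

INJECTED_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="usuario">
  <input type="password" name="clave">
  <input type="password" name="clave_operaciones">
  <input type="submit" value="Entrar">
</form>
<script src="/static/app.js"></script>
<script>/* inline script that is absent from the reference copy */</script>
</body></html>
"""


class PageInventory(HTMLParser):
    """Collects form input names, external script sources and an inline-script count."""

    def __init__(self):
        super().__init__()
        self.inputs = set()
        self.external_scripts = set()
        self.inline_scripts = 0
        self._script_has_src = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input":
            name = attrs.get("name")
            if name:
                self.inputs.add(name)
        elif tag == "script":
            src = attrs.get("src")
            self._script_has_src = src is not None
            if src:
                self.external_scripts.add(src)

    def handle_endtag(self, tag):
        # A <script> element with no src attribute is an inline script.
        if tag == "script":
            if not self._script_has_src:
                self.inline_scripts += 1
            self._script_has_src = False


def inventory(html):
    parser = PageInventory()
    parser.feed(html)
    parser.close()
    return parser


def diff_against_reference(reference_html, observed_html):
    """Return the inputs and scripts present in the observed page but not in the reference."""
    ref = inventory(reference_html)
    obs = inventory(observed_html)
    return {
        "added_inputs": sorted(obs.inputs - ref.inputs),
        "added_external_scripts": sorted(obs.external_scripts - ref.external_scripts),
        "added_inline_scripts": max(obs.inline_scripts - ref.inline_scripts, 0),
    }


if __name__ == "__main__":
    # On the constructed samples this reports the extra field and the extra inline script.
    print(diff_against_reference(REFERENCE_HTML, INJECTED_HTML))
```

The comparison is deliberately coarse: it keys on input names and script sources rather than on full page text, so routine changes to copy or layout do not raise alerts, while a new credential field or a script the server never sent does. A reference copy fetched from the server side (or from a clean machine) is what makes the diff meaningful, since the injection happens on the infected client and is invisible in the server's own logs.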
In addition to detecting the ZBOT files themselves, Trend Micro products now also detect the scripts inserted into Web pages as JS_ZBOT.SM and JS_ZBOT.CNX. A white paper detailing the activities of the ZeuS/ZBOT botnet is also available here.
Additional information provided by Advanced Threats Researcher Ranieri Romera.