Today, Trend Micro threat researchers ran across a new ZBOT variant mainly targeting four European countries’ banking systems in Italy, England, Germany, and France.
Trend Micro detects this variant as TSPY_ZBOT.AZX. It targets major consumer European Banks and financial institutions with high-profile clientele. The targeted companies include the major UniCredit Group Subsidiary Bank of Rome; U.K.-based Abbey National (more commonly known as Abbey); Hong Kong’s HSBC; Germany’s leading IT service provider in the cooperative financial system, the FIDUCIA Group; and one of France’s largest retail banks, Crédit Mutuel.
“At this point, we do have the data that show that these banks are indeed being currently targeted. We are including some names of the banks here to make people aware,” says advanced threats researcher Ivan Macalintal.
ZBOT is a crimeware phenomena created using a toolkit. The ZeuS toolkit enables cybercriminals to create and customize their own remote-controlled malware. The infected machine then becomes part of the criminal ZeuS botnet. ZBOT variants are information stealers specializing in robbing online banking information from victims and sending back the information to its command-and-control (C&C) server.
At its most basic level, ZeuS has always been known for engaging in criminal activities, as it signals a new wave of online criminal business enterprises wherein different organizations can cooperate with one another to perpetrate outright online theft and fraud. Read up more on this malware in our white paper, “Zeus: A Persistent Criminal Enterprise.”
The domains used by TSPY_ZBOT.AZX are both hosted on the same server, which is located in Serbia under a registered name. The IP address used and its registered name are both well-known for being part of FAKEAV-hosting domains and previous Canadian pharmacy spam campaigns.
Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service. Not a Trend Micro user? We also offer free system checks with HouseCall, which identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. You may also use RUBotted to find out if your machine is already part of a botnet.