Feb 10 | 11:49 pm (UTC-7) | by Jonell Baltazar (Senior Threat Researcher)
Trend Micro advanced threat researchers recently came across a new ZBOT/ZeuS binary file detected as TROJ_ZBOT.BTM.
ZBOT/ZeuS variants are well known for stealing banking information from their victims, and they spread through a variety of social engineering tactics (spammed messages, malicious links sent to social networking site members disguised as personal messages, and compromised legitimate sites), as the following documented incidents show:
- Phishing in the Guise of Enhancing Security
- ZBOT Targets Facebook Again
- Several Compromised Thai Sites Serve Malware
Apart from the usual information-stealing routines ZBOT/ZeuS Trojans are known for, this new variant (version 1.3.3.3) carries a hidden message that thanks and taunts several well-known antivirus companies for the "help" they give the cybercriminals behind the malware in constantly improving their craft. The message is not visible in the packed file as it sits on disk; it only appears after the binary unpacks and copies itself into memory on the affected system.
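The practical consequence of that last point is that a string search over the file on disk never sees the message, while a search over the unpacked image in memory does. The following is an added illustration, not Trend Micro's code and not the real sample: the message text, the XOR "packer" and its key are constructed stand-ins (the page does not quote the message or describe the real packer), but the check itself is the one an analyst would run against a memory dump versus the dropped file.

```python
import re

# Constructed stand-in for the hidden message; the real text is not quoted on the page.
HIDDEN_MESSAGE = b"Thanks to the AV vendors for keeping us on our toes (example text)"
# Version string taken from the page; its placement inside the body is an assumption.
VERSION_STRING = b"1.3.3.3"


def extract_strings(buf: bytes, min_len: int = 4) -> list:
    """Equivalent of the `strings` utility: runs of printable ASCII of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, buf)


def xor_pack(payload: bytes, key: bytes) -> bytes:
    """Toy packer: XOR with a repeating key. Stands in for the real packer, which the page
    does not describe. XOR is its own inverse, so the same function unpacks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


def build_packed_sample() -> bytes:
    """Constructed 'sample': a plaintext stub header that carries the key, followed by the
    XOR-encoded body that contains the version string and the hidden message."""
    body = b"MZ" + b"\x00" * 16 + VERSION_STRING + b"\x00" + HIDDEN_MESSAGE + b"\x00"
    key = b"\x5a\xa7\x13\xc4"          # non-zero bytes, so every body byte is changed on disk
    return b"STUB" + key + xor_pack(body, key)


def unpack_in_memory(sample: bytes) -> bytes:
    """What the stub does at run time: read its key and decode the body into memory.
    This is the image a memory dump (or a post-unpack breakpoint) would give an analyst."""
    key = sample[4:8]
    return xor_pack(sample[8:], key)


def contains_message(buf: bytes, needle: bytes = HIDDEN_MESSAGE) -> bool:
    """Does a `strings`-style scan of buf turn up the needle?"""
    return any(needle in s for s in extract_strings(buf))


def compare_file_vs_memory(sample: bytes):
    """Return (found_on_disk, found_in_memory) for the hidden message."""
    on_disk = contains_message(sample)
    in_memory = contains_message(unpack_in_memory(sample))
    return on_disk, in_memory


if __name__ == "__main__":
    sample = build_packed_sample()
    on_disk, in_memory = compare_file_vs_memory(sample)
    print("message visible in file on disk :", on_disk)
    print("message visible after unpacking :", in_memory)
    print("strings in unpacked image       :", extract_strings(unpack_in_memory(sample)))
```

The same reasoning applies to any string-based indicator for this family: a signature or YARA rule written from the unpacked image must be applied to process memory (or to the sample after it has been unpacked in a sandbox), not to the packed dropper as downloaded.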
This taunting message shows that the cybercriminals monitor how well antivirus products detect their malware and constantly update it to evade detection.
Trend Micro™ Smart Protection Network™ already protects product users from this threat: its Web reputation service blocks access to the malicious site, http://{BLOCKED}p.com/consc/cons.exe, from which the binary is downloaded, and its file reputation service detects the file and prevents it from executing on affected systems.
Users of non-Trend Micro products can also stay protected by using free tools like the Web Protection Add-On, which is designed to block access to potentially malicious websites in real time.