    Author Archive - Jennifer Gumban (Threat Response Engineer)

    It’s been said that a picture is worth a thousand words. Unfortunately, there’s one that’s worth the contents of your bank accounts. We came across malware that uses steganography to hide its configuration file inside an image. However novel this technique might seem, it is hardly new; we previously featured targeted attacks that use the same technique.

    The ZBOT malware, detected as TSPY_ZBOT.TFZAH, downloads a JPEG file onto the affected system without the user’s knowledge. The user never sees this image, and if someone did open it, it would look like an ordinary photo. We encountered an image of a sunset, while other security researchers reported a cat picture. (The sunset photo appears to have been lifted from a popular photo-sharing site; it turns up on such sites in a search for “sunset”.)

    The list of banks and financial institutions to be monitored is hidden inside the image: it is appended to the image data (Figure 1), so the file still renders as a normal photo while carrying the target list in its tail. The list includes institutions from across the globe, particularly in Europe and the Middle East. Once the user visits any of the listed sites, the malware steals information such as the user’s login credentials.

    Figure 1. Image appended with the list of targeted institutions
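    A practical check for this kind of file follows. It is an added example written for this post, not TrendLabs code and not code recovered from the malware: it walks a JPEG’s segment structure to find the End-Of-Image marker and reports anything stored after it, which is where an appended configuration lives. The post does not say how ZBOT encodes the appended list, so the plaintext, newline-separated payload and the JPEG-shaped sample blob below are constructed stand-ins. The point of walking the structure rather than searching for the last FF D9 is shown by the decoy FF D9 placed inside the payload.

```python
"""Detect and extract data appended after a JPEG's End-Of-Image marker.

Added example for this post, not code from TrendLabs or from the malware
itself. It assumes the layout Figure 1 describes (the target list is
appended to the image data); how ZBOT encodes that list is not stated on
the page, so the plaintext newline-separated payload used below is a
constructed stand-in.
"""
import struct

SOI = b"\xff\xd8"   # Start Of Image
EOI = b"\xff\xd9"   # End Of Image


def split_jpeg(data: bytes):
    """Return (image_bytes, trailing_bytes).

    Walks the JPEG segment structure instead of searching for the last
    FF D9, because an appended payload may itself contain FF D9 and a
    naive rfind() would then miss part of it. Raises ValueError when the
    blob is not a JPEG or is malformed; if the blob ends cleanly before any
    EOI, the whole blob is treated as image with an empty trailer.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    n, pos = len(data), 2
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:      # 0xFF fill bytes may precede a marker
            pos += 1
        if pos >= n:
            break
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                         # EOI: image ends here
            return data[:pos], data[pos:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length field
            continue
        if pos + 2 > n:
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]   # length includes itself
        pos += seg_len
        if marker == 0xDA:                         # SOS: entropy-coded data follows
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                          # a real marker, not stuffed FF 00 or RSTn
                pos += 1
    return data, b""


def naive_trailer(data: bytes) -> bytes:
    """The shortcut a quick triage script might use; kept only to show its failure."""
    return data[data.rfind(EOI) + 2:]


def extract_appended_urls(data: bytes):
    """Pull URL-looking lines out of the appended payload (assumed plaintext)."""
    _, trailer = split_jpeg(data)
    return [line.decode("latin-1") for line in trailer.split(b"\n")
            if line.startswith((b"http://", b"https://"))]


def build_sample_jpeg(payload: bytes) -> bytes:
    """Constructed input: a JPEG-shaped blob (not a viewable picture) made of
    SOI, a JFIF APP0 segment, a one-component SOS header, a few bytes of
    fake entropy data containing a stuffed FF 00, EOI, then `payload`."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\x56"
    return SOI + app0 + sos + entropy + EOI + payload


# Constructed payload with a decoy FF D9 in front of the "config" lines.
SAMPLE_PAYLOAD = (b"CFG\xff\xd9\n"
                  b"https://bank.example/login\n"
                  b"https://online.example-bank.com/\n")
SAMPLE_JPEG = build_sample_jpeg(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    image, trailer = split_jpeg(SAMPLE_JPEG)
    print(f"image bytes: {len(image)}, appended bytes: {len(trailer)}")
    print("structural walk :", extract_appended_urls(SAMPLE_JPEG))
    print("rfind shortcut  :", naive_trailer(SAMPLE_JPEG))
```

    On the constructed sample the structural walk returns the full appended payload, while the rfind() shortcut stops at the decoy FF D9 and loses the start of it. A real sample would need the decoding step the post does not describe applied to the trailer before the URL extraction makes sense.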

    This particular attack has another unusual routine: it downloads a second piece of malware, TROJ_FOIDAN.AX, onto the system. This Trojan removes the X-Frame-Options HTTP header from the responses of sites the user visits, allowing those pages to be displayed inside a frame on another site. Webmasters set this header precisely so that browsers refuse to render their pages inside frames, the standard defence against clickjacking.
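    The following is an added example, not TrendLabs code: it reproduces the outcome the post attributes to TROJ_FOIDAN.AX on a constructed HTTP response (the malware’s actual interception mechanism is not described here), and shows the defender-side check that catches it. A page is frameable when neither X-Frame-Options nor a Content-Security-Policy frame-ancestors directive forbids it; frame-ancestors is evaluated first because browsers that support it give it precedence. The sample responses are constructed, not captured traffic.

```python
"""Flag HTTP responses that browsers will let another site frame.

Added example for this post, not TrendLabs code. The post says
TROJ_FOIDAN.AX removes the X-Frame-Options header from pages the victim
visits; strip_header() reproduces that outcome on a constructed response
(the malware's real interception mechanism is not described on the page)
and framing_policy() is the check that catches it.
"""


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, headers, body).
    Header names are lowercased; values are kept as a list since headers may repeat."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def framing_policy(headers) -> str:
    """Return 'blocked', 'same-origin', 'restricted' or 'frameable'.

    CSP frame-ancestors takes precedence over X-Frame-Options in browsers
    that support it, so it is evaluated first.
    """
    for csp in headers.get("content-security-policy", []):
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.lower() for s in parts[1:]]
                if sources == ["'none'"]:
                    return "blocked"
                if sources == ["'self'"]:
                    return "same-origin"
                return "restricted"      # explicit allow-list (or an odd/empty list): constrained
    for xfo in headers.get("x-frame-options", []):
        value = xfo.upper()
        if value == "DENY":
            return "blocked"
        if value == "SAMEORIGIN":
            return "same-origin"
        if value.startswith("ALLOW-FROM"):   # obsolete value, ignored by modern browsers
            return "restricted"
    return "frameable"


def strip_header(raw: bytes, name: str) -> bytes:
    """Drop every instance of header `name`: the outcome the post attributes to TROJ_FOIDAN.AX."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    prefix = name.lower().encode() + b":"
    kept = [line for line in head.split(b"\r\n") if not line.lower().startswith(prefix)]
    return b"\r\n".join(kept) + sep + body


def check(raw: bytes) -> str:
    """Policy verdict straight from raw response bytes."""
    return framing_policy(parse_response(raw)[1])


# Constructed sample responses (not captured traffic).
BANK_LOGIN = (b"HTTP/1.1 200 OK\r\n"
              b"Content-Type: text/html\r\n"
              b"X-Frame-Options: SAMEORIGIN\r\n"
              b"\r\n"
              b"<html>login</html>")
CSP_LOGIN = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
             b"X-Frame-Options: SAMEORIGIN\r\n"
             b"\r\n"
             b"<html>login</html>")

if __name__ == "__main__":
    print("original  :", check(BANK_LOGIN))                                   # same-origin
    print("stripped  :", check(strip_header(BANK_LOGIN, "X-Frame-Options")))  # frameable
    print("csp kept  :", check(strip_header(CSP_LOGIN, "X-Frame-Options")))   # blocked
```

    The third case is the practitioner’s caveat: a site that also sends a CSP frame-ancestors directive stays unframeable even when X-Frame-Options is stripped, so sending both headers narrows what a header-stripping Trojan can achieve.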

    ZBOT has not previously been linked to clickjacking. It has, however, been linked to other threats, such as ransomware and file infectors.

    The use of steganography, along with the inclusion of clickjacking-related malware, shows that established malware threats are still expanding their techniques and routines.

    With additional insights from Mark Manahan.

    Update as of 7:00PM PST, March 6, 2014

    The SHA-1 hashes of the malicious files related to this attack are as follows:

    • 3e545d7776064f22e572e92b9c0a236280459917
    • bf3052fd93ba6c80ede96ed7c03a6c03235e6235
    • ebdb802aa5e274d76252d65841100a1a021408d9

