Chthonic: a new modification of ZeuS

In the fall of 2014, we discovered a new banking Trojan, which caught our attention for two reasons:

  • First, it is interesting from the technical viewpoint, because it uses a new technique for loading modules.
  • Second, an analysis of its configuration files has shown that the malware targets a large number of online-banking systems: over 150 different banks and 20 payment systems in 15 countries. Banks in the UK, Spain, the US, Russia, Japan and Italy make up the majority of its potential targets.

Kaspersky Lab products detect the new banking malware as Trojan-Banker.Win32.Chthonic.

The Trojan is apparently an evolution of ZeusVM, although it has undergone a number of significant changes. Chthonic uses the same encryptor as Andromeda bots, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.

Infection

We have seen several techniques used to infect victim machines with Trojan-Banker.Win32.Chthonic:

  • sending emails containing exploits;
  • downloading the malware to victim machines using the Andromeda bot (Backdoor.Win32.Androm in Kaspersky Lab classification).

When sending messages containing an exploit, cybercriminals attached a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products. The file has a .DOC extension to make it look less suspicious.
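The lure above works because Word opens a file by sniffing its content, not by trusting the extension, so an RTF renamed to .DOC still renders. The flip side is that the disguise is trivial to spot at a mail gateway or in a sandbox by comparing the extension with the leading bytes. The following Python is an added example written for this article, not code from the write-up or from Kaspersky Lab; the sample attachments are constructed and the file names and helper names are my own.

```python
"""Flag Office attachments whose content type does not match their extension.

Added example for this write-up. An RTF file is plain text beginning with
"{\\rtf", while a genuine legacy .doc is an OLE2 compound file and a .docx is
a ZIP archive, so an RTF lure carrying a .DOC extension is visible from the
first few bytes.
"""
import os

# Well-known file signatures for the container formats we care about.
RTF_MAGIC = b"{\\rtf"                               # RTF: literal "{\rtf" text
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # OLE2 / CFB (.doc, .xls, .ppt)
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.docx, .xlsx, .pptx) are ZIP

# Which container formats legitimately carry each extension.
EXPECTED = {
    ".doc": {"ole"},
    ".dot": {"ole"},
    ".docx": {"zip"},
    ".docm": {"zip"},
    ".rtf": {"rtf"},
}


def detect_format(data: bytes) -> str:
    """Classify content as 'rtf', 'ole', 'zip' or 'unknown' from leading bytes."""
    head = data[:8]
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict; 'mismatch' is True when the extension claims a
    format the content does not have. Unknown extensions are not judged."""
    ext = os.path.splitext(filename)[1].lower()
    fmt = detect_format(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and fmt not in expected
    return {"filename": filename, "extension": ext, "format": fmt,
            "mismatch": mismatch}


# Constructed sample attachments (hypothetical names and bodies, not real samples).
SAMPLES = {
    "invoice.doc": b"{\\rtf1\\ansi constructed RTF body }",   # RTF disguised as .DOC
    "report.doc": OLE_MAGIC + b"\x00" * 24,                   # genuine OLE2 .doc
    "notes.rtf": b"{\\rtf1 hello}",                            # honest RTF
    "memo.docx": ZIP_MAGIC + b"\x14\x00",                      # OOXML container
}


def scan(samples=SAMPLES):
    """Run the check over every sample and return the list of verdicts."""
    return [check_attachment(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in scan():
        flag = "SUSPICIOUS" if r["mismatch"] else "ok"
        print(f"{r['filename']:14} ext={r['extension']:6} content={r['format']:8} {flag}")
```

This is a cheap triage signal, not an exploit detector: it says nothing about whether the RTF actually carries a CVE-2014-1761 trigger, only that the sender lied about the file type, which in a mail stream is itself worth a quarantine and a closer look.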