Functions from both malware families used by this hybrid beast to target 450 financial firms

Researchers at Trusteer have discovered a new Trojan circulating online, which uses functions from both the Zeus and the Carberp families of malware.

In 2011, the source code for the Zeus Trojan was leaked to the public, and criminals have been using parts of it ever since. Last year, the Carberp source code was offered for sale online, and researchers speculated that it could be added to Zeus or other malware families due to its versatility.

“Since the source code of the Carberp Trojan was leaked to the public, we had a theory that it won’t take cyber criminals too long to combine the Carberp source code with the Zeus code and create an evil monster,” explained Trusteer’s Martin G. Korman and Tal Darsan, in a statement.

“It was only a theory, but a few weeks ago we found samples of the ‘Andromeda’ botnet that were downloading the hybrid beast.”

This “hybrid beast,” as it’s being called, is a variant of ZeusVM, which itself is a variant of Zeus discovered earlier this year. ZeusVM is a notable advancement to Zeus, as the malware’s authors use steganography as a means of hiding configuration data within images.

The connection between ZeusVM and the hybrid Zeus / Carberp Trojan, called Zberp by Trusteer, is the same use of steganography to hide configurations. The technique is useful for avoiding detection, and the attacks observed by Trusteer have used an Apple logo to transmit updates between infected hosts.
Zberp combines a range of features that originated from the Zeus and Carberp families, including information gathering (IP address and host name); capturing screenshots and uploading them to a remote server; FTP and POP3 credential harvesting; harvesting information entered into Web forms; hijacking browsing sessions and inserting rogue content; and initiating remote desktop connections via VNC or RDP.

In addition to the shared functionality, Zberp also uses some of the same evasion techniques that are found in both Zeus and Carberp. This includes the “invisible persistence” feature that’s found within ZeusVM.

“…the malware deletes its persistence key from the registry during the Windows startup process to prevent security solutions from detecting it during normal system scans that take place after the system boots. To ensure persistency, however, the malware rewrites the persistence key back to the registry during system shutdown,” Trusteer’s researchers said, explaining the invisible persistence function.

As with the previous versions of Zeus and Carberp, this hybrid creation targets more than 450 financial firms in the U.S., U.K. and Australia – though Trusteer didn’t identify those firms directly.

In the past, criminals have focused on financial targets that are relevant to the regions where the victims lived, increasing their odds of success.

Additional information is available from Trusteer.
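One way a defender can look for the startup-delete / shutdown-rewrite pattern Trusteer describes is to correlate registry audit events against boot and shutdown times. The following is an added example, not code from the article or from Trusteer; it runs over constructed Sysmon-style registry events, and the line format, timestamps, value names and the ten-minute window are all assumptions.

```python
from datetime import datetime, timedelta

# Autostart locations to watch (HKLM/HKCU prefixes vary, so match on the suffix).
RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")

def parse_event(line):
    """Parse a constructed 'timestamp|event|target|image' record (hypothetical format)."""
    ts, event, target, image = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "target": target, "image": image}

def find_invisible_persistence(lines, boot_ts, shutdown_ts, window_minutes=10):
    """Return Run-key values deleted shortly after boot and re-created shortly before shutdown.

    A value that is only deleted (e.g. an uninstaller) or only set (normal install)
    is not flagged; the suspicious signal is the pairing across one session.
    """
    window = timedelta(minutes=window_minutes)
    deleted_after_boot, restored_before_shutdown = set(), set()
    for e in (parse_event(l) for l in lines):
        if not any(k in e["target"] for k in RUN_KEYS):
            continue
        if e["event"] == "DeleteValue" and boot_ts <= e["ts"] <= boot_ts + window:
            deleted_after_boot.add(e["target"])
        if e["event"] == "SetValue" and shutdown_ts - window <= e["ts"] <= shutdown_ts:
            restored_before_shutdown.add(e["target"])
    return sorted(deleted_after_boot & restored_before_shutdown)

# Constructed sample session: boot at 08:00, shutdown at 17:30.
BOOT = datetime(2024, 3, 1, 8, 0, 0)
SHUTDOWN = datetime(2024, 3, 1, 17, 30, 0)
RUN = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SAMPLE_EVENTS = [
    # Suspicious: removed right after boot, written back just before shutdown.
    "2024-03-01T08:00:30|DeleteValue|" + RUN + "updchk|C:\\Users\\u\\AppData\\Roaming\\updchk.exe",
    "2024-03-01T17:28:00|SetValue|" + RUN + "updchk|C:\\Users\\u\\AppData\\Roaming\\updchk.exe",
    # Benign: a normal install that sets a Run value once mid-day.
    "2024-03-01T12:15:00|SetValue|" + RUN + "OneDrive|C:\\Program Files\\OneDrive\\setup.exe",
    # Benign: an uninstaller removing its Run value at boot and never restoring it.
    "2024-03-01T08:01:00|DeleteValue|" + RUN + "OldAgent|C:\\Windows\\System32\\msiexec.exe",
]

if __name__ == "__main__":
    for hit in find_invisible_persistence(SAMPLE_EVENTS, BOOT, SHUTDOWN):
        print("possible invisible persistence:", hit)
```

In practice the same logic runs over Sysmon Event ID 12/13 records or Windows registry audit events (4657), with the boot and shutdown timestamps taken from the System log.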