New variant of Zeus banking trojan concealed in JPG images
February 18, 2014 – 6:27 PM
A new variant of the nefarious Zeus banking trojan – dubbed ZeusVM – is concealed in JPG image files, according to the collaborative findings of Jerome Segura, senior security researcher with Malwarebytes, and French security researcher Xylitol.
The act is known as steganography – concealing messages or images in other messages or images.
In the case of ZeusVM, the malware’s code is hidden in unassuming JPG images, a Monday blog post by Segura revealed. These photos serve as misdirection for ZeusVM to retrieve its configuration file.
“The JPG contains the malware configuration file, which is essentially a list of scripts and financial institutions – but doesn’t need to be opened by the victim themselves,” Segura told SCMagazine.com in a Tuesday email correspondence. “In fact, the JPG itself has very little visibility to the user and is largely a cloaking technique to ensure it is undetected from a security software standpoint.”
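A defender-side check for the technique described above, added here as an example and not code from Malwarebytes or the researchers: the article does not say how the configuration is embedded, so this assumes the simplest case, a blob appended after the JPEG End-Of-Image marker, and flags any image that carries bytes past that marker. The sample JPEG and payload are constructed for the test.

```python
import struct

# Constructed stand-in for an appended configuration blob (not a real ZeusVM config).
CONSTRUCTED_PAYLOAD = b"<constructed-config-blob: target URLs and webinjects>"


def find_eoi(data: bytes) -> int:
    """Offset just past the End-Of-Image marker (FF D9), or -1 if not found.

    Walks marker segments, then steps through entropy-coded scan data (FF 00 is
    a stuffed byte, FF D0..D7 are restart markers) until a real marker appears.
    """
    if len(data) < 4 or data[:2] != b"\xff\xd8":  # must start with SOI
        return -1
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        if in_scan:
            nxt = data[pos + 1]
            if data[pos] != 0xFF or nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                pos += 1
                continue
            in_scan = False  # a genuine marker ends this scan's data
        if data[pos] != 0xFF:
            return -1  # no marker where one is required: malformed
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte ahead of a marker
            pos += 1
            continue
        if marker == 0xD9:  # EOI: everything after this is not image data
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        pos += 2 + seg_len
        in_scan = marker == 0xDA  # Start Of Scan: entropy-coded data follows
    return -1


def trailing_bytes(data: bytes) -> bytes:
    """Bytes after EOI: empty for a clean image, the smuggled payload otherwise."""
    end = find_eoi(data)
    return b"" if end < 0 else data[end:]


def build_sample_jpeg() -> bytes:
    """Minimal constructed JPEG skeleton: marker-correct, not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # contains a stuffed FF and an RST0
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"
```

Run `trailing_bytes()` over image files fetched by endpoints or seen in proxy logs; a non-empty result is worth a closer look, since a well-formed JPEG has no reason to carry data after EOI.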
Being infected by the ZeusVM trojan enables man-in-the-middle and man-in-the-browser attacks, Segura said, adding that visiting certain URLs, such as banking websites, will cause the trojan to respond and begin interacting in real time.
This means attackers can obtain certain information by altering a login page using webinjects, or they could perform wire transfers while altering the victim’s account balance to make it seem like funds were never moved, Segura said.