New variant of Zeus banking trojan concealed in JPG images

February 18, 2014 – 6:27 PM

A new variant of the nefarious Zeus banking trojan – dubbed ZeusVM – is concealed in JPG image files, according to the collaborative findings of Jerome Segura, senior security researcher with Malwarebytes, and French security researcher Xylitol.

The act is known as steganography – concealing messages or images in other messages or images.

In the case of ZeusVM, the malware’s code is hidden in unassuming JPG images, a Monday blog post by Segura revealed. The images act as cover: ZeusVM fetches them in order to retrieve its configuration file.

“The JPG contains the malware configuration file, which is essentially a list of scripts and financial institutions – but doesn’t need to be opened by the victim themselves,” Segura said in a Tuesday email correspondence. “In fact, the JPG itself has very little visibility to the user and is largely a cloaking technique to ensure it is undetected from a security software standpoint.”
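As an added, defender-side example (not code from the article or from Malwarebytes): the article does not say where inside the JPG the configuration sits, but a common way to carry a payload "in" an image is to append it after the JPEG End-Of-Image marker, which viewers silently ignore. The Python triage check below walks the JPEG segment structure and reports any bytes that follow the image, so a file carrying an appended blob can be flagged for analysis. The appended layout is an assumption, and the sample JPEG skeleton and the "config" trailer are constructed.

```python
"""Triage check: does a JPEG carry data appended after its End-Of-Image marker?

Assumption (not stated in the article): the hidden config is appended after
the image rather than woven into pixel data. Viewers stop at EOI (0xFFD9),
so such a file still renders normally.
"""
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def _skip_scan(data: bytes, pos: int) -> int:
    """Advance past entropy-coded scan data to the next real marker.

    Inside a scan, 0xFF is byte-stuffed as FF 00 and only RSTn (FFD0-FFD7)
    markers may appear, so anything else after 0xFF ends the scan.
    """
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
            return pos
        pos += 1
    return len(data)


def trailing_payload(data: bytes) -> bytes:
    """Return the bytes after the JPEG EOI marker (b'' if none or truncated)."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                   # EOI: anything after is extra
            return data[pos + 2:]
        if marker == 0xFF:                                   # fill byte, not a marker
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:         # standalone markers (no length)
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                                   # skip marker + segment
        if marker == 0xDA:                                   # SOS: scan data follows
            pos = _skip_scan(data, pos)
    return b""                                               # truncated file: no trailer


# Constructed sample: a minimal JPEG skeleton (SOI, APP0, SOS with stuffed
# bytes and an RST0 marker, EOI); it is not a viewable picture.
CLEAN_JPEG = (
    SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\xff\x00\x34\xff\xd0\x56"
    + EOI
)
SUSPECT_JPEG = CLEAN_JPEG + b"CONSTRUCTED-ENCRYPTED-CONFIG"   # constructed trailer
```

A non-empty return value is a reason to pull the file for analysis, not proof of malware: some cameras and editors also leave harmless trailing data.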

Infection with the ZeusVM trojan allows for man-in-the-middle and man-in-the-browser attacks, Segura said, adding that visiting certain URLs, such as banking websites, will cause the trojan to respond and begin interacting in real time.

This means attackers can obtain certain information by altering a login page using webinjects, or they could perform wire transfers while altering the victim’s account balance to make it seem like funds were never moved, Segura said.
