HPmal/Zbot-C


By Domesticus in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 2
First Seen: January 29, 2013
Last Seen: November 1, 2021
OS(es) Affected: Windows

HPmal/Zbot-C is a variant of the Zbot Trojan that steals information and targets financial institutions based in Canada, including a company that processes payments from point-of-sale devices and credit and debit cards. HPmal/Zbot-C collects login credentials entered into forms and injects code into websites so that affected PC users are prompted for more information, such as answers to secret questions, PIN numbers and mother's maiden name. HPmal/Zbot-C captures the screen, grabs form fields and logs keystrokes to gather information on the targeted computer system. A screenshot is taken each time the PC owner clicks the left mouse button while browsing the payment processing website.

Each screen capture is concentrated on the area around the mouse click and is sent back to the botnet owner. Form data, including usernames and passwords, is also collected and sent back. The configuration files of HPmal/Zbot-C also contain a section called 'Keylogger processes' that lists the processes from which keystrokes will be logged. Every time the owner of the affected computer enters usernames, passwords and card details into one of these software products, all the keystrokes are sent back to the botnet owner. Alongside software products used for remote access, including SCP, Putty, GotoMyPC, VNC and PCAnywhere, the list contains process names including '*pos*', '*store*', '*sales*' and '*merchant*' that are possibly related to processing payment card data. HPmal/Zbot-C also corrupts financial software products such as Quickbooks and Sage.
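The following is an added example, not code from the original page or from the malware's configuration: a defender-side triage that checks which processes in an endpoint inventory fall inside the wildcard patterns quoted above, so those hosts can be prioritized for review. The host names, process names and the case-insensitive matching are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Wildcard process-name patterns quoted on this page.
PAGE_PATTERNS = ("*pos*", "*store*", "*sales*", "*merchant*")


def matching_patterns(process_name, patterns=PAGE_PATTERNS):
    """Return the patterns that a process image name matches.

    Assumption: matching is case-insensitive, as Windows image names are.
    """
    name = process_name.lower()
    return [p for p in patterns if fnmatchcase(name, p.lower())]


def in_scope(process_names, patterns=PAGE_PATTERNS):
    """Map each in-scope process name to the patterns that cover it."""
    hits = {}
    for name in process_names:
        matched = matching_patterns(name, patterns)
        if matched:
            hits[name] = matched
    return hits


def rank_hosts(inventory, patterns=PAGE_PATTERNS):
    """Order hosts by how many running processes fall inside the patterns."""
    scored = [(host, in_scope(procs, patterns)) for host, procs in inventory.items()]
    exposed = [(host, hits) for host, hits in scored if hits]
    return sorted(exposed, key=lambda item: (-len(item[1]), item[0]))


# Constructed inventory: hypothetical host and process names, not from the page.
SAMPLE_INVENTORY = {
    "till-01": ["explorer.exe", "RetailPOS.exe", "MerchantLink.exe"],
    "backoffice-02": ["SalesReport.exe", "postgres.exe", "chrome.exe"],
    "dev-03": ["code.exe", "WinStore.App.exe"],
    "hr-04": ["outlook.exe", "winword.exe"],
}

if __name__ == "__main__":
    for host, hits in rank_hosts(SAMPLE_INVENTORY):
        for proc, pats in hits.items():
            print(f"{host}: {proc} matches {', '.join(pats)}")
```

Because the patterns are substring wildcards, unrelated software such as a database server whose name contains "pos" is also in scope, so the matched pattern is reported with each hit for an analyst to judge.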

