Troj/Zbot-DSP


By Sumo3000 in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 7
First Seen: January 29, 2013
Last Seen: January 21, 2020
OS(es) Affected: Windows

Troj/Zbot-DSP is a variant of the infamous Citadel Trojan. This particular variant has been targeting Canadian banks and retail points of sale in order to steal PINs, credit card information and other highly sensitive data. ESG security researchers have reported on the Citadel family of malware before. While Citadel was originally described as just one more of the countless variants in the Zeus/Zbot family of malware, it has evolved into a very sophisticated infection designed to steal confidential information. Troj/Zbot-DSP represents a disturbing trend that PC security researchers have observed increasingly in attacks involving the Citadel malware: gathering high-quality data rather than focusing on quantity.

Why Troj/Zbot-DSP’s Focus on Quality Over Quantity is a Dangerous New Development

Most Citadel variants use far-reaching tactics to capture as many login credentials, confidential numbers and other data as possible. In fact, one of the problems faced by criminals was not gathering more information but weeding through the high volume of data to isolate the pieces that could actually be used in attacks. Troj/Zbot-DSP is particularly dangerous because, rather than attacking as many computer users as possible, it narrows its attacks to specific targets, which makes them more damaging to the general public. By analyzing Troj/Zbot-DSP's configuration files, ESG security researchers have determined that it targets specific financial institutions in Canada and focuses especially on companies that handle point-of-sale devices. This means that Troj/Zbot-DSP's attack is highly focused on obtaining credit card and debit card information from specific points of sale. The result? While far fewer records are gathered, the percentage of stolen data that is actually useful is much higher, giving attackers a rate of return vastly superior to that of other Zbot and Zeus variants.

Like most information stealers, Troj/Zbot-DSP uses three tactics that are quite common in these kinds of attacks:

  1. Capturing images from the infected computer's screen.
  2. Grabbing information entered into fields in online forms.
  3. Logging all keystrokes on the infected computer's keyboard.

The way Troj/Zbot-DSP captures screenshots is particularly interesting: it grabs a screenshot each time the victim clicks the mouse. Form data is stolen by intercepting it inside the victim's Web browser, and the keylogger associated with Troj/Zbot-DSP is a sophisticated component that can be configured to log keystrokes only during specific windows of time.


File System Details

Troj/Zbot-DSP may create the following file(s):

#   File Name   MD5                                Detections
1.  13.exe      d2814ded0761709a9cafe5f3c780a774   3
2.  a.exe       cf54a73593a98cd7b3812ddffed6669e   0
3.  emud.exe    976b2ccbd07f1ca8f9322f0438290460   0
4.  a.exe       727d0d82d92b4a399e76a8b473c90616   0
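As an added illustration (not part of this entry and not a vendor tool), the following sweep hashes every file under a directory and compares it with the four MD5 values listed above; because the same name (a.exe) appears with two different hashes, a file whose name matches but whose hash does not is reported separately as a weaker, name-only hit. The `sweep` function and its verdict labels are this example's own assumptions.

```python
import hashlib
from pathlib import Path
from typing import Dict, List, Tuple

# Indicators copied from the File System Details table above (MD5 -> file name).
# MD5 is used only because the indicators are published as MD5; it is not a
# collision-resistant hash and should not be used for anything else.
ZBOT_DSP_MD5: Dict[str, str] = {
    "d2814ded0761709a9cafe5f3c780a774": "13.exe",
    "cf54a73593a98cd7b3812ddffed6669e": "a.exe",
    "976b2ccbd07f1ca8f9322f0438290460": "emud.exe",
    "727d0d82d92b4a399e76a8b473c90616": "a.exe",
}


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root: str, iocs: Dict[str, str] = ZBOT_DSP_MD5) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (path, verdict, md5) for every suspicious file.

    verdict is "hash-match" when the file's MD5 is in `iocs`, or "name-only"
    when only the file name matches an indicator (a possible repacked
    variant that deserves manual review, not an automatic conviction).
    """
    watched_names = {name.lower() for name in iocs.values()}
    hits: List[Tuple[str, str, str]] = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = md5_of_file(path)
        if digest in iocs:
            hits.append((str(path), "hash-match", digest))
        elif path.name.lower() in watched_names:
            hits.append((str(path), "name-only", digest))
    return hits


if __name__ == "__main__":
    import sys

    for file_path, verdict, md5 in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:10s} {md5} {file_path}")
```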

