Security experts are warning that one of the most prolific and notorious malware campaigns so far may be coming back for another pass. At the end of 2019, Proofpoint researchers spotted email campaigns with the latest version of the infamous Zeus banking malware. In 2020, the company spotted over a hundred such campaigns with targets in Australia, Canada, Germany, Poland, and the United States.
Zeus appeared in 2006 for the first time, being used to steal credentials and information through web injects. The malware was used to target financial institutions across the board. It may also steal browser-stored passwords and cookies. It uses the Virtual Network Computing (VNC) client to make illegal transfers of money from the user's device.
The Zloader/Sphinx Malware
Proofpoint noted that much like the original, Zloader (aka Sphinx) uses a data structure called 'BaseConfig' to store the initial configuration. It is also capable of deploying anti-analysis measures to stop researchers from reverse engineering and to detect its presence. That includes encrypted strings, junk code, C&C blacklisting, repetitive obfuscation, and Windows API function hashing.
The campaign made use of lures such as warning of Coronavirus scams or claiming to provide information about testing and treatment centers. The emails contain Word files or password-protected Excel files with sheets laced with macros downloading and executing Zloader.
Since 2006, there have been 25 versions of the malware, but the most recent one happens to be a variant of one of the older versions. According to researchers, the Zeus banking malware descendants of its code have been widely used in cybercrimes since that year.
About two years after Zloader's last seen activity in 2018, Proofpoint spotted campaigns that shared functionality and network traffic with the original Zloader in the 2016-2018 campaigns. Their analysis showed that the new strain was missing the string encryption, code obfuscation, and some of the more advanced features seen in the original malware. This new malware strain doesn't appear to be a direct continuation of the latest version of Zloader from 2018, but rather one derived from an earlier version.