SophosLabs: Techniques from APTs showing up in money-making Zbot/Zeus malware

Malware targeting financial accounts is increasingly borrowing techniques formerly seen only in targeted attacks designed for espionage and intelligence gathering, according to new research from SophosLabs.

These techniques, including the use of booby-trapped Word documents, had been telltale signs of so-called advanced persistent threats (APTs). But our research shows that cybercriminals behind financial malware such as Zbot (Zeus) are now borrowing the same attack methods to spread money-making malware.

Many of the document-based APT attacks seen by SophosLabs in the past year were executed by malware under the family name PlugX. We saw PlugX malware in attacks aimed at users in Japan late last year, for example. But in recent months, SophosLabs has been seeing a much higher number of document-based attacks containing Zbot (also called Zeus).

According to SophosLabs threat researcher Gabor Szappanos, who has been following the development of document-based APTs for the past year, about 33% of all APT-style document-based attacks in January and February of this year contained malware from the Zbot family.

Zbot is a widespread malware family that is designed primarily to steal banking data, including usernames, passwords and the one-time access codes used in two-factor authentication. Zbot also frequently deploys ransomware like Cryptolocker to make money for its masters.

What does this all mean? As Gabor reports, it means the cybercriminals behind Zbot have seen the potential to use APT techniques to make more money, and they are rapidly borrowing these techniques to spread their malware to more victims.

“Exploited documents, once used almost exclusively from players in the APT scene, are now used routinely in the sort of malware that is distributed widely by money-seeking cybercriminals,” Gabor writes at Naked Security.

According to SophosLabs, the vast majority of the APTs we have seen in the past two months seek to exploit just a handful of vulnerabilities in Microsoft Office from 2010 and 2012.

Find out more about APTs

Read the SophosLabs article including three security tips.

Read the blog post at Naked Security by Paul Ducklin for his take on APTs.

Read the Sophos Blog post about how Sophos UTM protects you against APTs with the Advanced Threat Protection feature available in Sophos UTM Accelerated (9.2).

Free whitepaper: APTs explained

If you want to find out more about how APTs work and what you can do to protect yourself against them, download our free whitepaper (you will have to register).
