Jerome Segura, a senior security researcher of MalwareByte says that “A new Variant of Zeus Banking Trojan (ZesusVM) has been found in JPEG (Joint Photographic Experts Group) image file. This act of concealing images or messages in other messages or images is known as Steganography”.
In the case of ZeusVM the code is hidden in the JPEG Images steganographically. The trojan ZeusVm than uses this retrieve its configuration files and perpetrate.
Jerome Segura further explains that”The JPEG contains the Malware configuration file, which is essentially a list of scripts and financial institutions – but doesn’t need to be opened by the victim themselves. The JPEG itself has very little visibility to the user and is largely a cloaking technique to ensure it is undetected from a security software standpoint”.
ZeusVm Trojan allows man-in-the-middle attack in which attacker can not be traced easily. An attacker can obtain sensitive information by altering a Login page using WebInjects. Segura says that Visiting Banking related websites may activate the ZeusVM .
Segura Furthur explains that ZeusVm Trojan is executable, and copies itself deep within the computer like other replicating Viruses, ZeusVM can also easily communicate with the command-and-server when it finds network and it can also reactivate (auto restart) itself when computer reboots.
This Malware can be distributed in many ways but the spread is majorly through phishing emails or web based attacks. This Malware can also be spread via Malvertising, which involves websites hosting ads that spread Malware. Malvertising is the best method for spreading such Malwares because in case of websites, the malware gets ready made host which is always online. The moment the malware injects itself into the advertising, it can go viral by the amount of clicks it generates. The malvertising ads can then spread Malware through the internet traffic which the hacker/attacker may obtain through ethical means (search engines) or through illicit means (phishing mails/spam links/spam comments).
Segura has started more research on into this Trojan and to show the difference between the original image and the Steganographed image. In a Blog post he showed two images which looked exactly same but when he showed his result of viewing the images in Bitmap mode and in a hexadecimal viewer the difference of both images was clearly visible.
Segura wrote in the post that to make identification more difficult the appended data is encrypted with Base64, RC4. To decode you can reverse the file with a debugger such as OllyDbg and grab description Routine.
