As an addition to the information on a new ZeuS variant published once again by Trusteer researchers, we would like to point out that this botnet has been active since at least December 2013 and that it does not show any feature that has not already been observed before.
In fact, it is a slightly modified ZeuS version that incorporates features seen previously in other variants, such as the Virtual Machine present in KINS or the use of AES-128 as the cipher for the config. In the latest versions (those numbered 4.6.X.X) that config cipher was reverted to the original ZeuS RC4 algorithm, with the peculiarity that the seed has been replaced by an AES key.
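The keying detail above matters for anyone writing a config extractor: for the 4.6.X.X builds the cipher is plain RC4, and only the key material has the size one would expect of an AES-128 key. The following Python is an added example, not code from the original post or from any ZeuS build; it implements generic RC4 and feeds it a 16-byte key. The key, the "config" blob and the printable-text plausibility check are constructed assumptions for illustration, not values or formats taken from a real sample.

```python
# Added example (not from the original post): generic RC4 keyed with a
# 16-byte value, as an analyst's helper for a config extractor.
from typing import Optional


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute 0..255 under the key bytes."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed sample values (hypothetical, not from any real sample):
# a 16-byte key of AES-128 size and a fake plaintext config blob.
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_CONFIG = b"url_config=https://example.invalid/cfg.bin\x00"


def decrypt_config(blob: bytes, key: bytes) -> Optional[bytes]:
    """Decrypt with the 16-byte key and apply a cheap plausibility check.

    The check (printable ASCII plus NUL) is an assumption that fits the
    constructed sample only; a real extractor would validate the actual
    config storage format instead.
    """
    plain = rc4_crypt(key, blob)
    if all(32 <= b < 127 or b == 0 for b in plain):
        return plain
    return None


def make_sample_blob() -> bytes:
    """Build the encrypted constructed sample so the demo is self-contained."""
    return rc4_crypt(SAMPLE_KEY, SAMPLE_CONFIG)


if __name__ == "__main__":
    blob = make_sample_blob()
    print(decrypt_config(blob, SAMPLE_KEY))          # recovers SAMPLE_CONFIG
    print(decrypt_config(blob, b"\xff" * 16))        # wrong key -> None
```

The point of keeping the cipher routine generic is that the same `rc4_crypt` serves both the original ZeuS keying and this variant's 16-byte key; only the key recovery step differs between builds.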
As for the activity of the related botnet, it has been steadily declining since we began to monitor it.
As for the entities affected, far from being focused on Canadian entities, its main targets are companies in the USA, Spain and the UK.
In conclusion, this is just one of the many variants of ZeuS already known to us.
Finally, hashes of two of the variants distributed by this botnet:
- 0179c28d71902967b1ba46d3c5b10840 v188.8.131.52
- 5b6568992e08028aff46fb6bf8e7519d v184.108.40.206