Websense Security Labs announced that it has identified a recently evolved strain of the Zeus banking malware, a family commonly used to steal online banking credentials.
The company reports that its ThreatSeeker Intelligence Cloud has been tracking a malicious, low-volume email campaign over the past several months that uses social engineering lures to spread what Websense calls an “evolving breed of the Zeus banking malware.”
Websense has observed that, as with previous variants, Zeus PIF is delivered by a dropper that abuses the Windows “PIF” (Program Information File) extension. Windows treats a .pif file as executable, yet Explorer hides the .pif extension even when the user has turned off extension hiding, so an attachment named “invoice.pdf.pif” is shown to the victim as “invoice.pdf”. The trick was common years ago and now appears to be making a comeback.
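The following is an added example, not code from Websense or from the Zeus PIF campaign. It shows how a mail-gateway or triage script can catch the hidden-extension trick described above: it computes the name Explorer would display, flags extensions Windows hides by default, and checks whether a “.pif” attachment is really a PE executable (a genuine PIF is a small configuration record, not an “MZ” image). The function names, the verdict rules and the sample attachment names and header bytes are all constructed for illustration.

```python
"""Triage e-mail attachments for the hidden-.pif executable trick (added example)."""
import os

# Extensions Windows Explorer hides by default via the NeverShowExt registry
# flag, even when "Hide extensions for known file types" is turned off.
# A file named "invoice.pdf.pif" is therefore displayed as "invoice.pdf".
NEVER_SHOW_EXT = {".pif", ".lnk", ".url", ".scf", ".shs", ".shb"}

# Inner extensions a lure typically spoofs so the displayed name looks harmless.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip"}


def displayed_name(filename: str) -> str:
    """Return the name Explorer would show for this file with default settings."""
    root, ext = os.path.splitext(filename)
    return root if ext.lower() in NEVER_SHOW_EXT else filename


def is_pe(head: bytes) -> bool:
    """True if the first bytes are a DOS/PE 'MZ' header; a real PIF never is."""
    return head[:2] == b"MZ"


def triage_attachment(filename: str, head: bytes) -> dict:
    """Classify one attachment from its name and its first bytes.

    Verdicts (hypothetical policy): 'block' when a hidden extension conceals a
    document look-alike or a renamed executable, 'review' for any other hidden
    extension, 'allow' otherwise.
    """
    real_ext = os.path.splitext(filename)[1].lower()
    shown = displayed_name(filename)
    shown_ext = os.path.splitext(shown)[1].lower()
    reasons = []

    hidden = real_ext in NEVER_SHOW_EXT
    masquerade = hidden and shown_ext in DOCUMENT_EXTS
    renamed_pe = real_ext == ".pif" and is_pe(head)

    if hidden:
        reasons.append(f"extension {real_ext} is hidden by Explorer (NeverShowExt)")
    if masquerade:
        reasons.append(f"displayed to the user as a {shown_ext} document")
    if renamed_pe:
        reasons.append("PE executable renamed to .pif (genuine PIF files have no MZ header)")

    if masquerade or renamed_pe:
        verdict = "block"
    elif hidden:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "displayed_as": shown, "verdict": verdict, "reasons": reasons}


# Constructed samples: names and header bytes invented for this example.
SAMPLES = [
    ("Payment_Advice.pdf.pif", b"MZ\x90\x00\x03\x00\x00\x00"),  # renamed PE dropper
    ("shortcut.lnk", b"L\x00\x00\x00\x01\x14\x02\x00"),          # real shell link
    ("report.pdf", b"%PDF-1.4\n"),                               # ordinary document
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        r = triage_attachment(name, head)
        findings = "; ".join(r["reasons"]) or "no findings"
        print(f"{r['verdict']:6} {name!r} shown as {r['displayed_as']!r}: {findings}")
```

The header check matters because a campaign can sidestep the double-extension heuristic simply by naming the file “statement.pif”; the MZ test still catches it, since no legitimate PIF is a PE image.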
A Websense blog post explains what is new about this variant: “Specifically, the Zeus variants spotted in the campaign have been seen to persistently evolve and adapt their methods to implement information stealing procedures (a.k.a., ‘hooking procedures’) that are a direct evolution of a previous variant dubbed ‘Zberp.’ This trend indicates a clear persistent effort to evade detection from client-side security software.”
The Websense blog post also includes examples of the emails used in the campaign, along with an analysis of how the operators have repeatedly modified Zeus’ hooking routines and employed other tactics to evade detection.