Banking Trojan based on Zeus malware found in the wild
Trojan injects fake forms into web pages to persuade infected users to spill credentials and financial information
A new banking Trojan based on the source code from the Zeus malware has been uncovered in the wild.
The Trojan, according to security software company Dr Web, which claims to have found it, tries to induce infected PC users to spill their credentials by performing 'web injects'. That is to say, the Trojan injects arbitrary content, such as fake forms, into web pages the user browses whose addresses appear in its configuration.
"Users don't usually notice the replacement because the resource's URL and design look the same, and the fake form or text is added to the page right on the infected computer," warns Dr Web.
It continues: "Banking Trojans can affect customers of many credit organizations because the Trojans get the web inject information directly from a command and control (C&C) server. If a user logs into a website whose address has already been added to the Trojan's configuration, Trojan.PWS.Sphinx.2 injects the content prepared by the cybercriminals."
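The web-inject mechanism described above, shown as an added example in JavaScript (this is not Dr Web's analysis code or the Trojan's own code): a constructed inject rule keyed by URL adds two credential fields to a constructed bank login page, exactly where the page's own password field sits, and a page-integrity check of the kind a bank's own front-end script can run flags the fields the page does not expect. The rule keys, the bank URL and the login form are assumptions for illustration, and the HTML is handled as a string so the example runs under Node without a browser.

```javascript
// Simulated web inject plus a page-integrity check that catches it.
// Added example; the config format below is a simplified, constructed
// stand-in for a Zeus-style inject rule (target URL, anchor, payload).
const INJECT_CONFIG = [
  {
    // Assumption: a constructed bank login URL the C&C has targeted.
    urlPattern: /^https:\/\/online\.example-bank\.test\/login/,
    // Anchor: the markup the fake fields are inserted right after.
    after: '<input type="password" name="password">',
    // Payload: extra fields the real page never asks for.
    inject:
      '<label>Card PIN</label><input type="password" name="pin">' +
      '<label>Mother\'s maiden name</label><input type="text" name="mmn">',
  },
];

// What the Trojan does on the infected host: the server's HTML is unchanged,
// but the copy handed to the browser has the payload spliced in, so the URL
// and the page design still look right to the victim.
function applyWebInject(url, html, config = INJECT_CONFIG) {
  let out = html;
  for (const rule of config) {
    if (!rule.urlPattern.test(url)) continue; // not a targeted site
    const idx = out.indexOf(rule.after);
    if (idx === -1) continue; // anchor not on this page
    const at = idx + rule.after.length;
    out = out.slice(0, at) + rule.inject + out.slice(at);
  }
  return out;
}

// Collect the name= attribute of every <input> in document order.
function formFieldNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname="([^"]+)"[^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Defensive check: the bank's page knows which inputs its own login form
// has. Any other input in the rendered form is an unexpected field and is
// reported (in production, to the bank's fraud telemetry endpoint).
function detectInjectedFields(renderedHtml, expectedFields) {
  const expected = new Set(expectedFields);
  return formFieldNames(renderedHtml).filter((name) => !expected.has(name));
}

// Constructed login page as served by the bank.
const LOGIN_PAGE = `<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="constructed-token">
  <button type="submit">Sign in</button>
</form>`;
const EXPECTED_FIELDS = ['username', 'password', 'csrf'];

// Run the check against a clean page and against the same page as seen on
// an infected host; returns the unexpected fields found in each case.
function demo() {
  const clean = detectInjectedFields(LOGIN_PAGE, EXPECTED_FIELDS);
  const infectedPage = applyWebInject(
    'https://online.example-bank.test/login',
    LOGIN_PAGE,
  );
  const infected = detectInjectedFields(infectedPage, EXPECTED_FIELDS);
  return { clean, infected };
}

console.log(JSON.stringify(demo()));
```

The check works because the injection happens on the victim's machine, after the server has sent the page: the bank cannot see the extra fields in its own HTML, but a script that ships with the page can compare the form it finds in the DOM with the form it expects. A real deployment would also need to hide the expected-field list from trivial patching and to report rather than merely log, which this example leaves out.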
Once launched, it injects itself into the running Explorer (explorer.exe) process and decrypts the loader body and the configuration file, in which the C&C server's address and encryption key are hidden.
The Trojan has a modular architecture, downloading plug-ins from the controllers' command-and-control server. "Two of these modules are designed to perform web injects on 32- and 64-bit versions of Windows, and the other two are for running a VNC server the cybercriminals can use to connect to an infected computer," warns Dr Web.
It also downloads and saves a set of utilities for installing a root certificate on the infected PC, so that the attackers can intercept the victim's encrypted web traffic in man-in-the-middle attacks. It also comes bundled with a keystroke logger.
"Worth highlighting is the unique way in which the Trojan automatically launches itself on an infected machine: Trojan.PWS.Sphinx.2 uses a PHP script and a PHP interpreter.
"The script is executed via a shortcut and placed in the autorun folder by the Trojan. All the information required for the Trojan's operation is encrypted and stored in the Windows system registry. Modules are saved to a separate file with a random extension, which is also encrypted," advises Dr Web.
Email-borne threats have exploded in the last year, thanks to the ease with which cyber-criminals can directly make money from infected PCs. While today's cyber-criminals prefer extortion via ransomware, banking Trojans remain a threat.
According to Dr Web's larger Russian rival Kaspersky, about three-quarters of ransomware is the work of Russian or native Russian-speaking criminal gangs.