Dubbed ZeusVM, this particular offshoot uses images as a decoy to retrieve its configuration file, a vital piece for its proper operation. As Malwarebytes researcher Jerome Segura explained, a victim could be looking at “a beautiful picture of a sunset and you would never guess that code used to steal money is hiding within this image.”
Interestingly, he pointed out that steganography itself is an old practice: in ancient Greece, secret instructions carved on wood were covered with wax where an innocent message would fool any outsider.
“In that regard, the bad guys aren’t really innovators per se, they are just applying old tricks to modern technology,” Segura wrote in a blog.
In this case, malevolent code is simply attached to an ordinary picture. Segura said that when an infected user then loads their banking website, the trojan starts acting as a man-in-the-middle utility and can literally empty out a bank account in total discretion, safely hidden away in the image. And the bank cannot tell these are illegal money transfers, because the customer was properly authenticated into its system.
“Hiding malevolent code in such a way can successfully bypass signature-based intrusion detection systems or even antivirus software,” Segura noted. “From a webmaster point of view, images (especially ones that can be viewed) would appear harmless.”
To make identification more difficult, the appended data is encrypted with Base64, RC4 and XOR. Segura explained that to decode it, it’s possible to reverse the file with a debugger such as OllyDbg and grab the decryption routine – or, use the leaked Zeus source code to create one’s own module that will decompress the data blocks.
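A defender's check for the "data attached to an ordinary picture" pattern the article describes, as an added example that is not part of the article or of Malwarebytes' analysis: it walks the JPEG segment structure to find the real End-Of-Image marker and returns whatever follows it. A simple search for the last FF D9 would miss a payload that itself contains those bytes, so the parser is used instead. The sample image bytes and the "config" blob are constructed here; the article does not give ZeusVM's exact file layout.

```python
# Added example: report bytes appended after a JPEG's real EOI marker.
from typing import Optional

EOI, SOS = 0xD9, 0xDA
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-7 carry no length field


def find_jpeg_eoi(data: bytes) -> Optional[int]:
    """Return the offset just past the EOI marker, or None if not a JPEG."""
    if data[:2] != b"\xff\xd8":  # must start with SOI
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None  # a marker was expected here
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte, skip it
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # skip segment
        if marker == SOS:
            # Entropy-coded data: FF 00 is a stuffed byte and FF D0-D7 are
            # restart markers; any other FF xx is the next real marker.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break
                pos += 1
    return None


def trailing_payload(data: bytes) -> bytes:
    """Bytes after the image proper; non-empty means something was appended."""
    end = find_jpeg_eoi(data)
    return b"" if end is None else data[end:]


# Constructed minimal JPEG: SOI, APP0, SOS, scan data with a stuffed byte and a
# restart marker, then EOI (22 bytes in total).
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x04JF" + b"\xff\xda\x00\x03\x01"
              + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
# Constructed appended blob that deliberately starts with FF D9.
CONFIG_BLOB = b"\xff\xd9CONFIG-PLACEHOLDER"

if __name__ == "__main__":
    print(len(trailing_payload(CLEAN_JPEG + CONFIG_BLOB)), "appended bytes found")
```

Run over a directory of images, any non-empty result is worth a closer look, regardless of how the appended bytes are encoded.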
Overall, the variant is a good reminder that a file should not be considered safe simply because it appears to be a legitimate picture, song or movie, Segura concluded.
The new attack vector was uncovered originally by French security researcher Xylitol, who noted something strange in one of the malvertising campaigns that he had previously reported.
“The malware was retrieving a .jpeg image hosted on the same server as were other malware components,” Segura explained. “Over the next couple weeks, we exchanged a few more emails as he had discovered other samples exhibiting the same behavior. Curious about this new trick, I decided to study one of those pictures more closely to better understand what was going on.”