Malware targeting financial accounts is increasingly borrowing techniques formerly seen only in targeted attacks designed for espionage and intelligence gathering, according to new research from SophosLabs.
These techniques, including the use of booby-trapped Word documents, had been telltale signs of so-called advanced persistent threats (APTs). But our research shows that cybercriminals behind financial malware such as Zbot (Zeus) are now borrowing the same attack methods to spread money-making malware.
Many of the document-based APT attacks seen by SophosLabs in the past year were carried out by malware from the family known as PlugX. We saw PlugX malware in attacks aimed at users in Japan late last year, for example. But in recent months, SophosLabs has seen a much higher number of document-based attacks carrying Zbot (also called Zeus).
According to SophosLabs threat researcher Gabor Szappanos, who has been following the development of document-based APTs for the past year, about 33% of all APT-style document-based attacks in January and February of this year contained malware from the Zbot family.
Zbot is a widespread malware family that is designed primarily to steal banking data, including usernames, passwords and the one-time access codes used in two-factor authentication. Zbot also frequently deploys ransomware like Cryptolocker to make money for its masters.
What does this all mean? As Gabor reports, it means the cybercriminals behind Zbot have seen the potential to use APT techniques to make more money, and they are rapidly borrowing these techniques to spread their malware to more victims.
“Exploited documents, once used almost exclusively by players in the APT scene, are now used routinely in the sort of malware that is distributed widely by money-seeking cybercriminals,” Gabor writes at Naked Security.
According to SophosLabs, the vast majority of the APTs we have seen in the past two months seek to exploit just a handful of vulnerabilities in Microsoft Office from 2010 and 2012.
Find out more about APTs
Read the SophosLabs article, which includes three security tips.
Read the blog post at Naked Security by Paul Ducklin for his take on APTs.
Read the Sophos Blog post about how Sophos UTM protects you against APTs with the Advanced Threat Protection feature available in Sophos UTM Accelerated (9.2).
Free whitepaper: APTs explained
If you want to find out more about how APTs work and what you can do to protect yourself against them, download our free whitepaper (you will have to register).