Atmos: yet another ZeuS variant is threatening businesses

April 22, 2016

Cybersecurity researchers have rung the alarm bells about a new banking malware codenamed Atmos. This nasty creature tries to steal banking credentials from infected PCs, and then drops ransomware (namely, TeslaCrypt) as a farewell "gift". What is most peculiar about this Trojan, however, is that it turns out to be part of the infamous ZeuS strain of banking malware.

ZeuS is a long-standing cybersecurity nemesis. It first surfaced back in 2007 and became a top-tier threat as its various revisions and modifications formed one of the largest, if not the largest, botnets on the Web. By 2013, it had infected an estimated 13 million PCs worldwide. Members of the associated cybercrime ring are rumored to have stolen up to $70 million using this Trojan.

In 2010, the FBI conducted its first major crackdown against the Trojan. More than 100 people were arrested on charges of conspiracy to commit bank fraud and money laundering: over 90 in the U.S., and others in the UK and Ukraine. This, however, did not bring ZeuS' botnets down completely.

In 2011, ZeuS’ source code was “leaked” on the Web, allowing for the creation of numerous derivatives.


In 2012, Microsoft's Digital Crimes Unit went in. Together with a number of partners from the financial services sector, it carried out Operation b71, a large takedown that disrupted the largest ZeuS botnets at once. While the operation was a success, no one really expected it to eradicate ZeuS completely.

Later on, in 2014, a large number of major national and international law enforcement agencies, along with multiple security companies and academic researchers, carried out Operation Tovar, an effort of truly epic proportions, to bring down the botnets built with Gameover ZeuS, a successor to the original ZeuS. The operation was at least partially successful: communication between Gameover ZeuS bots and their C&C servers was cut off temporarily, and the cybercriminals' attempts to send a copy of their database to a safe location were intercepted by the cybercrime fighters.

Gameover ZeuS was especially problematic because it was not only stealing credentials, but also dropping ransomware (then the dreaded CryptoLocker). As part of dismantling Gameover's network, the crime fighters managed to obtain the keys that allowed the estimated 500,000 Gameover/CryptoLocker victims to unlock their files.

So where does that leave ZeuS? Its creator is apparently still at large, as are the operators of Gameover, of Chthonic (yet another derivative), and of many others. The ZeuS source code is still being upgraded and improved, and new malware is being built on top of it, often reusing just some parts of the original code.

One such part is the web inject engine, which still proves very usable and useful to cybercriminals. Web injects let the Trojan rewrite a banking page inside the victim's browser, after TLS has been stripped, so that extra fields or scripts appear on an otherwise genuine page. Atmos may differ from the original ZeuS in many regards, but it uses the very same injects ZeuS has been infamous for.
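To make the mechanism concrete, here is an added example (not code from this article, from Kaspersky Lab, or from any malware family) that parses a small, constructed inject configuration laid out in the widely documented ZeuS webinjects.txt style (set_url, data_before, data_inject, data_after, each terminated by data_end), applies it to a constructed login page the way a man-in-the-browser would, and then runs the check a defender can actually make: diffing the form fields of the page the browser rendered against the server's own copy. The URL, page, field names and the semantics assumed for data_after (a non-empty data_after causes the span between the two anchors to be replaced by data_inject) are assumptions of this example.

```python
"""ZeuS-style web inject: parse config, apply to a page, detect the result.

Added illustration only. The config syntax mirrors the commonly documented
ZeuS webinjects.txt layout; the URL, HTML and injected field are constructed.
"""
import fnmatch
import re
from dataclasses import dataclass

# Constructed config. Flags are commonly documented as G = GET, P = POST, L = log only.
SAMPLE_CONFIG = """
set_url https://bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<label>ATM PIN</label><input type="text" name="pin">
data_end
data_after
data_end
"""

# Constructed server-side page, the reference copy a defender can compare against.
ORIGINAL_PAGE = """<html><body>
<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password" autocomplete="off">
<input type="submit" value="Sign in">
</form>
</body></html>"""


@dataclass
class Inject:
    url_mask: str          # set_url pattern, '*' is a wildcard
    flags: str             # e.g. "GP"
    before: str = ""       # anchor after which data_inject is placed ('*' allowed)
    inject: str = ""       # HTML/JS to insert
    after: str = ""        # optional end anchor; span between anchors is replaced


def parse_webinjects(text):
    """Parse a webinjects.txt-style config into Inject records."""
    injects, cur = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("set_url"):
            parts = line.split()
            cur = Inject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            injects.append(cur)
        elif line in ("data_before", "data_inject", "data_after") and cur is not None:
            body = []
            for body_line in lines:          # consume until the matching data_end
                if body_line.strip() == "data_end":
                    break
                body.append(body_line)
            setattr(cur, line[len("data_"):], "\n".join(body))
    return injects


def _mask_to_regex(mask):
    """Turn a '*'-wildcard anchor into a regex; everything else is literal."""
    return ".*?".join(re.escape(part) for part in mask.split("*"))


def apply_injects(url, html, injects):
    """Return the page as the victim's browser would see it after injection."""
    out = html
    for inj in injects:
        if not fnmatch.fnmatchcase(url, inj.url_mask):
            continue
        m = re.search(_mask_to_regex(inj.before), out, flags=re.S)
        if not m:
            continue
        start = end = m.end()
        if inj.after:                        # assumed semantics: replace up to data_after
            m2 = re.search(_mask_to_regex(inj.after), out[start:], flags=re.S)
            if not m2:
                continue
            end = start + m2.start()
        out = out[:start] + inj.inject + out[end:]
    return out


_INPUT_NAME = re.compile(r'<input\b[^>]*\bname="([^"]*)"', re.I)


def injected_fields(original_html, observed_html):
    """Form fields present in the rendered page but absent from the server's copy.

    TLS does not protect against this: the rewrite happens inside the browser,
    so the server-side original is the only trustworthy reference.
    """
    return sorted(set(_INPUT_NAME.findall(observed_html)) - set(_INPUT_NAME.findall(original_html)))


if __name__ == "__main__":
    cfg = parse_webinjects(SAMPLE_CONFIG)
    seen = apply_injects("https://bank.example/login?sid=1", ORIGINAL_PAGE, cfg)
    print(seen)
    print("unexpected fields:", injected_fields(ORIGINAL_PAGE, seen))
```

The detection half is deliberately simple: a banking site can ship a client-side integrity script that compares the live DOM's form fields with a signed manifest, or compare posted parameters against the expected set server-side; a posted `pin` field the form never had is a strong man-in-the-browser indicator.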

Security researchers say Atmos itself is representative of a new breed of malware, developed "very precisely" in order to carry out targeted attacks. Its developers go to great pains to fine-tune their new creation; it is still at an early stage, but already poses a serious threat. Experts say Atmos may later become much more aggressive, attacking not just banks but other industries too.

The best way for businesses to protect themselves is to deploy a robust, multilayered protective solution, capable of preventing malware (ransomware included) from slipping in, as well as protecting the enterprise from fraud and targeted attacks. Check out Kaspersky Lab's Enterprise Security solutions.