Chthonic, son of ZeuS: a new endurance trial for banks

December 22, 2014

A new piece of malware is testing the mettle of financial organizations worldwide. Banks in the UK, Spain, the US, Russia, Japan, and Italy make up the majority of its potential targets. Its name is Trojan-Banker.Win32.Chthonic – or just Chthonic. So far it has hit over 150 different banks and 20 payment systems in 15 countries. The Trojan attacks end-users – the banks’ clients – not the infrastructure of the banks themselves.

Chthonic is – unsurprisingly – a ZeuS-related Trojan, an evolved descendant of the most popular, notorious, and actively used banking Trojan. What sets it apart is its modular structure and a long list of known data-stealing capabilities, which make Chthonic look like a full-blown cyber-espionage tool. However, it isn’t classified as such – yet.


Chthonic is able to:

  • Collect system information;
  • Steal saved passwords;
  • Log keystrokes;
  • Enable remote access;
  • Record video via the web camera (if present);
  • Record sound via the microphone (if present);
  • Inject its code into the Internet Explorer process (thus spoofing the web pages the user sees).

Web injectors are the malware’s primary weapons. The Trojan is capable of inserting its own code and images into the bank pages loaded by the browser on the infected computer. This allows the attackers to obtain the victim’s phone number, one-time passwords and PINs, as well as any login and password details entered by the user.

Victims are infected through compromised web links or by email attachments with a .DOC file that installs a backdoor for the malware. The attachment contains a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products. The flaw was first observed being exploited in the wild in March 2014. For information on affected products, see this advisory from Microsoft.
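As an added illustration of the delivery vector described above (example code, not part of the original post or of any Kaspersky tooling), the following Python triage check flags a mail attachment that carries a .DOC name but whose bytes are actually an RTF document; the file names and sample bytes are constructed.

```python
# Triage check for Office-style mail attachments whose file extension
# does not match the container format of their actual bytes.
RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Word (.doc)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx) zip container

# Container types that are legitimate for each extension.
EXPECTED = {"doc": {"ole"}, "docx": {"ooxml"}, "rtf": {"rtf"}}


def container_type(data: bytes) -> str:
    """Classify the attachment by its leading bytes, never by its name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.lstrip()[:5].lower().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict; an RTF body under a .doc name is the
    pattern this post describes and is called out explicitly."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = container_type(data)
    verdict, reason = "ok", ""
    if ext == "doc" and kind == "rtf":
        verdict, reason = "suspicious", "RTF content delivered under a .doc name"
    elif ext in EXPECTED and kind not in EXPECTED[ext]:
        verdict, reason = "suspicious", f"extension .{ext} but container is {kind}"
    return {"file": filename, "container": kind, "verdict": verdict, "reason": reason}


def suspicious_files(attachments: dict) -> list:
    """Names of all attachments that fail the container check."""
    return [n for n, d in attachments.items()
            if triage_attachment(n, d)["verdict"] == "suspicious"]


# Constructed sample attachments (not real malware samples).
SAMPLES = {
    "invoice.doc": OLE_MAGIC + b"\x00" * 16,
    "statement.doc": b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}} hello}",
    "report.docx": ZIP_MAGIC + b"\x00" * 12,
    "notes.rtf": b"  {\\rtf1 plain}",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage_attachment(name, blob))
```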

Once downloaded, the downloader injects its code into the msiexec.exe process – the Windows Installer process. A number of malicious modules are then installed on the machine. It is possible that further, as yet unknown, modules are present in the wild.


What is encouraging is that many code fragments used by Chthonic to perform web injections can no longer be used because banks have changed the structure of their pages and, in some cases, the domains as well. But it is just a matter of time before the Chthonic operators adjust their methods.

We began by saying that the banks are under attack, even though it is users who are directly attacked by the Trojan. In practice, the eventual victims of Chthonic – as of other banking Trojans – are the banks. End-users tend to expect the banks to reimburse their losses from Trojans and fraud, and will blame the financial organizations for any security shortcomings, even where the users themselves were at fault.

Chthonic, again, is ZeuS’ spawn. That means the ZeuS malware family keeps evolving, and isn’t going away any time soon. Chthonic’s multistage infection methods, modular design, and capabilities make it look like a complete cyber-espionage solution. It also shows that the border between “cyber weaponry” and “common malware” is becoming more and more blurred (if it still exists at all), so it won’t be surprising if in a few months we hear about some APT group employing Chthonic, with some added capabilities, to steal data other than just banking credentials.

Technical details on Chthonic are available on Securelist.