{"id":3457,"date":"2014-12-22T17:57:12","date_gmt":"2014-12-22T17:57:12","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3457"},"modified":"2020-02-26T10:58:43","modified_gmt":"2020-02-26T15:58:43","slug":"chthonic-son-of-zeus-a-new-endurance-trial-for-banks","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/chthonic-son-of-zeus-a-new-endurance-trial-for-banks\/3457\/","title":{"rendered":"Chthonic, son of ZeuS: a new endurance trial for banks"},"content":{"rendered":"<p>A new piece of malware is testing the mettle of financial organizations worldwide. Banks in the UK, Spain, the US, Russia, Japan, and Italy make up the majority of its potential targets. Its name is <a href=\"https:\/\/www.kaspersky.com\/about\/news\/virus\/2014\/Kaspersky-Lab-Discovers-Chthonic\" target=\"_blank\" rel=\"noopener nofollow\">Trojan-Banker.Win32.Chthonic<\/a> \u2013 or just Chthonic. So far it has hit over 150 different banks and 20 payment systems in 15 countries. The Trojan attacks end-users \u2013 the banks\u2019 clients \u2013 not the infrastructure of the banks.<\/p>\n<p>Chthonic is \u2013 unsurprisingly \u2013 a <a href=\"https:\/\/business.kaspersky.com\/hunting-the-hydra-why-gameover-zeus-botnet-is-here-to-stay\/2265\" target=\"_blank\" rel=\"noopener nofollow\">ZeuS<\/a>-related <a href=\"https:\/\/business.kaspersky.com\/a-healthy-equinophobia-trojan-horses-explained\/\" target=\"_blank\" rel=\"noopener nofollow\">Trojan<\/a>, an evolved descendant of the most popular, notorious, and actively used banking Trojan. 
What sets it apart is a modular structure and a vast list of known data-stealing capabilities, which makes Chthonic look like a full-blown cyber-espionage tool. However, it isn\u2019t classified as such \u2013 yet.<\/p>\n<p><strong>Chthonic is able to:<\/strong><\/p>\n<ul>\n<li>Collect system information;<\/li>\n<li>Steal saved passwords;<\/li>\n<li>Log keystrokes;<\/li>\n<li>Enable remote access;<\/li>\n<li>Record video via webcam (if present);<\/li>\n<li>Record sound via microphone (if present);<\/li>\n<li>Inject its code into the Internet Explorer process (thus spoofing web pages).<\/li>\n<\/ul>\n<p>Web injections are the malware\u2019s primary weapon. This Trojan is capable of inserting its own code and images into the bank pages loaded by the computer\u2019s browser. This allows the attackers to obtain the victim\u2019s phone number, one-time passwords and PINs, as well as any login and password details entered by the user.<\/p>\n<p>Victims are infected through compromised web links or via email attachments: a .DOC file that installs a backdoor for the malware. The attachment contains a specially crafted RTF document designed to exploit the <a href=\"http:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-1761\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2014-1761<\/a> vulnerability in Microsoft Office products. The flaw was first observed being exploited in the wild in March 2014. For information on affected products, see <a href=\"https:\/\/technet.microsoft.com\/library\/security\/ms14-017\" target=\"_blank\" rel=\"noopener nofollow\">this advisory<\/a> from Microsoft.<\/p>\n<p>Once downloaded, the downloader injects its code into the <em>msiexec.exe<\/em> process (the Windows Installer process). A number of malicious modules are then installed on the machine. 
It is possible that there are unknown modules present in the wild.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020233\/chthonic_wide-1.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-3458\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/12\/06020233\/chthonic_wide-1.jpg\" alt=\"chthonic_wide\" width=\"1000\" height=\"667\"><\/a><\/p>\n<p>What is encouraging is that many of the code fragments Chthonic uses to perform web injections can no longer be used, because banks have changed the structure of their pages and, in some cases, their domains as well. But it is only a matter of time before the Chthonic operators adjust their methods.<\/p>\n<p>We began by saying that the banks are under attack, while it is users who are directly attacked by the Trojan. In practice, the eventual victims of Chthonic \u2013 as with other banking Trojans \u2013 are the banks. End-users <a href=\"https:\/\/business.kaspersky.com\/survey-security-concerns-hold-back-payment-systems-usage\/2447\" target=\"_blank\" rel=\"noopener nofollow\">tend to expect the banks to reimburse their losses from Trojans and fraud<\/a>, and would blame the financial organizations for any security shortcomings, even if the users themselves were actually responsible.<\/p>\n<p>Chthonic, again, is a spawn of ZeuS. That means the ZeuS malware family keeps evolving, and isn\u2019t going away any time soon. 
Chthonic\u2019s multistage infection methods, modular design, and capabilities make it look like a complete cyber-espionage solution. It also shows that the border between \u201ccyber weaponry\u201d and \u201ccommon malware\u201d is becoming more and more blurred (if it still exists at all), so it won\u2019t be surprising if, in a few months, we hear about some <a href=\"https:\/\/business.kaspersky.com\/the-crystal-ball-of-facts-2015-apt-predictions\/3417\" target=\"_blank\" rel=\"noopener nofollow\">APT group<\/a> that employs Chthonic with added capabilities to steal data other than just banking credentials.<\/p>\n<p>Technical details on Chthonic are available on <a href=\"https:\/\/securelist.com\/blog\/virus-watch\/68176\/chthonic-a-new-modification-of-zeus\/\" target=\"_blank\" rel=\"noopener\">Securelist<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new piece of malware hits banks and their clients worldwide. Codenamed Chthonic, it is actually an evolved version of the notorious ZeuS banking 
Trojan.<\/p>\n","protected":false},"author":209,"featured_media":15803,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[734,2267,282,36,698],"class_list":{"0":"post-3457","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-banking-trojans","10":"tag-chthonic","11":"tag-cybersecurity","12":"tag-malware-2","13":"tag-zeus"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/chthonic-son-of-zeus-a-new-endurance-trial-for-banks\/3457\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/chthonic-son-of-zeus-a-new-endurance-trial-for-banks\/3457\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/chthonic-son-of-zeus-a-new-endurance-trial-for-banks\/3457\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/banking-trojans\/","name":"banking 
trojans"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3457","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=3457"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3457\/revisions"}],"predecessor-version":[{"id":33423,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3457\/revisions\/33423"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15803"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=3457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}