M86 Security Reveals How Zeus Trojan Targets U.K. Bankers

New research from M86 Security has uncovered another botnet built on a version of the Zeus Trojan that is using exploit kits, malicious ads and malware to steal money and bank credentials from people in the United Kingdom.

Researchers at M86 Security have uncovered yet another botnet built on the Zeus Trojan that is swiping bank information from people in the United Kingdom.

The attack is still ongoing, and is known to have stolen ???675,000 (nearly $1.1 million) from customers between July 5 and Aug. 4. According to M86, the crew behind the scheme is using a combination of exploit toolkits and the Zeus v3 Trojan, and is responsible for stealing data from roughly 3,000 user accounts.

"While analyzing [information on malicious sites] we found patterns of U.K.-centric legitimate Websites that were infected with malware," said Bradley Anstis, vice president of technical strategy for M86. "We purposely infected ourselves with this malware, the infected machine then started communicating back with its command and control servers. This is how we zeroed in on this particular attack. The data was found on the command and control infrastructure operated by the attackers."

In addition to Zeus, the attackers are using the Eleonore and Phoenix exploit kits, both of which are known for exploiting victims' browsers to install Trojans onto their PCs. The process often started with malicious banner ads placed on legitimate Websites. Users who clicked on the ads would be directed to an infected Website containing the exploit kits. The user would then be redirected to the exploit kit, and their PC would become infected, the researchers found.

With Zeus v3 on their PC, when the victim logged into their online bank account their login ID, date of birth and a security number would be transferred to the command and control server. Once the user entered the transaction portion of the site, the Trojan would report to the C&C and receive new JavaScript to replace the original JavaScript from the bank. When the user submitted the transaction form, more data was sent to the C&C system instead of the bank.

"After analyzing the data, the system determined whether the user had enough money in the account," according the report. "It selected the most appropriate mule account to retrieve the money, wrapped all the data, and sent it back to the Trojan installed on the victim's machine."

Afterwards the Trojan would update the data in the form and send it to the bank to complete the transaction, with the bank's response reported back to the C&C system by the malware.

This is far from the first time Zeus has been linked to theft of bank information. Last week, researchers at Trusteer reported finding a 100,000-strong botnet built on Zeus v2 that was targeting bankers in the U.K. as well. In that case, the malware pilfered all kinds of user data, including credit and debit card information and browser cookies.

According to Anstis, the botnet uncovered by M86 was only targeting customers of one institution, and the company is sharing its findings with law enforcement.

"The only link we have is the location of the command and control servers in Eastern Europe, but the actual operators could be anywhere," he said.