New ZE Loader Targets Online Banking Users


IBM Trusteer closely follows developments in the financial cyber crime arena. Recently, we discovered a new remote overlay malware that is more persistent and more sophisticated than most malware of its kind seen today. In this post we dive into the technical details of the sample we analyzed and present ZE Loader's capabilities and features. The parts that set it apart from other malware of this kind are:


Installation of a backdoor to the victim’s device
Remaining stealthy in the guise of legitimate software
Holding permanent assets on the victim’s device
Stealing user credentials

Another aspect we examine here is the set of algorithms the malware uses to encrypt its resources and events. We also suggest tactics for detecting the presence of ZE Loader on infected devices in order to mitigate its potential impact.


Overlay Malware Is an Enduring Threat


Overlay malware is not a new threat, nor is it very sophisticated. Yet, this malware category, which typically spreads in Latin America, Spain and Portugal, is an enduring one. We keep seeing it used in attacks on online banking users in those regions, and its success fuels the interest of cyber criminals to continue using it.


In the case of ZE Loader, we did see some new features that push the typical boundaries of overlay Trojans. For example, most malware in this category does not keep assets on the infected device, but ZE Loader does. In most cases, this sort of malware does not go to the lengths of hiding its presence: its lifecycle is short, so the effort would be wasted. ZE Loader, by contrast, does use some stealth tactics.


Typical Attack Anatomy


A remote overlay attack follows a rather familiar path. Once the user ..
