
Chthonic: Fresh strain of Zeus trojan virus causing yet more havoc for banks

A new online banking Trojan is in town, and Chthonic, as it’s known, is an offshoot of the Zeus malware which has previously caused a lot of pain and misery for financial institutions and their customers.

Trojan-Banker.Win32.Chthonic, to give the nefarious piece of code its full name, has already spread over a wide area and, according to security firm Kaspersky, has hit no fewer than 150 banks across 15 different countries, including the UK, the US, Russia and Japan.

As ever, this Trojan is after your banking password, and uses various functions to try and get that and other details, including key logging and even the computer’s webcam, with the latter being used to record video and sound. The malware can also enable remote access to the target computer.

Infection can happen via dodgy links to websites hosting the malware, or via email attachments that carry the payload in a document file.

Kaspersky notes that Chthonic uses web injectors to insert its own code and images into an online banking web page as it’s loaded in the browser, allowing the capture of sensitive details being entered.

Levels of sophistication vary, apparently, but Kaspersky notes that in the case of one Japanese bank, the Chthonic malware actually hid the bank’s warnings and injected a script that allowed attackers to carry out transactions using the victim’s account.

This is definitely one piece of malware you need to watch out for, particularly as it has hit UK targets. Doubtless we can expect other offshoots of Zeus in the future, too, as online banking is still one of the juiciest targets for cyber-criminals (even if targets like SMBs with reams of sensitive data are becoming more sought after as they’re much softer propositions).

Yury Namestnikov, Senior Malware Analyst at Kaspersky Lab, commented: “The discovery of Chthonic confirms that the ZeuS Trojan is still actively evolving … Chthonic is the next phase in the evolution of ZeuS. It uses Zeus AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the Andromeda downloader – to target ever more financial institutions and innocent customers in ever more sophisticated ways.”