| Field | Value |
| --- | --- |
| Name | Zeus |
| Additional Names | Zbot, Zeus Panda |
| Type of Malware | Banking Trojan |
| Location – Country of Origin | China |
| Date of Initial Activity | 2007 |
| Associated Groups | Blackshades, Zeus Gameover, Trickbot, Ryuk |
| Motivation | The two primary goals of the Zeus trojan are stealing victims' financial information and adding infected machines to a botnet. |
| Attack Vectors | Drive-by downloads and phishing attacks |
| Targeted System | Windows |
Overview
ZeuS is a modular banking trojan that uses keystroke logging to capture credentials when a victim visits certain banking websites. Since the release of the ZeuS source code in 2011, many other malware families have adopted parts of its codebase, so incidents classified as ZeuS may actually involve other malware that reuses portions of the original ZeuS code.
Targets
Ordinary individuals.
Tools / Techniques Used
Zeus malware can give attackers full access to infected machines. While the original Zeus variant primarily used man-in-the-browser keylogging to obtain an infected computer's banking credentials and other financial information, many forms of Zeus can also be used to install CryptoLocker ransomware on the compromised system or to add infected computers to a botnet that performs distributed denial-of-service (DDoS) attacks.
Some of the most common Zeus variants are:
Gameover Zeus: The most dangerous Zeus variant, Gameover Zeus allows its operators to launch a potentially devastating ransomware attack on a computer running Microsoft Windows.
SpyEye: This banking malware works similarly to Zeus, and in fact the two programs are closely related.
Ice IX: After the Zeus source code was leaked, Ice IX was the first botnet built on it. It uses rogue web forms to steal financial information such as banking credentials.
Carberp: This banking trojan affects older versions of Windows, such as Windows XP and Windows 7. Its code was combined with the Zeus code base to create a malware strain called "Zberp."
Shylock: This malware also uses man-in-the-browser attacks to steal bank account information.
Impact / Significant Attacks
In 2007, attackers based in Eastern Europe used Zeus to target the United States Department of Transportation.
Indicators of Compromise (IoCs)
Domains
cylt01cloudsim01[.]safebreach[.]net
MD5 Hashes
2db9ee63581f0297d8ca118850685602
416cfb5badf096eef29731ee3bcba7ce
ae6cdc2be9207880528e784fc54501ed
8ad4fb848a323b62036ea463fcf58993