Research

Ice IX, the first crimeware based on the leaked ZeuS sources

After rumors about the supposed merger between SpyEye and ZeuS, and the public release of the source of the latter, it was logical that the range of possibilities opened up even more for new cybercriminals into the ecosystem of crimeware.

Consistent with this, it was only a matter of time for the emergence of new packages based on ZeuS crimeware, which is now realized. Ice IX Botnet is the first new generation of web applications developed to manage centralized botnets through the HTTP protocol based on leaked ZeuS source code.

The crimeware of this style is designed to steal banking information. So, it is very clear that we must focus attention on these threats and take into account that this “modified version of ZeuS” has been In-the-Wild since the beginning of year. The following picture is evidence Amazon Elastic Compute Cloud (Amazon EC2) data theft by this browser hooking malware:

The latest version of Ice IX Botnet is 1.0.5, and it is selling for a very competitive $1800 in the underground markets.

It is clear that from now on, more new crimeware will be based on ZeuS code. New developers, hoping to profit from cybercrime, will attempt to create their own new alternatives based on this source.

At Kaspersky Lab, we investigate the impact of not only this particular threat but also new emerging crimeware. We work to keep you informed!

Ice IX, the first crimeware based on the leaked ZeuS sources

Your email address will not be published. Required fields are marked *

 

Reports

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox