The tale of the ever-evolving Zeus trojan and its variants

by chebbi abir

  • Zeus is distributed primarily via spam campaigns, phishing campaigns, and drive-by downloads.
  • By June 2009 Zeus had compromised over 74,000 FTP accounts on websites of companies such as the Bank of America, NASA, ABC, Oracle, Cisco, Amazon, and BusinessWeek.

Zeus, also known as Zbot, is a trojan that steals system information, account credentials, and banking information from compromised systems. It was first spotted in 2007, when it was used to steal information from the United States Department of Transportation. Zeus is distributed primarily via spam campaigns, phishing campaigns, and drive-by downloads.

What are its capabilities – Zeus can steal credentials, download and execute additional files, delete system files, and shut down or reboot the compromised system.

Zeus automatically harvests any Internet Explorer, FTP, or POP3 credentials stored in Windows Protected Storage (PStore). Its main theft technique, however, is the web inject: the bot hooks the browser, watches for the websites listed in its configuration file, intercepts the legitimate page before it is rendered, and rewrites it, typically to add extra form fields (PIN, card number, security answers) that the bank never asked for. Because the tampering happens inside the browser after TLS decryption, the padlock and the URL look normal to the victim.
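The web-inject mechanism is easier to understand with a working model. The following is an added example written for this page, not code from the article or from the malware itself: it parses the publicly documented Zeus webinject configuration format (set_url / data_before / data_after / data_inject / data_end, with * as the only wildcard) and applies it to a page body the way a browser-hooking bot would. The bank hostname, the URL mask, the config and the HTML are constructed sample data; the flag handling is simplified to what is needed to show the rewrite. A small helper at the end shows the check a defender can run from the other side: diffing the form fields the server sent against the form fields the browser ended up showing.

```python
"""Illustrative Zeus-style webinject engine (added example, not the malware's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class WebInject:
    url_mask: str          # wildcard mask, e.g. https://bank.example/login*
    flags: str             # G=GET, P=POST, L=log only (simplified, unused here)
    before: str = ""       # page text the injection point follows
    after: str = ""        # page text the injection point precedes
    inject: str = ""       # content written between 'before' and 'after'


def _wild(pattern: str, anchored: bool = False) -> re.Pattern[str]:
    """Translate a webinject mask, where '*' matches any text, into a regex."""
    body = ".*?".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(f"^{body}$" if anchored else body, re.S)


def parse_webinjects(config: str) -> list[WebInject]:
    """Parse the set_url / data_* / data_end block format into WebInject records."""
    injects: list[WebInject] = []
    current: WebInject | None = None
    section: str | None = None
    buf: list[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if section is not None:                      # inside a data_* block
            if line == "data_end":
                setattr(current, section, "\n".join(buf))
                section, buf = None, []
            else:
                buf.append(line)
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("set_url"):
            parts = line.split()
            current = WebInject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "GP")
            injects.append(current)
        elif line in ("data_before", "data_after", "data_inject"):
            if current is None:
                raise ValueError(f"{line} before any set_url")
            section = line[len("data_"):]            # -> before / after / inject
    return injects


def apply_webinjects(url: str, html: str, injects: list[WebInject]) -> str:
    """Rewrite html as the bot would for a page fetched from url."""
    for wi in injects:
        if not _wild(wi.url_mask, anchored=True).match(url):
            continue
        before = _wild(wi.before).search(html) if wi.before else None
        if wi.before and before is None:
            continue                                  # anchor text not on this page
        start = before.end() if before else 0
        after = _wild(wi.after).search(html, start) if wi.after else None
        if wi.after and after is None:
            continue
        end = after.start() if after else start       # empty 'after' = pure insert
        html = html[:start] + wi.inject + html[end:]  # original span is replaced
    return html


_INPUT_NAME = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.I)


def added_input_names(original: str, modified: str) -> set[str]:
    """Defender-side check: form field names present in the rendered page but not in the served one."""
    return set(_INPUT_NAME.findall(modified)) - set(_INPUT_NAME.findall(original))


# Constructed sample config: ask for a PIN right after the password box on the login page.
SAMPLE_CONFIG = """
set_url https://bank.example/login* GP
data_before
<input type="password" name="pass"*>
data_end
data_after
data_end
data_inject
<br>PIN: <input type="text" name="pin">
data_end
"""

# Constructed sample page as the (hypothetical) bank would serve it.
SAMPLE_PAGE = (
    '<form action="/login" method="post">User: <input type="text" name="user">'
    'Pass: <input type="password" name="pass" id="pass"><input type="submit"></form>'
)

if __name__ == "__main__":
    page = apply_webinjects("https://bank.example/login?lang=en", SAMPLE_PAGE,
                            parse_webinjects(SAMPLE_CONFIG))
    print(page)
    print("fields added by inject:", added_input_names(SAMPLE_PAGE, page))
```

The empty data_after block is the common case in real configs: it turns the inject into a pure insertion after the anchor text. A non-empty data_after instead marks the end of a span that is replaced wholesale, which is how injects also remove warning banners or balance figures. The added_input_names check is the simplest form of the integrity comparison banks later built into their login pages; it only catches injects that add named inputs, not ones that alter text or scripts.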

Zeus family trojans

Banking trojans commonly grouped with the Zeus family, either built on its code or competing in the same niche, include Gameover, SpyEye, Ice IX, Citadel, Atmos, Carberp, Bugat, Shylock, Torpig, Panda Banker, Sphinx, and Neutrino.

Zeus linked to ‘Rock Phish group’

In 2009, Zeus infected nearly 154,000 computers. The United States was the most affected country, followed by Japan, Great Britain, Australia, Canada, Germany, Russia, the Netherlands, Italy, and India.

Initially, Zeus was suspected of being linked to the “Rock Phish” threat group, which targets financial institutions across the globe.

Zeus compromised 74,000 FTP accounts

By June 2009, Zeus had compromised over 74,000 FTP accounts on websites of companies such as the Bank of America, NASA, ABC, Oracle, Cisco, Amazon, and BusinessWeek. Stolen FTP credentials let the operators plant malicious code on legitimate sites, feeding the drive-by-download side of the distribution.

Zeus trojan linked with Citadel, Atmos, and SpyEye

Citadel, first seen in 2012, was built on the leaked Zeus source code. In 2016, researchers analyzed the Atmos malware that targeted banks in France and confirmed that Atmos is a Zeus descendant, a successor to Citadel.

Slavik, the author of Zeus, promoted his malware on underground forums and in 2010 handed the Zeus source code to the SpyEye author Gribodemon, aka Harderman, who merged features of the two trojans.

Trojan.Bolik.1 and CryptoLocker reuse Zeus

In June 2016, Trojan.Bolik.1 targeted Russian banks. This trojan borrowed the web-injection code from Zeus to steal banking credentials. In addition, the Gameover Zeus botnet was used to install the infamous ransomware CryptoLocker.

Zeus distributed via phishing emails

In June 2016, a phishing campaign disguised as a shipping notification from FedEx targeted users’ credentials. The phishing emails carried a malicious PDF attachment which, when opened, delivered the Fareit information stealer and the Zeus trojan.

Zeus variant Panda Banker

In 2016, a new variant of Zeus dubbed ‘Panda’ or ‘Panda Banker’ was spotted targeting online banking services in Europe and North America, including the U.K., Germany, the Netherlands, Poland, Canada, and the U.S. Zeus Panda targets online payments, prepaid cards, airline loyalty programs, online betting accounts, and more.

Panda Banker targets Brazilian banks

After targeting Europe and North America, Zeus Panda shifted its focus to Brazil. In July 2016, Panda targeted Brazilian banks and other online banking services. Its configuration also listed websites of local law enforcement, network security hardware vendors, Brazilian e-commerce loyalty programs and Boleto payment services.

Zeus variant Sphinx

Another Zeus variant, dubbed ‘Sphinx’, targeted online banking services and Boleto payment services in Brazil and Colombia.

Zeus distributed via MSG file attachments

In October 2016, a phishing campaign disguised as a tax notification from the Canada Revenue Agency targeted users’ banking credentials. The phishing emails included a malicious Outlook MSG file attachment that fetched the Terdot downloader, which in turn dropped the Zeus trojan.

Floki Bot malware came from Zeus

According to a report published by Cisco Talos and Flashpoint, Floki Bot is based on the Zeus source code, which was leaked in May 2011. The researchers’ analysis confirmed the lineage while noting that Floki Bot adds its own features on top of the leaked code.

Zeus targets Firefox with Mozilla Font Pack

In May 2017, a new social engineering attack targeted Chrome and Firefox users with a fake ‘Chrome Font Pack’ or ‘Mozilla Font Pack’. The spam campaign lured users to a page that claimed ‘The HoeflerText font was not found’ and that they needed to update the ‘Mozilla Font Pack’. Clicking the ‘Update’ button downloaded and executed the Zeus trojan.

Zeus variant Neutrino

In July 2017, another Zeus variant dubbed ‘Neutrino’ was spotted stealing credit card data from Point-of-Sale systems. Zeus Neutrino’s capabilities include downloading files, taking screenshots, searching running processes by name, modifying registry keys, searching the infected host for files by name, and running proxy commands.

Zeus variants targeted victims during holidays

Zeus Panda targeted online shopping sites for credit card information during the Christmas holidays in 2017.

In January 2018, attackers compromised the official website of a Ukraine-based accounting software developer and used it to distribute a new Zeus variant over a Ukrainian holiday.

Zeus Panda’s three campaigns

In May 2018, researchers observed three Zeus Panda campaigns. The first targeted cryptocurrency exchanges. The second targeted e-commerce, entertainment, and social media platforms such as Amazon, Facebook, Twitter, Instagram, MSN, YouTube, Flickr, Microsoft, Gmail, Yahoo, and Japanese adult sites. The third targeted financial organizations in the US and Canada, including Wells Fargo and Citibank.

Zeus Panda spreading via Emotet

In October 2018, Zeus Panda was spotted being distributed through the Emotet banking malware’s delivery infrastructure, targeting victims in the US, Canada, and Japan. Its primary goal was stealing credit card data, bank account information, and online wallet credentials.
