New versions of the Zeus banking Trojan continue to emerge; the latest one discovered shows a high degree of customization for emptying the accounts of customers of Canada's largest banks.

Among the targeted financial institutions are Bank of Montreal, Royal Bank of Canada and the National Bank of Canada, researchers have found.

Trojan hooks into the browser, bypasses SSL mechanism

Just like previous strains of the malware, the freshly detected one relies on web injection: it modifies the bank's pages, or serves fraudulent ones, in real time, inserting rogue form fields that harvest personal and payment data (social security number, card number and expiration date, PIN, driver's license number) alongside the login credentials.

In many cases the difference between the original page and the injected one is very hard to notice, unless the user knows what type of information a bank never asks for. Here, a login page requesting an SSN and a PIN should be enough to raise suspicion.

At the same time, the Trojan preserves every sign of a secure connection. It does not break or proxy the SSL/TLS session to the bank: the browser still negotiates a genuine session with the legitimate server, so the padlock and the certificate check out. The tampering happens inside the browser process, after the response has been decrypted and before it is rendered, which is why this is a man-in-the-browser attack rather than a network man-in-the-middle; no certificate warning is ever triggered.
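As an added illustration (not code from the article, from SentinelOne or from the malware), the following Node.js script models the two halves of what is described above: a Zeus-style web inject applied to the decrypted HTML of a constructed login page, and a simple page-integrity check that flags fields the real form never had. The inject rule follows the before/inject/after structure of Zeus webinject configs; the page markup, the field names and the never-ask list are assumptions made for the example.

```javascript
// Added example: Zeus-style web inject vs. a page-integrity tripwire.
// Everything below is constructed for illustration; no real bank page
// or malware configuration is reproduced.

// Constructed login form as served by the bank over a genuine TLS session.
const ORIGINAL_PAGE = `<form id="login" method="post" action="/login">
  <input name="username" type="text">
  <input name="password" type="password">
  <button type="submit">Sign in</button>
</form>`;

// Constructed inject rule in the before/inject/after shape used by Zeus
// webinject configs: whatever sits between data_before and data_after
// is replaced with data_inject. Here two fields are added that a login
// page would never legitimately request.
const INJECT_RULE = {
  data_before: '<input name="password" type="password">',
  data_inject:
    '\n  <input name="ssn" type="text">' +
    '\n  <input name="card_pin" type="password">\n  ',
  data_after: '<button type="submit">',
};

// Apply one rule to the plaintext response body. In a man-in-the-browser
// attack this runs inside the hooked browser process after decryption,
// so the TLS session, padlock and certificate are untouched.
function applyWebInject(html, rule) {
  const start = html.indexOf(rule.data_before);
  if (start === -1) return html; // rule does not apply to this page
  const from = start + rule.data_before.length;
  let to = from;
  if (rule.data_after) {
    to = html.indexOf(rule.data_after, from);
    if (to === -1) return html; // malformed match, leave page alone
  }
  return html.slice(0, from) + rule.data_inject + html.slice(to);
}

// Field names the genuine login form is known to contain (assumption).
const EXPECTED_FIELDS = ["username", "password"];

// Field names a bank login page should never ask for (assumption,
// modelled on the data the article says the inject harvests).
const NEVER_ASK = /^(ssn|sin|pin|card_pin|card_number|card_exp|licen[cs]e)$/i;

// Collect input names from an HTML fragment. A regex is enough for this
// fragment; a real in-page check would walk document.forms instead.
function inputNames(html) {
  return [...html.matchAll(/<input\b[^>]*\bname="([^"]*)"/gi)].map((m) => m[1]);
}

// Page-integrity check: which inputs are present, which were not expected,
// and which match the never-ask list.
function auditForm(html, expected) {
  const seen = inputNames(html);
  const unexpected = seen.filter((n) => !expected.includes(n));
  const sensitive = seen.filter((n) => NEVER_ASK.test(n));
  return { seen, unexpected, sensitive, tampered: unexpected.length > 0 };
}

// Run the check against the clean page and against the injected one.
function demo() {
  const clean = auditForm(ORIGINAL_PAGE, EXPECTED_FIELDS);
  const injectedPage = applyWebInject(ORIGINAL_PAGE, INJECT_RULE);
  const dirty = auditForm(injectedPage, EXPECTED_FIELDS);
  return { clean, dirty, injectedPage };
}

console.log(JSON.stringify(demo(), null, 2));
```

The audit runs in the same browser the malware controls, so an inject can just as easily strip it from the page; treat it as a tripwire whose result is reported back to the server (absence of the report is itself a signal), not as a control that stops the attack.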

Crooks use sophisticated control panel

Researchers at SentinelOne obtained a sample of the new Zeus variant and were also able to access the control panel the cybercriminals use to manage the financial details pulled from compromised systems.

The amount of detail the crooks have access to through Zeus is impressive: the logs provide not only the captured credentials for each bank account, but also the available balance in every account detected.

Antivirus detection for the new variant was non-existent at the time of discovery, the researchers said in a blog post on Wednesday, though they did not name the products used to test current detection.

If the sample has since been uploaded to a multi-engine service such as VirusTotal, it is likely that at least the major antivirus products now flag the file as a threat.

SentinelOne also found a “Drop” form used to customize each attack.

“For example, criminals can specify the destination bank account to transfer stolen funds, including Drop Name, City, Country, IBAN account number and memo about the transaction. The system can automatically calculate the profit percentage the person who is receiving the stolen money (called a Mule) will keep before transferring the balance to the attacker. The attackers can also specify minimum and maximum balances for accounts targeted and minimum and maximum transfer amounts,” says Anton Ziukin.