Research shows that this malware family is an offshoot of ZeusVM malware. However, the Trojan-Banker.Win32.Chthonic family is significantly different from its predecessors.
In this newer malware, the cybercriminals use code obfuscation techniques observed previously in the Andromeda bot family. To complicate attempts to analyze the malware and its network traffic, cybercriminals encrypt malware components (such as configuration files) using the same algorithms and methods seen with the Zeus AES and Zeus V2 Trojans. As with the ZeusVM malware family (also known as KINS), Trojan-Banker.Win32.Chthonic encrypts its files with the help of a virtual machine.
Trojans of this family are distributed by cybercriminals in spam messages designed to exploit vulnerabilities, or by the Andromeda bot, which downloads the malware to an infected computer.
The initial Trojan-Banker.Win32.Chthonic loader downloads a more advanced loader, which then downloads the main module of the Trojan.
Trojans in this family have a modular architecture, with a main component that supports the following downloadable modules:
• info: collects information about the infected computer.
• pony: steals saved passwords.
• klog: intercepts keystrokes.
• http: inserts a malicious script into web pages and intercepts data entered in online forms in web browsers.
• vnc: enables cybercriminals to remotely connect to the infected computer and perform banking transactions.
• socks: a separate SOCKS proxy server.
• cam_recorder: enables cybercriminals to record video and audio from a computer's webcam and microphone.
Geographical distribution of attacks by the Trojan-Banker.Win32.Chthonic family
Geographical distribution of attacks during the period from 03 June 2015 to 03 June 2016
Top 10 countries with most attacked users (% of total attacks)
(Table rows not recovered; column: % of users attacked worldwide*)
* Percentage among all unique Kaspersky Lab users worldwide attacked by this malware