ZeuS Banking Trojan Resurfaces As Atmos Variant

Atmos banking malware has perilous pedigree that includes Citadel and ZeuS.

Old nemeses die hard, especially when you’re banking malware named ZeuS. According to Denmark-based Heimdal Security, the potent 9-year-old malware ZeuS has morphed into the up-and-coming Atmos malware – now targeting banks in France.

Researchers are warning that the criminals behind Atmos have been putting the finishing touches on this latest malware threat – perfecting how, where and what it will target. For now, Heimdal Security said, it’s focused on banks, but tomorrow the sky is the limit.

A digital analysis of Atmos shows the malware is part of a ZeuS strain that dates back to 2007. That’s when ZeuS malware earned notoriety for compromising nearly 75,000 websites owned by the likes of ABC, Bank of America and Oracle. In 2013, the ZeuS code was used to construct Citadel malware, known for its cunning ability to steal personal, banking and financial information.

“We had hoped to have seen the last Citadel and ZeuS long ago,” said Morten Kjaersgaard, CEO of Heimdal Security. “But this malware strain has demonstrated astonishing resiliency as malware authors continue to adapt the base code and elements for modern times,” he said.

Heimdal Security said it has observed Atmos active in the wild for the past 30 days; however, the malware dates back to late 2015, when it was first identified. The security firm said Atmos is closely tied to the ZeuS malware in that it utilizes the same web injects that ZeuS was infamous for. Recent strains, the security firm said, appear to be tied to configuration servers based in Canada, the United States, Russia and Turkey.

Kjaersgaard said that at this early stage there is no single predictable attack vector or infection scenario for Atmos. Current strains of Atmos, he said, have spread via malware-infected banner ads, booby-trapped websites and phishing attacks.

Once a machine is infected, Atmos will scrape data from it or simply hide out and try to collect user credentials. Phase two, he said, includes a ransomware attack. Atmos is an equal opportunity threat, Kjaersgaard said. “Once Atmos attackers have stolen everything they can from your system they will throw some ransomware (Teslacrypt) on the system in an attempt to steal more from you.”

Heimdal Security says Atmos is representative of a new breed of malware, one where the authors go to great pains to develop malware very precisely. “These guys are tired of throwing spaghetti at the wall and seeing what sticks. Now they are taking their time, performing quality assurance tests, slowly ramping up production and then launching calculated attacks,” Kjaersgaard said.

He said Atmos is currently at an early stage, and he predicts a wider, more aggressive attack that looks far beyond France and the banking industry.
