Malicious server used to propagate Zbot shut down

By

A criminal operation has been halted by the shutdown of a malicious server in the Cayman Islands, but the attackers are likely to be looking for a new home.

Prevx researchers recently discovered a site where the trojan Zbot had uploaded the FTP login credentials from more than 68,000 websites, including companies such as Bank of America, BBC, and Symantec. Since then, more than 20,000 additional stolen FTP credentials were used to inject malicious scripts on those sites, Jacques Erasmus, director of research at Prevx, told SCMagazineUS.com. But the attacker's server, based in the Cayman Islands, was shut down on earlier this week.

Up until last week, when visiting a compromised website, users were being infected (by means of a drive-by download) with Zbot, a trojan that captures keystrokes to obtains login credentials and credit card information, Erasmus said. Once a user was infected, the trojan harvested FTP credentials and sent them back to the attack server.

This week, however, a second component of the attack was activated -- the infected computers began “calling home”: communicating with the attack server in the Cayman Islands. When they began calling home, FTP credentials were pushed to the infected computers, with instructions to attempt logging on to sites associated with the credentials (that is, websites whose FTP credentials were stolen) and -- if successful -- to inject them with malicious scripts.

“Since Monday it started infecting a lot of websites, embedding script in the websites,” Erasmus said. “Anyone who visits one of these websites will also get infected.”

One infected machine attempted to inject malicious scripts into 85 different domains in a five-minute period, Erasmus said.

He said that because the controlling server in the Cayman Islands is currently “dead”, no additional websites are being injected with malicious scripts. What remains is a lot of compromised websites that are now further propagating the Zbot trojan. Erasmus said that the big-name websites whose FTP credentials were stolen have all been contacted and those companies canceled the accounts that were harvested. 

Though the attack server is currently down, it looks like those responsible for the threat are trying to move their operations to a different server, Erasmus said.

“Similar servers are popping up and we are trying to figure out if this is the same group,” Erasmus said.

See original article on scmagazineus.com

Malicious server used to propagate Zbot shut down
Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
botnetcredentialsftpinfectedislandsmalicioussecurityservertrojanzbot

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?