Zbot (aka Prg) banking Trojan distribution

A few days ago SecureWorks published an interesting article describing a new variant of a banking Trojan family they refer to as ‘Prg’. Of course, banking Trojan attacks are an everyday occurrence. However, this one is a little more interesting than the norm thanks to some of the subtle tricks it uses. These include:

  • behavior specific to the targeted financial institutions which can be updated (the Trojan connects back to the hacker for commands and configuration files)
  • keystroke simulation
  • server-side automation used to produce many minor variants of the Trojan (to evade AV detection)

Sophos products detect this threat as Zbot (the generic detection for the family is Mal/Zbot-A). Numerous attacks delivering a Zbot payload have been detected within our automation systems. The hackers are actively using web attacks to infect victims with this banking malware, using a variety of exploits hosted on several domains.

Some of the attacks are fairly simple – a single malicious script attempts to exploit the local browser to infect the victim with a Zbot variant when they browse the page.


Others are a little more complex, with more ‘feeder’ pages loading the malicious content to hit the victim with exploits and infect them with Zbot.


Some show the hackers not being shy to use additional exploits to attack victims:


As you will notice from the above flowcharts, we are providing good proactive detection, not only for the Zbot Trojans themselves but also for the malicious scripts used to load and deliver them. These detections include Mal/ObfJS-C, Mal/ObfJS-V, Mal/ObfJS-S, Troj/Unif-B and Mal/Iframe-F.
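The flowcharts above show chains of ‘feeder’ pages leading to the exploit host and, finally, the Zbot binary. For a defender without access to those charts, the same chain can often be reconstructed from a web proxy log by walking Referer headers backwards from any request to a known-bad domain. The following is an added example written for this post, not Sophos code: the log lines, hostnames and blocklist are all constructed, and the log format (client, URL, Referer) is an assumption.

```python
"""Reconstruct drive-by redirect chains from web proxy logs.

Added example (not from the original post). Given proxy log lines of the
form "client url referer" (referer '-' when absent), find every request
to a blocklisted domain and walk the Referer links back to the page the
user originally visited, giving the feeder chain that led the browser to
the exploit host. All log lines, hostnames and the blocklist are
constructed for the example.
"""
from urllib.parse import urlparse

# Constructed sample log: one client hits a feeder chain ending at the
# exploit host, a second client browses harmlessly.
SAMPLE_LOG = """\
10.0.0.5 http://news.example.com/story.html -
10.0.0.5 http://feeder1.example.net/load.js http://news.example.com/story.html
10.0.0.5 http://feeder2.example.org/in.php http://feeder1.example.net/load.js
10.0.0.5 http://exploit.example.bad/e.php http://feeder2.example.org/in.php
10.0.0.5 http://exploit.example.bad/zbot.exe http://exploit.example.bad/e.php
10.0.0.7 http://shop.example.com/ -
10.0.0.7 http://cdn.example.com/style.css http://shop.example.com/
"""

# Constructed blocklist standing in for the attack domains already blocked.
BLOCKLIST = {"exploit.example.bad"}


def parse_log(text):
    """Return a list of (client, url, referer) tuples; referer is None for '-'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, ref = line.split()
        rows.append((client, url, None if ref == "-" else ref))
    return rows


def build_referer_map(rows):
    """Map (client, url) -> referer URL, keeping the first sighting per pair."""
    ref_map = {}
    for client, url, ref in rows:
        ref_map.setdefault((client, url), ref)
    return ref_map


def find_chains(rows, blocklist):
    """For each request to a blocklisted host, walk Referers back to the
    landing page. Returns a list of (client, [landing, ..., bad_url])."""
    ref_map = build_referer_map(rows)
    chains = []
    for client, url, _ in rows:
        if urlparse(url).hostname not in blocklist:
            continue
        chain = [url]
        seen = {url}  # guard against Referer loops
        cur = ref_map.get((client, url))
        while cur and cur not in seen:
            chain.append(cur)
            seen.add(cur)
            cur = ref_map.get((client, cur))
        chain.reverse()
        chains.append((client, chain))
    return chains


def feeder_domains(chains, blocklist):
    """Hostnames sitting between the landing page and the blocklisted host:
    the feeder pages, which are candidates for blocking as well."""
    out = set()
    for _, chain in chains:
        for url in chain[1:]:
            host = urlparse(url).hostname
            if host not in blocklist:
                out.add(host)
    return out


if __name__ == "__main__":
    hits = find_chains(parse_log(SAMPLE_LOG), BLOCKLIST)
    for client, chain in hits:
        print(client, " -> ".join(chain))
    print("feeder domains:", sorted(feeder_domains(hits, BLOCKLIST)))
```

Run against the constructed log, the script prints one chain per request to the blocklisted host (the exploit page and the binary it dropped), each traced back to the news page the user actually visited, and lists the two intermediate feeder domains as candidates for blocking. Referer headers can be stripped or forged, so a chain that stops short of a landing page is a gap in visibility, not evidence that the request was benign.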

As to the best way to protect yourselves, well the usual rules apply really. Aside from the proactive Zbot and malicious script detections illustrated above, a number of the domains used in the attacks are not new to Sophos, and we have been blocking access to them for several weeks for users of our web appliances. Furthermore, even if the Zbot were not already proactively detected, the runtime protection at the desktop would catch Zbot as it attempts to install itself: