Zeus’s legacy lives on as crooks target banking customers in the US and Europe

It shows how one piece of code is still inspiring criminals years after law enforcement identified it as pernicious.

Over a decade since the infamous Zeus malware surfaced, scammers are still using variants of that code to try to steal data from banking customers on multiple continents.

Since the beginning of the year, various criminal hacking groups have been using a descendant of Zeus in more than 100 phishing campaigns and some 700,000 emails against people in Australia, Canada, Germany, Poland, and the U.S., email security company Proofpoint said this week. Like countless other hackers around the world, they are trying to capitalize on fears around the coronavirus to slip their code onto victim computers.

The ZLoader campaign shows how one piece of code is still inspiring criminals years after law enforcement identified it as pernicious. After malicious hackers had used Zeus malware to steal over $100 million from victims, the Department of Justice disrupted a Zeus-based botnet in 2014 and put a $3 million bounty out for information leading to the arrest of Zeus’s alleged creator. But with the code available to other criminals, new Zeus variants have continued to pop up.

ZLoader, an updated version of the Zeus code, is designed to swipe login information of customers of certain banks, which Proofpoint did not name. The code is capable of using a desktop-sharing system on the target’s computer to siphon off money from a bank account. It was not clear how many people, if any, were hacked in the campaign. Proofpoint said it protects its customers from the threat. Researchers from IBM also noted a surge in ZLoader scams in March.


“It points to the effectiveness of Zeus in that its various variations can still inflict harm,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. “It also shows the commitment of malware authors and threat actors who are willing to invest in development, maintenance, distribution, and configuration of injects.”

Several different hacking groups — all believed to be based in Eastern Europe or Russia — have been bombarding organizations with ZLoader-laced emails since the start of the year, Proofpoint said. The COVID-19-related emails have varied. One claims to advise the recipient that they may have come into contact with someone who had coronavirus. Another email even pretends to warn users of COVID-19 scamming — while attempting to scam them.

It’s part of a wave of hacking in the last two months that uses trojans to try to steal money. Much of the activity uses COVID-19-themed communications to try to dupe victims who are closely following the news. Banks and financial threat-sharing groups have responded by issuing warnings to their customers.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.