DEV Community

jordanricky1604-ship-it
jordanricky1604-ship-it

Posted on • Originally published at jordanricky1604-ship-it.github.io

Malware Deep Dive: Zbot

Deep Dive: Zbot (Banking_Trojan)

Today we are analyzing the Zbot malware family, which falls under the Banking_Trojan category.

Overview

Zbot is better known as Zeus, one of the most influential banking trojans in malware history, designed to steal banking information and other sensitive credentials for exfiltration. As MITRE ATT&CK notes for the Zeus Panda variant, the original Zeus source code was leaked in 2011, which let many threat actors build new variants on top of it (including Citadel, Gameover Zeus, and Zeus Panda). It primarily targets Windows and captures credentials through browser-based techniques such as web injection and keylogging.

Known Aliases

Security vendors and researchers may refer to this family by several different names, including:

  • Zeus
  • Zbot
  • Zeus Panda
  • Wsnpoem

MITRE ATT&CK Techniques

This family has been observed utilizing the following techniques:

Frequently Asked Questions

What is Zeus/Zbot?
A landmark banking trojan that steals banking credentials and other sensitive data, typically by capturing what victims enter into their browser.

Why is the 2011 Zeus source-code leak important?
MITRE notes the original source code leaked in 2011, allowing threat actors to build many new variants from it, which shaped a whole generation of banking malware.

What variants came from Zeus?
Well-known descendants include Citadel, Gameover Zeus, and Zeus Panda, among others.

How does Zeus steal banking details?
Mainly through browser session hijacking / web injection and keylogging, capturing credentials as they are entered on banking sites.

What systems does Zeus target?
It primarily targets Windows, with the Zeus Panda variant documented across Windows XP through Windows 10.

How did Zeus typically spread?
Historically through phishing emails and drive-by downloads from compromised or malicious websites.

How can I protect financial accounts from trojans like Zeus?
Use multi-factor authentication, keep your system and browser patched, avoid suspicious attachments and links, and monitor accounts for unauthorized activity.

Where is the authoritative reference?
MITRE ATT&CK's Zeus Panda entry (S0330), linked on this page, documents the variant's techniques and the 2011 source leak.


This article is part of the Malware Families Catalog. Visit the original page for more details and interactive data! You can also find the full dataset on Hugging Face and Kaggle.

Top comments (0)