The researchers say that the "Chthonic" Trojan is an evolution of ZeusVM, although it has undergone a number of significant changes.
The techniques used to infect victim machines with "Trojan-Banker.Win32.Chthonic" include sending emails containing exploits or downloading the malware to victim machines.
When sending messages containing an exploit, cybercriminals attached a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products. The file has a .DOC extension to make it look less suspicious.
In the event of successful vulnerability exploitation, a downloader for the Trojan was downloaded to the victim computer.
Trojan-Banker.Win32.Chthonic has a modular structure. It is able to
collect system information; steal saved passwords; initiate remote access or recording video from a web camera.
The impressive set of functions enables the malware to steal online banking credentials using a variety of techniques. In addition, VNC and cam recorder modules enable attackers to connect to the infected computer remotely and use it to carry out transactions, as well as recording video and sound if the computer has a webcam and microphone.
But Web injections are Chthonic's main weapon, according to Kaspersky . They enable the Trojan to insert its own code and images into the code of pages loaded by the browser. This enables the attackers to obtain the victim's phone number, one-time passwords and PINs, in addition to the login and password entered by the victim.
For example, for one of the Japanese banks the Trojan hides the bank's warnings and injects a script that enables the attackers to carry out various transactions using the victim's account.
The script can also display various fake windows in order to obtain the information needed by the attackers.
Kaspersky's analysis of attacks against customers of Russian banks has uncovered an unusual web injection scenario. When opening an online banking web page in the browser, the entire contents of the page is spoofed, not just parts of it as in an ordinary attack. From the technical viewpoint, the Trojan creates an iframe with a phishing copy of the website that has the same size as the original window.