{
	"id": "487ce24f-9d71-4519-9bd5-665271748ba3",
	"created_at": "2026-04-06T00:13:43.329938Z",
	"updated_at": "2026-04-10T13:12:49.918165Z",
	"deleted_at": null,
	"sha1_hash": "21e27c7e3f1b1a1e51697c29fc19dec90655dc63",
	"title": "Hiding in plain sight: a story about a sneaky banking Trojan | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2009235,
	"plain_text": "Hiding in plain sight: a story about a sneaky banking Trojan | Malwarebytes Labs\r\nBy Jérôme Segura\r\nPublished: 2014-02-16 · Archived: 2026-04-05 12:54:59 UTC\r\nThe Zeus/Zbot Trojan is one of the most notorious banking Trojans ever created; it’s so popular it gave birth to many offshoots and copycats.\r\nThe particularity of Zeus is that it acts as a “man-in-the-browser”, allowing cyber-crooks to collect personal information from its victims as well as to surreptitiously perform online transactions.\r\nA new variant of this Trojan, dubbed ZeusVM, is using images as a decoy to retrieve its configuration file, a vital piece for its proper operation.\r\nFrench security researcher Xylitol noted something strange in one of the malvertising campaigns I reported a couple of weeks ago.\r\nThe malware was retrieving a JPG image hosted on the same server as other malware components.\r\nHe later sent me a message about how this new variant was using steganography, a technique that allows one to disguise data inside an existing file without damaging it.\r\nOver the next couple of weeks, we exchanged a few more emails as he had discovered other samples exhibiting the same behaviour.\r\nCurious about this new trick, I decided to study one of those pictures more closely to better understand what was going on.\r\nHere is a beautiful picture of a sunset, and you would never guess that code used to steal money is hiding within this image:\r\nhttps://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/\r\nPage 1 of 6\r\nThere are various tools to analyze pictures, but one easy way to go at it is to find an exact copy of it and then compare it against the one you have.\r\nFor this, I did a Google image search and directly uploaded the suspicious JPG:\r\nOnce you have a match, you can select one with the same width and height. Of course, this technique might not always work, but in this case the bad guys simply picked a picture that they had found on the web, thus making my job easier.\r\nIf we put both pictures (the original and the altered one) side by side and view them in bitmap mode, we can spot where extra data was added.\r\nUsing a hexadecimal viewer we can see where the code for the picture ends and where the hidden data starts (highlighted):\r\nSo here is our data, although at this point it is not human readable:\r\nTo make identification more difficult, the appended data is obfuscated with Base64 encoding, RC4 and XOR. To decode it you can reverse the file with a debugger such as OllyDbg and grab the decryption routine. Alternatively, you can use the leaked Zeus source code to create your own module that will decompress the data blocks.\r\nThe decrypted configuration file shows which banks and financial institutions are targeted:\r\nOne of these is Deutsche Bank (Germany), and this is what its login page looks like:\r\nWhen an infected user loads their banking website, the Trojan starts acting as a man-in-the-middle and can literally empty out their bank account in total discretion. The bank cannot tell these are illegal money transfers since the customer was properly authenticated into its system.\r\nIt’s not the first time we see malware embedding data within innocuous files. Not too long ago, website security company Sucuri disclosed how an innocent-looking PNG file contained instructions in its metadata.\r\nHiding malevolent code in such a way can successfully bypass signature-based Intrusion Detection Systems or even antivirus software. From a webmaster’s point of view, images (especially ones that can be viewed) would appear harmless.\r\nIt’s a reminder that a file should not be considered safe simply because it appears to be a legitimate picture, song or movie.\r\nInterestingly, steganography itself is a really old practice: in ancient Greece, secret instructions carved on wood were covered with wax on which an innocent message would fool any outsider.\r\nIn that regard, the bad guys aren’t really innovators per se; they are just applying old tricks to modern technology. That’s where our job comes into play, because solving puzzles is just as much fun as creating them.\r\n@jeromesegura\r\nSource: https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/"
	],
	"report_names": [
		"hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434423,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21e27c7e3f1b1a1e51697c29fc19dec90655dc63.pdf",
		"text": "https://archive.orkl.eu/21e27c7e3f1b1a1e51697c29fc19dec90655dc63.txt",
		"img": "https://archive.orkl.eu/21e27c7e3f1b1a1e51697c29fc19dec90655dc63.jpg"
	}
}