{
	"id": "9dcf8dd3-8429-482b-ac74-f63acccc96be",
	"created_at": "2026-04-06T00:20:08.39051Z",
	"updated_at": "2026-04-10T13:12:27.35317Z",
	"deleted_at": null,
	"sha1_hash": "aa2804842a7fea084ceddd1e1146332ed750a934",
	"title": "Chthonic: a new modification of ZeuS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 973730,
	"plain_text": "Chthonic: a new modification of ZeuS\r\nBy Yury Namestnikov\r\nPublished: 2014-12-18 · Archived: 2026-04-05 17:44:55 UTC\r\nIn the fall of 2014, we discovered a new banking Trojan, which caught our attention for two reasons:\r\nFirst, it is interesting from the technical viewpoint, because it uses a new technique for loading modules.\r\nSecond, an analysis of its configuration files has shown that the malware targets a large number of online-banking systems: over 150 different banks and 20 payment systems in 15 countries. Banks in the UK,\r\nSpain, the US, Russia, Japan and Italy make up the majority of its potential targets.\r\nKaspersky Lab products detect the new banking malware as Trojan-Banker.Win32.Chthonic.\r\nThe Trojan is apparently an evolution of ZeusVM, although it has undergone a number of significant changes.\r\nChthonic uses the same encryptor as Andromeda bots, the same encryption scheme as Zeus AES and Zeus V2\r\nTrojans, and a virtual machine similar to that used in ZeusVM and KINS malware.\r\nInfection\r\nWe have seen several techniques used to infect victim machines with Trojan-Banker.Win32.Chthonic:\r\nsending emails containing exploits;\r\ndownloading the malware to victim machines using the Andromeda bot (Backdoor.Win32.Androm in\r\nKaspersky Lab classification).\r\nWhen sending messages containing an exploit, cybercriminals attached a specially crafted RTF document,\r\ndesigned to exploit the CVE-2014-1761 vulnerability in Microsoft Office products. The file has a .DOC extension\r\nto make it look less suspicious.\r\nhttps://securelist.com/chthonic-a-new-modification-of-zeus/68176/\r\nPage 1 of 10\n\nSample message with CVE-2014-1761 exploit\r\nIn the event of successful vulnerability exploitation, a downloader for the Trojan was downloaded to the victim\r\ncomputer. 
In the example above, the file is downloaded from a compromised site – hxxp://valtex-guma.com.ua/docs/tasklost.exe.\r\nThe Andromeda bot downloaded the downloader from hxxp://globalblinds.org/BATH/lider.exe.\r\nDownloading the Trojan\r\nOnce downloaded, the downloader injects its code into the msiexec.exe process. It seems that the downloader is\r\nbased on the Andromeda bot’s source code, although the two use different communication protocols.\r\nExample of common functionality of Andromeda and Chthonic downloaders\r\nDifferences in communication protocols used by Andromeda and Chthonic C\u0026C\r\nThe Chthonic downloader contains an encrypted configuration file (similar encryption using a virtual machine\r\nwas used in KINS and ZeusVM). The main data contained in the configuration file includes: a list of C\u0026C\r\nservers, a 16-byte key for RC4 encryption, UserAgent, botnet id.\r\nThe main procedure of calling virtual machine functions\r\nAfter decrypting the configuration file, its individual parts are saved in a heap – in the following format:\r\nThis is done without passing pointers. The bot finds the necessary values by examining each heap element using\r\nthe RtlWalkHeap function and matching its initial 4 bytes to the relevant MAGIC VALUE.\r\nThe downloader puts together a system data package typical of ZeuS Trojans (local_ip, bot_id, botnet_id, os_info,\r\nlang_info, bot_uptime and some others) and encrypts it first using XorWithNextByte and then using RC4. 
Next,\r\nthe package is sent to one of the C\u0026C addresses specified in the configuration file.\r\nIn response, the malware receives an extended loader – a module in a format typical of ZeuS, i.e., not a standard\r\nPE file but a set of sections that are mapped to memory by the loader itself: executable code, relocation table,\r\npoint of entry, exported functions, import table.\r\nCode with section IDs matching the module structures\r\nIt should be noted that the imports section includes only API function hashes. The import table is set up using the\r\nStolen Bytes method, using a disassembler included in the loader for this purpose. Earlier, we saw a similar import\r\nsetup in Andromeda.\r\nFragment of the import setup function in Andromeda and Chthonic\r\nHeader of a structure with module\r\nThe extended loader also contains a configuration file encrypted using the virtual machine. It loads the Trojan’s\r\nmain module, which in turn downloads all the other modules. However, the extended loader itself uses AES for\r\nencryption, and some sections are packed using UCL. The main module loads additional modules and sets up\r\nimport tables in very much the same way as the original Chthonic downloader, i.e. this ZeuS variant has absorbed\r\npart of the Andromeda functionality.\r\nThe entire sequence in which the malware loads, including the modules that are described below, is as follows:\r\nModules\r\nTrojan-Banker.Win32.Chthonic has a modular structure. 
To date, we have discovered the following modules:\r\nName | Description | Has a 64-bit version\r\nmain | Main module (v4.6.15.0 – v4.7.0.0) | Yes\r\ninfo | Collects system information | Yes\r\npony | Module that steals saved passwords | No\r\nklog | Keylogger | Yes\r\nhttp | Web injection and formgrabber module | Yes\r\nvnc | Remote access | Yes\r\nsocks | Proxy server | Yes\r\ncam_recorder | Recording video from the web camera | Yes\r\nThe impressive set of functions enables the malware to steal online banking credentials using a variety of\r\ntechniques. In addition, VNC and cam recorder modules enable attackers to connect to the infected computer\r\nremotely and use it to carry out transactions, as well as recording video and sound if the computer has a webcam\r\nand microphone.\r\nInjections\r\nWeb injections are Chthonic’s main weapon: they enable the Trojan to insert its own code and images into the\r\ncode of pages loaded by the browser. 
This enables the attackers to obtain the victim’s phone number, one-time\r\npasswords and PINs, in addition to the login and password entered by the victim.\r\nFor example, for one of the Japanese banks the Trojan hides the bank’s warnings and injects a script that enables\r\nthe attackers to carry out various transactions using the victim’s account:\r\nOnline banking page screenshots before and after the injection\r\nInteresting functions in injected script\r\nThe script can also display various fake windows in order to obtain the information needed by the attackers.\r\nBelow is an example of a window which displays a warning of non-existent identification problems and prompts\r\nthe user to enter a TAN:\r\nFake TAN entry window\r\nOur analysis of attacks against customers of Russian banks has uncovered an unusual web injection scenario.\r\nWhen opening an online banking web page in the browser, the entire content of the page is spoofed, not just parts\r\nof it as in an ordinary attack. From the technical viewpoint, the Trojan creates an iframe with a phishing copy of\r\nthe website that has the same size as the original window.\r\nBelow is a fragment of injected code, which replaces everything between the title and body closing tags with the\r\nfollowing text:\r\nAnd here is the script itself:\r\nAdditionally, the bot receives a command to establish a backconnect connection if the injection is successful:\r\nCoverage\r\nThere are several botnets with different configuration files. Overall, the botnets we are aware of target online\r\nbanking systems of over 150 different banks and 20 payment systems in 15 countries. 
The cybercriminals seem\r\nmost interested in banks in the UK, Spain, the US, Russia, Japan and Italy.\r\nChthonic target distribution by country\r\nIt is worth noting that, in spite of the large number of targets on the list, many code fragments used by the Trojan\r\nto perform web injections can no longer be used, because banks have changed the structure of their pages and, in\r\nsome cases, the domains as well. It should also be noted that we saw some of these fragments in other bots’ config\r\nfiles (e.g., Zeus V2) a few years back.\r\nConclusion\r\nWe can see that the ZeuS Trojan is still actively evolving and its new implementations take advantage of cutting-edge techniques developed by malware writers. This is significantly helped by the ZeuS source code having been\r\nleaked. As a result, it has become a kind of framework for malware writers, which can be used by anyone and can\r\neasily be adapted to cybercriminals’ new needs. 
The new Trojan – Chthonic – is the next stage in the evolution of\r\nZeuS: it uses Zeus AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the\r\nAndromeda downloader.\r\nWhat all of this means is that we will undoubtedly see new variants of ZeuS in the future.\r\nA few md5:\r\nSource: https://securelist.com/chthonic-a-new-modification-of-zeus/68176/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/chthonic-a-new-modification-of-zeus/68176/"
	],
	"report_names": [
		"68176"
	],
	"threat_actors": [],
	"ts_created_at": 1775434808,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa2804842a7fea084ceddd1e1146332ed750a934.pdf",
		"text": "https://archive.orkl.eu/aa2804842a7fea084ceddd1e1146332ed750a934.txt",
		"img": "https://archive.orkl.eu/aa2804842a7fea084ceddd1e1146332ed750a934.jpg"
	}
}