Zeus-Inspired Malware Targeting Cloud-Based Banking Transactions

Criminals have deployed a sophisticated malware variant to siphon large sums from businesses conducting online banking transactions, according to a joint report by McAfee and Guardian Analytics.

The malware, named "High Roller" after the high-value targets it goes after, was built using many of the same techniques as the Zeus and SpyEye banking trojans, including "a familiar core of Web injects code" (the browser-side code such trojans use to alter a bank's pages as the victim views them). However, according to the report, titled "Dissecting Operation High Roller," what sets this malware apart is the degree of automation used during the thefts.

"In contrast, although there can be live intervention in the most high-value transactions, most of the High Roller process is completely automated, allowing repeated thefts once the system has been launched at a given bank or for a given Internet banking platform," according to the report. "For example, before it does the transfer, the code looks up account information from an 'active mule account' database so that the 'drop' information is always current."

According to David Marcus, McAfee's director of Advanced Research and Threat Intelligence, this level of automation goes hand in hand with the attackers' move of their fraud logic onto cloud-hosted servers.

"The advanced methods discovered in Operation High Roller show fraudsters moving toward cloud-based servers with multifaceted automation in a global fraud campaign," wrote Marcus in a blog post.

After finding a suitable target (accounts holding an average of $300,000 to $600,000), the malware initiates transfers of over $100,000 to a mule ("drop") account. While the exact amount actually stolen is unknown, McAfee estimates the attempted thefts at between $75 million and $2.5 billion.

The individuals responsible for the malware have extensive knowledge of how the financial sector operates, along with considerable experience with cloud-based systems, according to McAfee.

The report said the malware, operated by as-yet-unidentified individuals, has been in the wild for over a year, with the majority of targets in Europe. However, researchers said it has recently expanded beyond Europe and is now increasingly active in Latin America and North America.

Banking institutions that have taken an active role in fraud detection are better protected from this attack than those relying on what McAfee calls a "slow and disjointed 'white hat' detection system."

"As this report shows with the evolution from client-side to server-side attacks, fraudsters will evolve their model to move a majority of the fraud logic to the server," said the report.

Because the attackers keep changing tactics, McAfee and Guardian Analytics recommend that banking institutions deploy a proven anomaly detection solution that monitors transactions for both manual and automated attacks, rather than relying on client-side controls alone.
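As an added illustration, not code from the McAfee/Guardian Analytics report or from this article, the following Python sketch shows the kind of transaction-level anomaly check that recommendation points at. It replays a constructed transfer log and flags two patterns the article describes: a large transfer to a payee the account has never used before, and several accounts paying the same freshly introduced "drop" beneficiary within seconds of each other, which is what an automated server-side process draining victims into a shared mule account looks like. The log lines, dollar thresholds, time window and rule names are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample transfer log (not real bank data). One transfer per line:
# timestamp|source_account|beneficiary|amount_usd
# The first seven lines are ordinary recurring payments; the last four mimic the
# pattern described in the report: six-figure transfers from several high-balance
# accounts to one never-before-seen "drop" beneficiary, seconds apart, at 3 a.m.
SAMPLE_LOG = """\
2012-05-02T10:14:03|ACC-1001|BEN-PAYROLL|12500.00
2012-05-09T10:12:41|ACC-1001|BEN-PAYROLL|12500.00
2012-05-16T10:15:07|ACC-1001|BEN-PAYROLL|12600.00
2012-05-03T16:40:22|ACC-1002|BEN-SUPPLIER-A|8400.00
2012-05-17T16:38:10|ACC-1002|BEN-SUPPLIER-A|9100.00
2012-05-04T11:05:55|ACC-1003|BEN-RENT|22000.00
2012-06-04T11:06:02|ACC-1003|BEN-RENT|22000.00
2012-06-25T03:12:10|ACC-1001|BEN-DROP-1|104000.00
2012-06-25T03:12:11|ACC-1002|BEN-DROP-1|101500.00
2012-06-25T03:12:13|ACC-1003|BEN-DROP-1|99800.00
2012-06-25T03:12:14|ACC-1004|BEN-DROP-1|110000.00
"""

# Assumed thresholds for this illustration; a bank would tune these per customer segment.
LARGE_TRANSFER_USD = 50_000.0          # absolute size that merits review when the payee is new
SPIKE_FACTOR = 3.0                     # new payee plus amount above this multiple of the account's prior max
SHARED_DROP_WINDOW = timedelta(seconds=60)
SHARED_DROP_MIN_ACCOUNTS = 3           # distinct accounts paying one new payee inside the window


@dataclass
class Transfer:
    when: datetime
    account: str
    beneficiary: str
    amount: float


@dataclass
class Finding:
    transfer: Transfer
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Parse pipe-delimited lines into Transfer records, oldest first."""
    transfers = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, beneficiary, amount = line.split("|")
        transfers.append(Transfer(datetime.fromisoformat(ts), account, beneficiary, float(amount)))
    transfers.sort(key=lambda t: t.when)
    return transfers


def detect(text):
    """Replay the log in time order and return one Finding per suspicious transfer."""
    seen_payees = defaultdict(set)      # account -> beneficiaries it has paid before
    prior_max = defaultdict(float)      # account -> largest earlier transfer
    first_payments = defaultdict(list)  # beneficiary -> [(when, account)] of first-time payments
    findings = []

    for t in parse_log(text):
        reasons = []
        new_payee = t.beneficiary not in seen_payees[t.account]

        # Rule 1: a first-ever payee receiving a large or out-of-profile amount.
        # Accounts with no history only trip the absolute threshold (cold-start guard).
        spike = prior_max[t.account] > 0 and t.amount > SPIKE_FACTOR * prior_max[t.account]
        if new_payee and (t.amount >= LARGE_TRANSFER_USD or spike):
            reasons.append("new payee with large/out-of-profile amount")

        # Rule 2: several accounts paying the same new payee within seconds of each other,
        # the signature of one automated process pushing victims into a shared drop account.
        if new_payee:
            first_payments[t.beneficiary].append((t.when, t.account))
            recent = {acct for when, acct in first_payments[t.beneficiary]
                      if t.when - when <= SHARED_DROP_WINDOW}
            if len(recent) >= SHARED_DROP_MIN_ACCOUNTS:
                reasons.append("shared drop account: %d accounts in %ds"
                               % (len(recent), SHARED_DROP_WINDOW.seconds))

        if reasons:
            findings.append(Finding(t, reasons))

        # Update the per-account profile only after scoring this transfer.
        seen_payees[t.account].add(t.beneficiary)
        prior_max[t.account] = max(prior_max[t.account], t.amount)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        t = f.transfer
        print(t.when, t.account, "->", t.beneficiary, t.amount, "|", "; ".join(f.reasons))
```

Rule 1 on its own would also fire on a legitimate one-off payment, which is why the second rule matters: a human fraudster working one victim at a time never produces four accounts' first payments to one beneficiary inside a minute, while an automated campaign pulling the current mule from a shared database does exactly that. Run against the sample log, the seven historical transfers produce no findings, the four drop-account transfers all trip rule 1, and the third and fourth additionally trip the shared-drop rule.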

About the Author

Chris Paoli is the site producer for and

