Zeus-Inspired Malware Targeting Cloud-Based Banking Transactions

Hackers have implemented a sophisticated malware variant to siphon large amounts of money from businesses conducting online transactions, according to a joint report by McAfee and Guardian Analytics.

The malware, named "High Roller" after the high-profile targets it goes after, was created using many of the same techniques used in the formation of the Zeus and SpyEye worms, including implementing "a familiar core of Web injects code." However, according to the report, titled "Dissecting Operation High Roller," what makes this particular worm unique is the amount of automation used during the thefts.

"In contrast, although there can be live intervention in the most high-value transactions, most of the High Roller process is completely automated, allowing repeated thefts once the system has been launched at a given bank or for a given Internet banking platform," according to the report. "For example, before it does the transfer, the code looks up account information from an 'active mule account' database so that the 'drop' information is always current."

According to David Marcus, McAfee's director of Advanced Research and Threat Intelligence, malware that uses automation in its operation would not be possible without the spread of cloud-based technology.

"The advanced methods discovered in Operation High Roller show fraudsters moving toward cloud-based servers with multifaceted automation in a global fraud campaign," wrote Marcus in a blog post.

After finding its desired target (accounts holding an average of $300,000 to $600,000), the worm initiates transfers of over $100,000 to a dummy account. While the exact amount this scam has stolen is unknown, McAfee estimates it's between $75 million and $2.5 billion.

Those individuals responsible for the malware have extensive experience on how the financial sector operates, along with considerable knowledge of cloud-based systems, according to McAfee.

While the report said this malware, operated by unknown individuals, has been in the wild for over a year, the majority of its targets so far have been in Europe. However, researchers said that it has recently moved overseas and is now increasing activity in Latin America and North America.

Banking institutions that have taken a more active role in security efforts are more protected from attack than those with a "slow and disjointed 'white hat' detection system," according to McAfee.

"As this report shows with the evolution from client-side to server-side attacks, fraudsters will evolve their model to move a majority of the fraud logic to the server," said the report.

McAfee and Guardian Analytics recommend that banking institutions apply a tested anomaly detection solution that can monitor for both manual and automated attacks since the attackers have been changing their tactics with this malware.
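As an added illustration (not code from the McAfee/Guardian Analytics report), the toy check below flags the pattern the article describes: a high-balance account issuing a very large transfer to a never-seen beneficiary, submitted so quickly after login that a person is unlikely to be at the keyboard. The balance and transfer thresholds come from the article; the timing threshold, the account names and the transaction records are constructed assumptions.

```python
# Added example: toy anomaly check over constructed transfer records.
# Thresholds HIGH_BALANCE and LARGE_TRANSFER are the figures quoted in the
# article; AUTOMATION_SECONDS is an assumed cut-off for scripted submissions.
from dataclasses import dataclass

HIGH_BALANCE = 300_000       # account balance band named in the article
LARGE_TRANSFER = 100_000     # transfer size named in the article
AUTOMATION_SECONDS = 5       # assumed: login-to-submit time too fast for a person

@dataclass
class Transfer:
    account: str
    balance: float
    amount: float
    beneficiary: str
    seconds_since_login: float

def risk_flags(t: Transfer, known_beneficiaries: set) -> list:
    """Return the indicators raised by a single transfer."""
    flags = []
    if t.balance >= HIGH_BALANCE and t.amount >= LARGE_TRANSFER:
        flags.append("large-transfer-from-high-balance")
    if t.beneficiary not in known_beneficiaries:
        flags.append("new-beneficiary")
    if t.seconds_since_login < AUTOMATION_SECONDS:
        flags.append("scripted-timing")
    return flags

def review_queue(transfers, history) -> list:
    """Hold transfers raising two or more indicators for manual review.
    `history` maps account id -> set of beneficiaries paid before."""
    held = []
    for t in transfers:
        flags = risk_flags(t, history.get(t.account, set()))
        if len(flags) >= 2:
            held.append((t.account, flags))
    return held

# Constructed sample data: one routine supplier payment, then a transfer
# shaped like the automated High Roller fraud described in the article.
SAMPLE = [
    Transfer("ACME-01", 450_000, 12_000, "SUPPLIER-A", 240.0),
    Transfer("ACME-01", 450_000, 125_000, "MULE-X", 1.2),
]
HISTORY = {"ACME-01": {"SUPPLIER-A"}}

if __name__ == "__main__":
    for account, flags in review_queue(SAMPLE, HISTORY):
        print(account, flags)
```

The point of combining indicators is that a single large payment or a single new payee is routine for a business account; it is the conjunction with scripted timing that separates an automated fraud from a legitimate manual transfer.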

About the Author

Chris Paoli is the site producer for and
