Hackers are issuing commands to machines infected with the Zbot malware using popular images of sunsets and cats, according to security firm Trend Micro.
Trend Micro threat response engineer Jennifer Gumban reported the hack campaign in a blog post, warning it is targeting several European bank customers. "We encountered an image of a sunset, but other security researchers reported encountering a cat image," read the post.
"Using steganography, a list of banks and financial institutions that will be monitored is hidden inside the image. The list includes institutions from across the globe, particularly in Europe and the Middle East."
The images can spread in a variety of ways. They can be shared as standalone malicious files that send out commands to infected machines, or inserted into web pages and set to automatically target visitors to the site.
Trend Micro vice president of security research, Rik Ferguson told V3 by hiding the malware's configuration files in this way, the hackers could bypass many traditional security features.
"There are a couple of good reasons for delivering them in this format; first the file the itself is often excluded from scanning by traditional security solutions, obviously to the naked eye they look entirely innocent and also to network monitoring software," he said.
Gumban said the campaign is atypical as it targets systems infected with the financially focused Zbot malware.
"This particular attack has another unusual routine: it downloads onto the system other malware, namely TROJ_FOIDAN.AX. This Trojan removes the X-Frames-Options HTTP header from sites the user visits, allowing websites to be displayed inside a frame," the post continued.
"Zbot has not traditionally been linked to clickjacking in the past. However, it has been linked to other threats, such as ransomware and file infectors."
Zbot is an old version of the notorious Zeus Trojan and is designed to steal financial information from its victims. The Zbot malware was thought to be close to extinct as criminals had upgraded their campaigns to run using newer versions of Zeus until May 2013, when Trend Micro researchers detected a resurgence in its use.
Ferguson said the discovery of the new Zbot attack is troubling as it shows common cyber criminals are beginning learn from more advanced hack campaigns.
"The most concerning aspect is that this is a real illustration that targeted attack expertise is already ‘filtering down' and becoming a commoditised playbook for traditional cybercrime."
The Zbot campaign comes during a turbulent time within the cybercrime community. Researchers from security firm FireEye reported that hackers are dropping financially focused malware, such as Zbot, in favour of more dangerous remote access Trojans (RATs) in February.