ESET researchers have discovered a malicious Apache module called Linux/Chapro.A, which injects malicious content into Web pages.
"The so-called Linux/Chapro.A variant has multiple features to camouflage its presence, and basically 'tricks' the unsuspecting Apache software into infecting a visitor's machine, according to ESET's findings," writes Dark Reading's Kelly Jackson Higgins. "The malware injects an iFrame onto the server that ultimately leads to the installation of Zeus variant Win32/Zbot. It also links to the so-called Sweet Orange exploit kit landing page, out of Lithuania."
"ESET says the version of Linux/Chapro.A it has observed targets banks in Europe and Russia, although the malware could be configured to attack U.S. banks," writes American Banker's Brian Browdie.
"The attack itself throws up a front end to harvest the PIN and CVV verification codes for credit and bank cards," writes CSO Online's John E. Dunn. "A secondary main task is to hide itself from admins for as long as possible, dropping a cookie and recording the IP address of the infected machine. That means the PC will not be infected over and over when returning, making it harder for researchers to detect where a given infection happened."
"The security firm adds that given the spread of the attack and its poor detection rates, it’s 'very hard for law enforcement agencies to investigate and mitigate,' hinting that the module’s creators may have collaborated with another group to popularize the exploit kit only to sell the infected computers to a group running a Win32/Zbot botnet," writes Threatpost's Christopher Brook.