Malicious Malware Uses Photos of Sunsets and Cats to Steal Banking Credentials


It’s a sad day for the Internet… according to Trend Micro’s security analysts, it’s been discovered that photographs of both sunsets and — even more heartbreaking — cats being shared across the web contain malware capable of getting into your bank accounts.

Known as “ZBOT,” this particular malware downloads a JPEG file to the affected computer without the user’s knowledge. While it’s unlikely anyone would come across the file (due to it being hidden deep inside your file system), even if they were to somehow do so, it would look like nothing more than one of your photos gone astray.

The JPEG matters because of steganography, the practice of hiding a message or file inside another file (a JPEG in this case): the image carries the malware’s list of target banks. The malware watches your browsing against that list, and once you visit one of the listed sites it uses a particular framework that helps it bypass the security software you may have installed on your computer and steal information such as login credentials.
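How a defender might check a downloaded JPEG for data riding behind the image, as an added example that is not code from the PetaPixel article or from Trend Micro’s analysis: the page does not say how ZBOT embeds its bank list, so this script assumes (an assumption, not a fact from the page) the simplest form of file-level steganography, a payload appended after the JPEG end-of-image marker. It walks the JPEG marker segments, confirms the structure is sane, and reports any bytes past EOI for an analyst to look at. The sample JPEG bytes and the “target list” text are constructed for the example.

```python
"""Structural check for a JPEG that may be carrying data past its end-of-image marker.

Added example, not code from the PetaPixel article or from Trend Micro. The page does
not describe how ZBOT embeds its bank list, so this script assumes (an assumption,
not a fact from the page) the simplest file-level steganography: bytes appended after
the EOI marker.
"""

# Markers with no length field: SOI, EOI, TEM and RST0-RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
# Inside entropy-coded scan data an 0xFF is followed by 0x00 (byte stuffing) or an RSTn marker.
STUFFED = {0x00} | set(range(0xD0, 0xD8))


def inspect_jpeg(data: bytes) -> dict:
    """Parse marker segments and return a summary including bytes found after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    segments = []          # (marker, payload_length) in file order
    eoi_end = None
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes may precede a marker
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                              # EOI: the image proper ends here
            eoi_end = pos
            break
        if marker in STANDALONE:
            segments.append((marker, 0))
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        length = int.from_bytes(data[pos:pos + 2], "big")  # includes the two length bytes
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        segments.append((marker, length - 2))
        pos += length
        if marker == 0xDA:                              # SOS: skip scan data to the next real marker
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in STUFFED:
                    break
                pos += 1
    if eoi_end is None:
        raise ValueError("no EOI marker found")
    trailing = data[eoi_end:]
    return {
        "segments": segments,
        "trailing_bytes": len(trailing),
        "trailing_preview": trailing[:64],
        "suspicious": len(trailing) > 0,
    }


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment with its big-endian length field."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: a structurally valid but content-free JPEG (SOI, APP0/JFIF, SOS,
# a few scan bytes including a stuffed 0xFF00, EOI). Not a real picture.
APP0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOS = b"\x01\x01\x00\x00\x3f\x00"
SCAN = b"\x12\x34\xff\x00\x56"
CLEAN_JPEG = b"\xff\xd8" + _segment(0xE0, APP0) + _segment(0xDA, SOS) + SCAN + b"\xff\xd9"

# Constructed stand-in for a hidden configuration; the real ZBOT format is not on the page.
HIDDEN_CONFIG = b"target list placeholder: example-bank.invalid\n"
TAMPERED_JPEG = CLEAN_JPEG + HIDDEN_CONFIG


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("tampered", TAMPERED_JPEG)):
        report = inspect_jpeg(blob)
        markers = ", ".join(f"0x{m:02X}({n} bytes)" for m, n in report["segments"])
        print(f"{name}: segments [{markers}], trailing bytes = {report['trailing_bytes']}, "
              f"suspicious = {report['suspicious']}")
```

The check is deliberately narrow: a JPEG with bytes after EOI is unusual enough to be worth a second look, but a clean result does not prove the image carries nothing, since data can also be hidden in metadata segments or in the pixel data itself. Run it over the images in a user’s temp and cache directories rather than the pictures they knowingly saved.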

Not one of the offending images.


So far, the malicious images have taken two forms: rainbow images and an image of a cat lying on a pile of money, although the cat image has just about disappeared now that people know it can cause harm.

Christopher Budd, the Global Threat Communications Manager for Trend Micro, shares a solid piece of advice if you want to steer clear of this problem: “If you receive an email with a colorful rainbow or cute kitty, don’t open it unless it is from a known party.”

We may be a bit less prone to fall for this, since we keep better track of the photos on our computer than most, but if your parents or grandparents are anything like mine, you might want to tell granny not to click on that photo of Grumpy Cat she received in an email from a stranger…

(via Trend Micro via BoingBoing)

Image credits: Tortoiseshell she-cat by Toya.

  • pixeljammer

    Doesn’t your computer already have to be infected with ZBOT in order for the “instructions” embedded in the JPEG file to do anything?
    And isn’t this specific to machines running Windows?

  • Just sayin’

    Recommend you check TrendMicro’s website for further information, as they originally provided the information that PetaPixel shared.

  • PTBridgeport

    Cats are evil…..

  • Kynikos

    If we ever needed an excuse to not have any more goddamn cat photos cluttering the internet, here it is.

  • Renato Murakami

    TrendMicro’s article does a very bad job of explaining this and is very unclear. It’s the sort of thing that creates unneeded paranoia and theories about an undetectable malware.

    From what I could get, which is bound to be distorted by headlines and re-blogging, the only thing the images quoted have in them are directions – in particular, a list with banks and financial institutions. Nothing really dangerous.

    It only becomes dangerous if you also get another malware (a trojan horse) called “TROJ_FOIDAN.AX”. When you have both (the image and the trojan) in your system, they then act together to monitor and possibly get account numbers and passwords.

    The list of banks and financial institutions in the images analysed seems to mostly contain stuff from the Middle East and Europe. That doesn’t mean other images yet to be found have lists of other parts of the world though. So the advice should be to be careful with ANY images of suspicious origins.

    But no, simply opening an image won’t be the source of attack alone. Trend Micro doesn’t point out on the original post what’s the source of infection for the trojan, but I’m guessing you need to download and execute a file for it.

    More details about it here:

  • Mmmmichael

    Oh, great: now with steganography, dinosaur porn is no longer safe to download. :-(

  • Matt

    Seems like a proof of concept. The malware could have easily contained the list of banks, that is not really an issue. What would be a good use is to hide a LOT of malware within photos, would give the hackers a larger space to program in with limited opportunities to be detected. It would be much harder to find that malware in a computer than if it lived in a traditional executable file. However, it would still need a trigger program or action. Such as a click or an automatic action. But, at least I do not know of an avenue of activation in the jpg decoders. That would be a huge issue.

  • Alan Klughammer

    No more real info on the TrendMicro site (a Windows Antivirus Company), although the comments label the article as FUD.
    I remember many years ago (maybe back in the XP days) malicious code was embedded in jpgs because Microsoft would try to execute all files. I have since moved away from Microsoft, but I understand that they have much improved security and jpgs are not a threat anymore. It seems that your computer has to be already infected for these jpgs to cause issues.

  • Patrick Ahles

    Malicious malware?

    (yes, I know I’m late posting a comment…)