The practice has been also spotted by Malwarebytes researchers in mid-February. Analyst Jerome Segura has then analyzed the malicious sunset photos and compared it with an unmodified one he found on the Internet.
"If we put both pictures (the original and altered one) side by side and view them in bitmap mode, we can spot where extra data was added," he pointed out.
"The malware was retrieving a JPG image hosted on the same server as were other malware components," he noted.
Once decrypted, the hidden data in the picture reveals the file's true purpose, as it contains the list and URLs of banks and financial institutions that should be targeted.
"Hiding malevolent code in such a way can successfully bypass signature-based Intrusion Detection Systems or even antivirus software. From a webmaster point of view, images (especially ones that can be viewed) would appear harmless," Segura noted. "It’s a reminder that a file should not be considered safe simply because it appears to be a legitimate picture, song or movie."
This particular Zeus variant does what this type of malware usually does: it allows crooks to harvest the users' banking and other account credentials. But it also downloads another piece of malware that removes the X-Frames-Options HTTP header from sites the user visits, allowing websites to be displayed inside a frame.
"Webmasters use this setting to ensure their sites are not used in clickjacking attacks," Trend Micro researchers pointed out.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.