Newer versions of the ZeuS malware are doing much more than just stealing sensitive information from computers.
One variant of the malware uses compromised systems to check for availability of Instagram usernames, said researchers at RSA.
Once it lands on a computer, the malware downloads several additional components. The hashes of the threat change often to avoid detection by antivirus solutions, but the size of the file is always the same.
After the additional malicious components end up downloaded and installed, ZeuS performs search engine queries, most likely in an effort to promote malicious websites in search engine results.
Then, it starts checking for the availability of Instagram usernames via the social media network’s mobile API.
“For servers and virtual machines running Windows operating systems, Instagram API calls are pushed into Instagram by spoofing User-Agent strings in an attempt to disguise the traffic as a Smartphone running an Android operating system,” said RSA senior researcher “Fielder.”
The threat checks usernames comprised of a dictionary word followed by a series of four or more random characters.
Experts believe the malware is checking the availability of Instagram usernames in an effort to create an army of fake Instagram users that can later end up sold as followers to individuals or organizations that want to boost their popularity.
In addition to checking for usernames, the malware is also capable of automatically liking photos posted on other Instagram accounts.
“The latest Zbot variant appears to be upping its game with new features and functionality. Search engine optimization abuse and Instagram account abuse could just be the beginning,” “Fielder” said.