This new version, which Trend Micro detects as TSPY_ZBOT.SMQH, spread around late September through spam that claimed to be from the Australian Taxation Office (ATO). The spammed messages contained a malicious link that when clicked directed users to a malicious website that served the BlackHole Exploit Kit. The exploit kit, in turn, downloads a variant of the new ZeuS version.
As we can see, unlike ZeuS 220.127.116.11, which uses Advanced Encryption Standard (AES), the decryption algorithm did not change much compared with the modified ZeuS 2, which uses RC4.
As I mentioned earlier, like LICAT and ZeuS 18.104.22.168, this new variant also seems to be crafted by a private professional gang, probably the same ones who created LICAT or who may be affiliated with them at the very least. In fact, the configuration file for TSPY_ZBOT.SMQH has the same format as that of the configuration file of LICAT.