9 Banking Trojans & Trends Costing Businesses in 2017
New Trojans appeared, old ones resurfaced, and delivery methods evolved as cybercriminals set their sights on financial data.
Banking Trojans have been a recurring theme in security news this year as criminals find new ways to steal money and data from their victims.
"We have started to see the re-emergence of banker Trojans," says Bogdan Botezatu, senior e-threat analyst at Bitdefender, noting that banking Trojans had their heyday between 2012 and 2013. "But we could have sworn the trend was otherwise."
It's interesting to see banking Trojans resurface because of the resources they need to work. Unlike comparatively simple attacks like ransomware, banking malware requires several players and is difficult to launch and monetize. Botezatu suggests the rise could be attributed to both code leaks of other banking Trojans and an oversaturation of the ransomware market.
Many of the banking Trojans we've seen this year are reminiscent of those we've seen in the past. Others are old threats being distributed in new ways, targeting new victims.
Terdot, a banking Trojan first seen in October 2016, takes its inspiration from source code of the Zeus banking Trojan following Zeus' source code leak in 2011. IcedID, another new banking Trojan that emerged in September, shares traits with Gozi, Zeus, and Dridex.
"Overall, this is similar to other banking Trojans, but that's also where I see the problem," says Limor Kessem, executive security advisor for IBM Security, of IcedID. It's rare to see banking Trojans that don't share qualities with existing variants. Attackers are copying one another and adding new features, such as detection-evasion techniques, to further advance the malware.
Here, we look back on the new and evolved ways banking Trojans targeted victims in 2017. Any threats we missed that should've made the list? Which do you think will stick around next year? Feel free to leave your thoughts in the comments and read on for more.
Researchers at Bitdefender first spotted the Terdot banking Trojan in October 2016. The malware, which derives inspiration from the 2011 source code leak of the Zeus banking Trojan, goes beyond the usual capabilities of banking malware and could be used for cyberespionage.
It has all the main functionalities of a banking Trojan: Terdot arrives via malicious email with a button disguised as a PDF link. When clicked, it infects the machine and creates a Web proxy to modify transactions. Any data victims send to a bank is intercepted and modified in real time, and the malware intercepts and modifies the bank's response.
Terdot can also be used to view and modify traffic on email and social media platforms, collect victims' financial information, steal credentials, inject HTML code on visited Web pages, and download and execute files. Because it lives in the browser, it has unrestricted access to whatever is posted using that browser. It can monitor activity and inject spyware.
Detection and removal is tough, says Botezatu. "It has modules that ensure persistence. It injects itself into every process on that machine, and these processes act like a watchdog to one another."
In November 2017, researchers at IBM X-Force reported a new banking Trojan called IcedID, an advanced Trojan first seen in September. Its targets include banks, payment card providers, mobile service providers, payroll, Web mail, ecommerce sites in the US and Canada, and two major banks in the United Kingdom.
IcedID is distributed through the Emotet Trojan, which is built to amass and maintain botnets. Emotet arrives via spam email and is usually hidden in productivity files packed with malicious macros. Once IcedID arrives, it can propagate over a target network, which experts say is a sign it's meant to target large businesses. Network propagation is common among nation-state attackers but rare for banking Trojans.
Attack methods include both Web injection attacks and advanced redirection attacks, report IBM researchers. It deploys on machines running various versions of Windows.
"The sophistication of the code is modular, and it has different details reminiscent of other organized crime groups," says Limor Kessem, executive security advisor for IBM Security, who says this is "not an amateur group."
Silence was discovered by Kaspersky Lab researchers in September 2017. A dangerous and sophisticated Trojan, it uses techniques similar to those of the Carbanak hacker group. The Silence Trojan is deployed after the attackers, a group also dubbed Silence, have spent a long period lying low inside the victim organization. Its goal is not the banks' customers but the banks themselves, for financial gain.
Financial organizations are hit when Silence arrives as a malicious attachment in spearphishing emails. When the victim clicks, it begins a series of downloads, executes the dropper, communicates with the C&C server, and downloads and executes malicious modules to monitor victims through screen recording, data upload, credential theft, and remote control access. The "monitoring and control" module records victims by taking screenshots of their monitor.
Silence's monitoring capabilities are similar to those of the Carbanak group, an Eastern European cybercrime organization that also used spearphishing to target financial institutions. Like Carbanak, Silence persists on a victim network for long enough to collect sufficient information for monetary gain. Most of Silence's victims have been Russian banks, though it has also targeted businesses in Malaysia and Armenia.
Trend Micro researchers first detected banking Trojan Emotet back in 2014. Years later, in September 2017, they discovered increased activity coming from new variants of Emotet with the potential to release different types of payloads onto target systems. The motivation behind Emotet, information theft, remains the same but experts have a few reasons to explain why it resurfaced.
The first is that attackers are hitting new regions and industries: earlier versions of Emotet targeted financial organizations, but new data indicates the malware is now hitting companies across industries including healthcare, food and beverage, and manufacturing. Emotet may also have resurfaced because new variants use several ways to spread. The primary propagation method is a spam botnet, but Emotet can also spread with a network propagation module that runs a dictionary attack to brute-force domain account passwords and then uses the cracked accounts to move laterally.
Emotet could be relying on the "element of surprise," researchers report. Since it had been inactive for a period of time, Emotet's targets are being caught off-guard. As a result, new attacks and capabilities are more effective. The malware uses email spamming and lateral movement, so it has a greater chance of infecting enterprises and stealing sensitive data.
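One way to catch the domain-account dictionary attack described above is to look for bursts of Windows logon failures (Security Event ID 4625) coming from a single source host. The detector below is an added example, not code from the article or from Trend Micro; it assumes 4625 events have been exported into the simplified one-line text form shown, and the log lines themselves are constructed for illustration. It goes slightly beyond Emotet's case by also separating a single-account brute-force from a password spray across many accounts, since both show up as the same event type.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4625 (logon failure) records,
# one per line, in an assumed simplified export format:
#   <ISO timestamp> <event id> <source host> <source ip> TargetUser=<account> Status=<NTSTATUS>
# 10.0.5.17 tries ten different accounts in five seconds (dictionary/spray pattern),
# 10.0.9.3 hammers a single account, 10.0.2.8 is a user mistyping a password twice.
SAMPLE_LOG = """\
2017-09-12T10:00:01 4625 WS-FIN-07 10.0.5.17 TargetUser=alice Status=0xC000006A
2017-09-12T10:00:01 4625 WS-FIN-07 10.0.5.17 TargetUser=bob Status=0xC000006A
2017-09-12T10:00:02 4625 WS-FIN-07 10.0.5.17 TargetUser=carol Status=0xC000006A
2017-09-12T10:00:02 4625 WS-FIN-07 10.0.5.17 TargetUser=dave Status=0xC000006A
2017-09-12T10:00:03 4625 WS-FIN-07 10.0.5.17 TargetUser=erin Status=0xC000006A
2017-09-12T10:00:03 4625 WS-FIN-07 10.0.5.17 TargetUser=frank Status=0xC000006A
2017-09-12T10:00:04 4625 WS-FIN-07 10.0.5.17 TargetUser=grace Status=0xC000006A
2017-09-12T10:00:04 4625 WS-FIN-07 10.0.5.17 TargetUser=heidi Status=0xC000006A
2017-09-12T10:00:05 4625 WS-FIN-07 10.0.5.17 TargetUser=ivan Status=0xC000006A
2017-09-12T10:00:05 4625 WS-FIN-07 10.0.5.17 TargetUser=judy Status=0xC000006A
2017-09-12T10:00:09 4625 WS-HR-02 10.0.9.3 TargetUser=mallory Status=0xC000006A
2017-09-12T10:00:10 4625 WS-HR-02 10.0.9.3 TargetUser=mallory Status=0xC000006A
2017-09-12T10:00:11 4625 WS-HR-02 10.0.9.3 TargetUser=mallory Status=0xC000006A
2017-09-12T10:00:12 4625 WS-HR-02 10.0.9.3 TargetUser=mallory Status=0xC000006A
2017-09-12T10:00:13 4625 WS-HR-02 10.0.9.3 TargetUser=mallory Status=0xC000006A
2017-09-12T10:00:14 4625 WS-HR-02 10.0.9.3 TargetUser=mallory Status=0xC000006A
2017-09-12T10:00:15 4625 WS-HR-02 10.0.9.3 TargetUser=mallory Status=0xC000006A
2017-09-12T10:00:16 4625 WS-HR-02 10.0.9.3 TargetUser=mallory Status=0xC000006A
2017-09-12T10:05:00 4625 WS-IT-01 10.0.2.8 TargetUser=oscar Status=0xC000006A
2017-09-12T10:30:00 4625 WS-IT-01 10.0.2.8 TargetUser=oscar Status=0xC000006A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) (?P<host>\S+) (?P<ip>\S+) "
    r"TargetUser=(?P<user>\S+) Status=(?P<status>0x[0-9A-Fa-f]+)$"
)


def parse_events(text):
    """Parse exported log lines; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "host": m["host"],
            "ip": m["ip"],
            "user": m["user"],
            "status": m["status"],
        })
    return events


def detect_bursts(events, window_seconds=60, threshold=5, spray_accounts=5):
    """Alert once per source IP that produces >= threshold 4625 events within window_seconds.

    After the threshold is crossed the window is extended forward from the burst's first
    event, so the alert reports every failure in that window, not just the first few.
    """
    window = timedelta(seconds=window_seconds)
    by_source = defaultdict(list)
    for e in events:
        if e["event"] == 4625:
            by_source[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside the window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                limit = evs[start]["ts"] + window
                hits = [h for h in evs[start:] if h["ts"] <= limit]
                accounts = sorted({h["user"] for h in hits})
                alerts.append({
                    "source": ip,
                    "host": hits[0]["host"],
                    "window_start": hits[0]["ts"].isoformat(),
                    "failures": len(hits),
                    "accounts": accounts,
                    "pattern": "password-spray" if len(accounts) >= spray_accounts else "brute-force",
                })
                break  # one alert per source is enough for triage
    return sorted(alerts, key=lambda a: a["source"])


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately low to keep the sample short; in production, tune `threshold` and `window_seconds` against a baseline of normal failures, and treat a spray from a workstation (rather than from a jump host or scanner you know about) as a strong lateral-movement signal regardless of whether any logon eventually succeeds.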
In July 2017, researchers at Flashpoint discovered the Necurs botnet was delivering the Trickbot banking Trojan to financial organizations in the US. Trickbot, considered the successor to the Dyre banking Trojan, specifically targets businesses in finance and has been behind man-in-the-browser attacks since 2016. However, until this point, it had only attacked those outside the United States.
The new Trickbot spam campaign, dubbed "mac1," has an expanded webinject configuration to hit customers in the US and abroad. It was developed to target 50 additional banks and had fueled at least three different spam waves at the time it was reported. Later in July, a new version of Trickbot was discovered using a worm propagation module, inspired by the WannaCry ransomware attack. After infecting a system, the Trojan would spread locally on the network using Server Message Block (SMB) shares.
A main concern with Trickbot is account takeover and fraud, which experts say may increase among US financial institutions as the malware continues to spread. Necurs emerged in 2012 and has become known for propagating spam campaigns. Researchers at Flashpoint say the use of Necurs is a sign of the attackers' sophistication and companies outside finance could also be at risk.
Attackers this year began to "poison" Google search results to deliver the Zeus Panda banking Trojan. By using Search Engine Optimization (SEO), they could populate search results with malicious links and specifically target people who searched for certain keywords.
In this campaign, hackers used compromised Web servers to make sure malicious links would prominently appear in searches for "Nordea Sweden bank account number" and "sbi bank recurring deposit form." People who searched for these terms would see multiple poisoned links on the first results page. Attackers used the links to distribute Zeus Panda via a malicious Word document whose macros run once the victim opens the file and enables macro content.
In this case, researchers found a new version of the Zeus Panda Trojan, which steals sensitive information such as financial data. This iteration evades detection with anti-analysis techniques and delayed execution. It checks the system's keyboard layout to determine the language in use, and checks whether it is running inside a hypervisor or sandboxed environment before proceeding.
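A first triage step for documents delivered by a campaign like this is to check whether an Office file carries a VBA project at all, before any dynamic analysis. The script below is an added example, not code from the article, Cisco Talos or any vendor tool. It inspects the OOXML container (which is a zip archive) for a `vbaProject.bin` part and for a macro-enabled content type in `[Content_Types].xml`, and flags the case where a VBA part sits inside a file with a `.docx`, `.xlsx` or `.pptx` extension, which Office defines as macro-free. The sample documents are constructed in memory and are not real malware or complete Word files.

```python
import io
import zipfile

# Substrings Office uses in [Content_Types].xml for macro-enabled parts.
MACRO_MARKERS = ("macroEnabled", "vbaProject")
# Extensions Office treats as macro-free; a VBA part inside one of these is a red flag.
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}


def build_sample_doc(with_macro):
    """Construct a minimal OOXML-shaped zip in memory (not a complete Word file, not real malware)."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    )
    if with_macro:
        content_types += (
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
        )
    content_types += "</Types>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for the OLE container that holds the VBA streams.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def triage(data, filename):
    """Report whether an OOXML blob carries a VBA project and whether that conflicts with its extension."""
    result = {
        "filename": filename,
        "macro_parts": [],
        "macro_content_type": False,
        "extension_mismatch": False,
        "verdict": "clean",
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy OLE2 .doc/.xls or something else entirely; needs a different parser.
        result["verdict"] = "not-ooxml"
        return result

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["macro_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = any(marker in ct_xml for marker in MACRO_MARKERS)

    has_macro = bool(result["macro_parts"]) or result["macro_content_type"]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result["extension_mismatch"] = has_macro and ext in MACRO_FREE_EXTENSIONS
    if has_macro:
        result["verdict"] = "macro-bearing"
    return result


if __name__ == "__main__":
    for name, blob in (("form.docm", build_sample_doc(True)),
                       ("form.docx", build_sample_doc(True)),
                       ("invoice.docx", build_sample_doc(False))):
        print(triage(blob, name))
```

"Macro-bearing" is not the same as malicious: plenty of legitimate finance templates carry VBA, so this check decides what gets a closer look, not what gets blocked. It also does nothing for legacy OLE2 `.doc`/`.xls` files, which these campaigns also use; for those, and for pulling out the macro source itself, use a dedicated parser such as oletools' olevba.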
Cybercriminals began employing a new framework to deliver the Blackmoon banking Trojan to users in South Korea, researchers at Fidelis Cybersecurity found. The new campaign, reported in May, was another sign attackers are working to evade anti-malware tools. While South Koreans were at risk in this case, experts warn the framework could be adapted to target other nations.
This framework uses three separate downloader pieces, which work together to install the malware. One makes a request to a hardcoded URL; the other two have similar instructions for downloading and executing other software components. This tactic makes it easy to evade detection and alter one component without affecting the other two.
Blackmoon, first discovered in 2014, is a banking Trojan designed to steal credentials for online banking accounts and other financial accounts; for example, a retirement savings account. It's typically spread with an exploit kit, malicious websites, or online advertisements.
A new Android Trojan family, reported in November, uses four payload stages -- double the usual two -- in its attack. ESET researchers notified Google when they found the Android/TrojanDropper.Agent.BKY family in at least eight apps on Google Play.
The first stage calls for the malicious app to execute the second-stage payload, which contains a hardcoded URL that downloads the third payload. Users are asked to install an app disguised as a Flash or Android update, which executes the fourth payload, a mobile banking Trojan, once permissions are granted.
The additional stages help attackers hide the final payload. Malicious apps take users to a fake login form, where they steal credentials and credit card details. ESET found the samples within the Android/TrojanDropper.Agent.BKY were primarily banking Trojans or spyware; however, the chosen downloader could be anything the attacker wants.
New analysis of the Boleto Trojan found a variant that differs from typical banking malware like Trickbot or Zeus, which use phishing to send victims to a fake login screen so they can steal data. This version of Boleto uses malicious overlays, which are triggered after a victim signs into their legitimate bank account. The Trojan was first discovered by researchers at Cisco Talos and later unpacked by Check Point Research.
Once on a victim machine, the malware waits until someone tries to log into online banking. It then sends a text message to the attacker and puts an overlay screen on the victim's browser. The Trojan, which matches the browser type and bank information, puts a long message on the screen. While the victim reads it, the attacker goes underneath the overlay and runs transactions from the account, which is visible behind the distracting message.
At the time it was reported, this was limited to South American victims but could potentially affect more people if adopted by attackers with different targets.