- Computer viruses -
Banking viruses: families of banking viruses
Name | Description |
Gozi | Also known as Ursnif, Gozi is one of the oldest banking trojans. To put it simply, Gozi tricks users into completing financial transactions in accounts that aren’t theirs. It has been around since 2007 and, as one of the original banking trojans, has caused millions of dollars in damages. In 2010, the Gozi source code was leaked, which led to the creation of several different versions of the malware. It was leaked for a second time in 2015, which led to further modularization and development of new versions of the malware. In 2016, Latvian hacker Deniss Calovskis was sentenced to time served (21 months) for developing the original Gozi code. Arresting a key developer often stops banking trojans, but it appeared to have little effect on Gozi. After more than ten years, Gozi continues to be one of the most sophisticated and constantly evolving malware families. When first developed, Gozi used rootkit components to hide its processes. More recently it has added both client-side and server-side evasion techniques and has continued to evolve. Recently, Gozi and Tinba have been connected through their use of shared web injection techniques. Although the scope has expanded for many banking trojans, Gozi continues to target financial institutions. As of March 2019, Gozi has been connected to DanaBot for targeting some of the same Italian banks. Gozi shows no signs of stopping and is considered one of the most dangerous banking trojans. |
Tinba | Also known as Tiny Banking Trojan, Tinba was first discovered in the wild in 2012, when it was found to have infected a number of computers in Turkey. It is the smallest banking trojan known, consisting of only a 20 KB file. It typically runs geo-specific campaigns, though it varies its regions. Tinba’s code was first leaked in 2014 and proved to be a useful resource for malware researchers to analyze. Tinba has also been linked to other banking trojans in the past. It is allegedly a highly modified version of Zeus, as it has a similar architecture. In 2016, F5 Labs reported that Tinba and Gozi used almost identical web injects; they seem to have been bought from the same webinject workshop. Tinba has not been in the news recently, but it would be naive to think that it is gone for good. |
Vawtrak | Also known as Neverquest or Snifula, Vawtrak is a descendant of the Gozi banking trojan. First discovered in 2013, Vawtrak was active in geographically targeted campaigns and employs a Cybercrime-as-a-Service business model. This is not unique to Vawtrak, as other trojans, including Gameover Zeus, also use this business model. Instead of selling the malware outright, Vawtrak’s authors offer malware delivery based on a service agreement, for example: a number of passwords stolen from X number of users, using bank Y in country Z. There have been a few technical papers detailing the analysis of the Vawtrak malware and its evolution over the years. In January 2017, Vawtrak’s alleged author, Russian national Stanislav Vitaliyevich Lisov, who went by the monikers “Black” and “Blackf,” was arrested and, as of February 2019, pled guilty to creating, running, and infecting users with the Vawtrak banking trojan. Vawtrak’s activity declined after Lisov’s arrest; however, another banking trojan, Bokbot (also known as IcedID), has been connected to the group behind Vawtrak. |
Emotet | This malware was first identified by security researchers in 2014 as a simple banking trojan. Later versions of the malware evolved and added malware delivery services, including the ability to install other banking trojans. In August 2017, Emotet was connected to another banking trojan, Dridex: Emotet “dropped” Dridex as an additional payload. The technique of using one piece of malware to drop another is not new, but it is significant to see banking trojans “working together.” As of September 2018, Emotet was using the EternalBlue Windows vulnerability (first seen with the WannaCry ransomware) in order to propagate. A patch for this powerful vulnerability has been available for some time; however, there are still devices out there that have not yet been patched against the SMB (file sharing) vulnerability. Emotet is not a continually running malware; it tends to run through geographically centered campaigns, yet its techniques are constantly evolving and it continues to be dangerous. |
Kronos | Kronos is known in Greek mythology as the “Father of Zeus.” Kronos malware was first discovered in a Russian underground forum in 2014 after the takedown of Gameover Zeus. It was more expensive than many other banking trojans, costing $7,000 to buy outright or $1,000 for a one-week trial. Many other banking trojans could be bought from underground forums for hundreds, not thousands, of dollars. Kronos marketed itself as one of the most sophisticated trojans, and many malware researchers commented that its author(s) clearly had prior knowledge of malware techniques. The code is well obfuscated using many different techniques. Security researchers from Kaspersky Lab postulated that Kronos may be a spin-off of the Carberp banking trojan, and IBM analysts also connected Kronos to Zeus through its compatible HTML injection mechanism. In August 2017, Marcus Hutchins, the security researcher who single-handedly put a halt to the WannaCry ransomware outbreak, was indicted and charged with writing, with intent to distribute, the Kronos malware. In April 2019, Hutchins pled guilty to two of the ten charges laid against him. As of July 26th 2019, Hutchins was sentenced to time served with supervised release. Unlike many other banking trojans, Kronos did not die out with the arrest of a supposed key author. In July 2018, Kronos reemerged with three distinct campaigns targeting Germany, Japan, and Poland. There is also some circumstantial and speculative evidence in the malware research community suggesting that Kronos has been rebranded and is being sold as the Osiris banking trojan. Kronos is still active and continues to be a threat. |
Dridex | First seen in 2011, Dridex has had a longer evolutionary journey than most malware families and has survived through the years by obfuscating its main command-and-control (C&C) servers through proxies. Dridex’s first appearances in September 2011 came under the name Cridex. It caused destruction to banks until June 2014, when Dridex version 1.1 appeared in the wild. Dridex emerged almost exactly one month after Operation Tovar’s takedown of the Gameover ZeuS botnet, which also marked the end of Cridex attacks. Dridex and Gameover ZeuS have many similarities in their code, and attribution for Dridex is tied to a Russian-speaking gang that may be a spinoff from the “Business Club,” an organized cybercrime gang that developed the Gameover ZeuS botnet. A number of arrests were made in September 2015, but that did little to stop Dridex. In February 2016, F5 Labs published reports on the Dridex Botnet 220 campaign noting the evolution of the malware, and then in April 2016 noted that Dridex had shifted focus from UK banks to US banks. In December 2018, researchers found connections between Dridex, Emotet, and Ursnif/Gozi malware. It continues to evolve technically and remains an active threat. |
DanaBot | One of the newer banking trojans, DanaBot first emerged in mid-2018, targeting Australian users. Since it first appeared in the wild, DanaBot has been seen targeting European banks and email providers. Like many other banking trojans, DanaBot has recently shifted focus away from exclusively targeting financial services institutions, for a number of reasons: since users often share passwords across platforms, compromising credentials is still useful for many cybercriminals. F5 Labs also published a notable link between DanaBot, Gozi, and Tinba web injection patterns, supporting the idea that a great deal of fraud business logic is now implemented in JavaScript and sold to malware authors. |
Ramnit | This unique banking trojan started out in 2010 as a worm and, sometime after the Zeus source code leak, acquired parts of the Zeus code and became a banking trojan. Ramnit has continued to evolve in terms of sophistication, technique, and scope as a botnet since becoming a banking trojan. It remains active despite a shutdown of 300 command-and-control servers in February 2015. After this setback, Ramnit reappeared in late 2015 and again in mid-2016. In early 2017, F5 Labs published a technical article breaking down Ramnit’s new disappearing configuration file. Like many other banking trojans, Ramnit has broadened its scope in recent years. Over the 2017 holiday season, Ramnit’s target list was 64% eCommerce retailers in addition to financial services institutions. In 2018, Ramnit continued to work quickly, infecting over 100,000 machines in two months. Ramnit continues to be distributed via exploit kits and still runs active campaigns today, most recently returning to target Italian financial institutions. |
Panda | Yet another Zeus variant, Panda was first discovered in Brazil in 2016, around the time of the Olympic Games. Panda uses many of the traditional techniques from Zeus, including man-in-the-browser (MITB) attacks and keylogging, but sets itself apart through its advanced stealth capabilities, which have made analyzing the malware more difficult. As of 2017, Panda was able to detect 23 forensic analysis tools, and it is possible that it now detects even more. Like many other banking trojans, Panda has expanded its target list beyond just financial services institutions, and in 2018 was caught targeting cryptocurrency exchanges and social media websites. Moving into 2019, Panda continued to expand its scope: the March 2019 campaign exclusively targeted US-based companies, many of which are in the web services industry. Panda remains active; its stealth capabilities make it a unique malware family that continues to evade anti-virus software. |
Backswap | A variant on Tinba, Backswap was first observed in March 2018 targeting Polish banks and browsers. Backswap is written entirely in assembly language and is considered “position-independent code” (PIC), which means that it can be run from anywhere in memory. Its PIC status makes Backswap very different from other banking trojans. The Polish CERT published a comprehensive technical analysis of the code. Backswap quickly expanded its scope in April 2018, adding additional banks and techniques, as thoroughly detailed by F5 Labs. The evolution of techniques continued through August 2018, when Backswap also made a geographical shift away from Polish banks to exclusively target Spanish banks. Through the latter part of 2018 and early 2019, Backswap continued to run campaigns, though its technical evolution has slowed. |
Zbot/Zeus | Zeus, also known as Zbot, is a notorious Trojan which infects Windows users and tries to retrieve confidential information from the infected computers. Once it is installed, it also tries to download configuration files and updates from the Internet. The Zeus files are created and customized using a Trojan-building toolkit, which is available online to cybercriminals. Zeus was created to steal private data from infected systems, such as system information, passwords, banking credentials or other financial details, and it can be customized to gather banking details in specific countries and using various methods. Using the retrieved information, cybercriminals log into banking accounts and make unauthorized money transfers through a complex network of computers. Zbot/Zeus is based on the client-server model and requires a Command and Control server to send and receive information across the network. The single Command and Control server is considered to be the weak point in the malware architecture, and it is the target of law enforcement agencies when dealing with Zeus. To counter this weak point, the latest variants of Zeus/Zbot have included a DGA (domain generation algorithm), which makes the Command and Control servers resistant to takedown attempts: the DGA generates a list of domain names to which the bots try to connect in case the Command and Control server cannot be reached. Zeus/Zbot, known by many names including PRG and Infostealer, has already infected as many as 3.6 million systems in the United States. In 2009, security analysts found that Zeus had spread to more than 70,000 accounts of banks and businesses, including NASA and the Bank of America. |
Zeus Gameover | Zeus Gameover is a variant of the Zeus family – the infamous family of financial stealing malware – which relies upon a peer-to-peer botnet infrastructure. This network configuration removes the need for a centralized Command and Control server, and includes a DGA (Domain Generation Algorithm) which produces new domains in case the peers cannot be reached. The peers in the botnet can act as independent Command and Control servers, exchanging commands or configuration files among themselves and finally sending the stolen data to the malicious servers. Zeus Gameover is used by cybercriminals to collect financial information, targeting various user data, from credentials, credit card numbers and passwords to any other private information which might prove useful in retrieving a victim’s banking information. GameOver Zeus is estimated to have infected 1 million users around the world. |
Ice IX | Ice IX is a modified variant of Zeus, the infamous banking Trojan and one of the most sophisticated pieces of financial malware out there. This modified variant is used by cybercriminals with the same malicious purpose of stealing personal and financial information, such as credentials or passwords for e-mail or online bank accounts. Like Zeus, Ice IX can control the content displayed in a browser used for online banking websites; the injected web forms are used to extract banking credentials and other private security information. Ice IX improved a few Zeus capabilities. The most important one is a defense mechanism to evade tracker sites, which at present monitor most Command and Control servers controlled by Zeus. |
Bugat | Bugat is another banking Trojan, with capabilities similar to Zeus – the notorious data-stealing Trojan – and is used by IT criminals to steal financial credentials. Bugat targets an infected user’s browsing activity and harvests information during online banking sessions. It can upload files from an infected computer, download and execute files, list running processes, or steal FTP credentials. Bugat communicates with a command and control server from which it receives instructions and updates to the list of financial websites it targets. The collected information is sent to the cybercriminal’s remote server. Cybercriminals spread the malware mostly by inserting malicious links in the e-mails they send to the targeted users. When a user clicks a malicious link, he is directed to a dangerous website from which the Bugat executable is downloaded onto the system. |
Shylock | Shylock is a banking malware designed to retrieve users’ banking credentials for fraudulent purposes. As soon as it is installed, Shylock communicates with the remote Command and Control servers controlled by the cybercriminals, sending and receiving data to and from the infected PCs. Similar to Zeus Gameover, this malware makes use of a domain generation algorithm (DGA) to generate a number of domain names that can be used to relay commands between the malicious servers and the infected systems. The Trojan is delivered mostly through drive-by downloads on compromised websites and via malvertising, where malicious code is inserted into adverts that are then placed on legitimate websites. Another popular method of spreading this financial malware is by inserting malicious JavaScript into a web page. This technique produces a pop-up which pushes the user to download a plugin, apparently necessary for the media display on the website. |
Torpig | Torpig is a sophisticated type of malware program designed to harvest sensitive information, such as bank account and credit card information, from its victims. The Torpig botnet – the network of compromised PCs under the control of cybercriminals – is the main means for sending spam e-mails or stealing private information or credentials for online bank accounts. Torpig also uses a DGA (domain generation algorithm) to generate a list of domain names and locate the Command and Control servers used by the attackers. Users are typically infected through drive-by downloads: a web page on a legitimate website is modified to request JavaScript code from a web location controlled by the IT criminals. The infected computers run phishing attacks to obtain sensitive data from their victims. |
CryptoLocker | This malware encrypts your data and displays a message which states that your private information can be decrypted for a sum of money within a limited period of time. Though CryptoLocker can be removed by various security solutions, there isn’t any way yet to decrypt the locked files. CryptoLocker is one of the nastiest pieces of malware ever created, not just because it takes money from you or because it can access your private data, but because once it manages to encrypt your information, there is no way for you to decrypt those files. This ransomware is so dangerous because the affected users have their private information disclosed (and taken advantage of) and they also lose the files without any chance of recovering them. CryptoLocker is a ransomware Trojan which can infect your system in different ways, but usually this happens by means of an apparently legitimate e-mail attachment from a well-known company or institution. Because it spreads through e-mail attachments, this ransomware is known to target companies and institutions through phishing attacks. |
Retefe | The Retefe banking Trojan has been around for some time, targeting Sweden, Switzerland and Japan, as previously reported by Paloalto Research. We recently noticed Retefe campaigns targeting UK banking customers. Using fake certificates, the Trojan is designed to trick victims into giving up their login credentials and other sensitive information. |
Dreambot | One of the most active banking Trojans that we have observed recently in email and exploit kits is one often referred to as Ursnif or Gozi ISFB [6]. Thanks to Frank Ruiz from FoxIT InTELL, we know that the actor developing one of its variants since 2014 has named this variant Dreambot. The Dreambot malware is actively evolving, and recent samples in particular caught our attention for their addition of Tor communication capability, as well as peer-to-peer (P2P) functionality. Dreambot is currently spreading via numerous exploit kits as well as through email attachments and links. |
TrickBot | In November 2015, the Dyre banking trojan seemingly disappeared overnight, surprising security researchers worldwide. Months later it was announced that Russian authorities had arrested most of the gang responsible for its operations. Prior to that, it was a relatively rare act for Russian authorities to take action in such matters. Since then, nothing has been heard from those actors, but the speculation was that some of the programmers and other elements of the criminal operation would be subsumed into other cybercriminal operations. |
Asacub | Kaspersky Lab discovered Asacub, a banking trojan which started actively attacking Android users in January. Our experts managed to track its evolution step-by-step. |
GozNym | In the PC world, a Trojan horse is malicious code hidden inside a harmless-looking piece of content or program. Trojans can be very creative in camouflaging themselves in almost any piece of data or file: it could be an EXE installation file, a media codec, a smartphone app or even a web page. And this is not everything. Other common places where this type of malware likes to hide are image files, sound files, office documents, or online games. With such a great variety, users are easily deluded into clicking an infected file, which usually installs malware that starts to operate in their system immediately. This way, Trojans are able to sneak into the PC unnoticed, get control over the system and do a specific form of damage. As you see, these are all common types of content that users interact with daily. The chance of clicking on an infected file, thinking it is harmless, but ending up with a Trojan horse instead, is quite realistic. This is probably how you got the GozNym malware on your PC. |
Dyre | Threat actors regularly develop new Trojan horse malware to fuel their operations and to ensure the longevity of their botnets. After the takedowns of the Gameover Zeus and Shylock botnets, researchers predicted that a new breed of banking malware would fill the void. In early June 2014, the Dell SecureWorks Counter Threat Unit™ (CTU™) research team discovered the Dyre banking trojan, which was being distributed by Cutwail botnet spam emails that included links to either Dropbox or Cubby file storage services. The threat actors later shifted to distribution via the Upatre downloader trojan. Dyre is also known as Dyreza, Dyzap, and Dyranges by the antivirus industry. |
Gugi | Almost every Android OS update includes new security features designed to make cybercriminals’ life harder. And, of course, the cybercriminals always try to bypass them. We have found a new modification of the mobile banking Trojan, Trojan-Banker.AndroidOS.Gugi.c, that can bypass two new security features added in Android 6: permission-based app overlays and a dynamic permission requirement for dangerous in-app activities such as SMS or calls. The modification does not use any vulnerabilities, just social engineering. |
Luuuk | Stealing more than half a million euro in just a week – it sounds like a Hollywood heist movie. But the organizers of the Luuuk banking fraud pulled it off with a Man-in-the-Browser (MITB) campaign against a specific European bank. The stolen money was then automatically transferred to preset mule accounts. When GReAT discovered Luuuk’s control panel, it immediately got in touch with the bank and launched an investigation. |
Lurk | Perhaps the biggest problem with cybercriminals is that they are extremely difficult to catch. Think of a real-life bank robbery with guns and face-masks — the thieves leave fingerprints; their voices are recorded by security cameras; police can trace their cars using traffic cameras; and so on. All of that helps the investigators find the suspects. But when cybercriminals pull off a robbery, they leave … basically nothing. No clues. |
Tiny Banker Trojan | Tiny Banker Trojan, also called Tinba, is a malware program that targets financial institution websites. It is a modified form of an older type of virus known as Banker Trojans, but it is much smaller in size and more powerful. It works by mounting man-in-the-browser attacks and network sniffing. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC and Bank of America. It is designed to steal users’ sensitive data, such as account login information and banking codes. |
Zeus | Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. |
Dridex virus | Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word. The targets of this malware are Windows users who open an email attachment in Word or Excel, causing macros to activate and download Dridex, infecting the computer and opening the victim to banking theft. |
SpyEye | The SpyEye trojan was supposed to be the banking trojan that would come to compete with Zeus. In the end, SpyEye was like all the men said to be heirs to Michael Jordan’s greatness. They had hype, they had potential, but they couldn’t take down the king. Zeus is the king, no doubt, but SpyEye made a fast disappearing splash. |
Snifula | For years now, malware has attempted to evade detection by security software using many different methods. Functions such as ending processes and services and deleting files and registry keys related to security products are commonly included in many of today’s malware. We recently noticed a simple, but interesting, trick used in an attempt to prevent the installation of a security product. |
Ursnif | This week Proofpoint researchers observed several noteworthy changes in the macros used by an actor we refer to as TA530, who we previously examined in relation to large-scale personalized malware campaigns. This new campaign includes new evasive macros and demonstrates continued evolution in their tools and techniques, showcasing attacker adaptation to evolving defenses and the widespread use of sandboxes. |
Carberp | The original version of Carberp was something of a typical Trojan. It was designed to steal users’ sensitive data, like online banking credentials or username-password combinations for other high-value sites. Carberp relayed the information it stole back to a command and control (C&C) server under its creator’s control. Simple and straightforward. The only tricky component was the complicated rootkit functionality, allowing the Trojan to remain unnoticed on the victim’s system. The next generation of Carberp added plug-ins: one that removed anti-malware software from infected machines and another that tried to kill off other pieces of malware should they exist. |
Citadel | The Citadel trojan is a variation of the king of financial malware, Zeus. It emerged, along with a number of other one-off trojans, after the Zeus trojan’s source code leaked in 2011. Citadel’s initial noteworthiness has a lot to do with its creator’s novel adoption of the open-source development model that let anyone review its code and improve upon it (make it worse). |
Neverquest | Despite Japan's isolated adoption of unique and sometimes incompatible technological standards, often described as Galapagosization, the country still seems to be open game when it comes to banking malware. Attacks on online banking are nothing new in Japan, and the country has dealt with several prominent cases in the last year. For instance, Infostealer.Torpplar targeted confidential information that was specific to Japanese online banks and credit cards, and variants of Infostealer.Bankeiya utilized various methods, including zero-day vulnerabilities and exploit kits, to target Japanese users. |
Acecard | It seems that there is now a typical scenario for malware evolution. First cybercriminals release a skeleton with basic functions — that piece of malware behaves quietly, showing almost no malicious activity. Usually it comes to the attention of several anti-virus companies shortly after its release, but the researchers treat it like yet another piece of potentially malicious code: nothing of particular interest. |