Banking Malware

Name / Status

The “Silent Night” Zloader/Zb

ZeuS is probably the most famous banking Trojan ever released. Since its source code leaked, various new variants are making the rounds. In the past we wrote about one of its forks, called Terdot Zbot/Zloader.

ACTIVE

EVENTBOT

The Cybereason Nocturnus team is investigating EventBot, a new type of Android mobile malware that emerged around March 2020. EventBot is a mobile banking trojan and infostealer that abuses Android’s accessibility features to steal user data from financial applications, read user SMS messages, and steal SMS messages to allow the malware to bypass two-factor authentication.

ACTIVE

Gozi

Also known as Ursnif, Gozi is one of the oldest banking trojans. To put it simply, Gozi tricks users into completing financial transactions in accounts that aren’t theirs. It’s been around since 2007 and, as one of the original banking trojans, has caused millions of dollars in damages. In 2010, the Gozi source code was leaked, which led to the creation of several different versions of the malware.

ACTIVE

Tinba

Also known as Tiny Banking Trojan, Tinba was first discovered in the wild in 2012 when it was found to have infected a number of computers in Turkey. It is the smallest banking trojan known, consisting only of a 20 KB file. It typically runs geo-specific campaigns, though it varies its regions. Tinba’s code was first leaked in 2014 and proved to be a useful resource for malware researchers to analyze.

ACTIVE

Vawtrak

Also known as Neverquest or Snifula, Vawtrak is a descendant of the Gozi banking trojan. First discovered in 2013, Vawtrak was active in geographically targeted campaigns and employs a Cybercrime-as-a-Service business model. This is not unique to Vawtrak, as other trojans, including Gameover Zeus, also use this business model. Instead of selling the malware outright, Vawtrak’s authors offer malware delivery based on a service agreement. For example: a number of passwords stolen from X number of users, using bank Y in country Z.

ACTIVE

Emotet

This malware was first identified by security researchers in 2014 as a simple banking trojan. Later versions of the malware evolved and included the addition of malware delivery services, including the ability to install other banking trojans. In August 2017, Emotet was connected to another banking trojan, Dridex—Emotet “dropped” Dridex as an additional payload. The technique of using one piece of malware to drop another is not new, but it is significant to see banking trojans “working together.” As of September 2018, Emotet was utilizing the EternalBlue Windows vulnerability (first seen with the WannaCry ransomware) in order to propagate.

ACTIVE

Kronos

Kronos is known in Greek mythology as the “Father of Zeus.” Kronos malware was first discovered in a Russian underground forum in 2014 after the takedown of Gameover Zeus. It was more expensive than many other banking trojans, costing $7,000 to buy outright or $1,000 for a one-week trial. Many other banking trojans could be bought from underground forums for hundreds, not thousands, of dollars. Kronos marketed itself as one of the most sophisticated trojans, and many malware researchers commented that its author(s) clearly had prior knowledge of malware techniques. The code is well obfuscated using many different techniques.

ACTIVE

Dridex

First seen in 2011, Dridex has had a longer evolutionary journey than most malware families and has survived through the years by obfuscating its main command-and-control (C&C) servers through proxies. Dridex’s first appearances in September 2011 came under the name Cridex. It caused destruction to banks until June 2014 when Dridex version 1.1 appeared in the wild. Dridex emerged almost exactly one month after Operation Tovar’s takedown of the Gameover ZeuS botnet, which also marked the end of Cridex attacks.

ACTIVE

DanaBot

One of the newer banking trojans, DanaBot first emerged in mid-2018, targeting Australian users. Since it first appeared in the wild, DanaBot has been seen targeting European banks and email providers. Like many other banking trojans, DanaBot has recently shifted focus away from exclusively targeting financial services institutions for a number of reasons. Since users often share passwords across platforms, compromising credentials is still useful for many cybercriminals.

ACTIVE

Ramnit

This unique banking trojan started out in 2010 as a worm and, sometime after the Zeus source code leak, acquired parts of the Zeus code and became a banking trojan. Ramnit has continued to evolve in terms of sophistication, technique, and scope as a botnet since becoming a banking trojan. It remains active despite a shutdown of 300 command-and-control servers in February 2015. After this setback, Ramnit reappeared in late 2015 and again in mid-2016. In early 2017, F5 Labs published a technical article breaking down Ramnit’s new disappearing configuration file. Like many other banking trojans, Ramnit has broadened its scope in recent years.

ACTIVE

Panda

Yet another Zeus variant, Panda was first discovered in Brazil in 2016, around the time of the Olympic games. Panda uses many of the traditional techniques from Zeus, including man-in-the-browser (MITB) attacks and keylogging, but sets itself apart through its advanced stealth capabilities. This has made analyzing the malware more difficult. As of 2017, Panda was able to detect 23 forensic analysis tools, and it is possible that it now detects even more.

ACTIVE

Backswap

A variant of Tinba, Backswap was first observed in March 2018 targeting Polish banks and browsers. Backswap is written entirely in assembly language and is considered “position-independent code” (PIC), which means that it can be run from anywhere in memory. Its PIC status makes Backswap very different from other banking trojans. The Polish CERT published a comprehensive technical analysis of the code. Backswap quickly expanded scope in April 2018, adding additional banks and techniques thoroughly detailed by F5 Labs. The evolution of techniques continued through August 2018, when Backswap also made a geographical shift away from Polish banks to exclusively target Spanish banks.

ACTIVE

Zbot/Zeus

Zeus, also known as Zbot, is a notorious Trojan which infects Windows users and tries to retrieve confidential information from the infected computers. Once it is installed, it also tries to download configuration files and updates from the Internet. The Zeus files are created and customized using a Trojan-building toolkit, which is available online for cybercriminals. Zeus has been created to steal private data from the infected systems, such as system information, passwords, banking credentials or other financial details, and it can be customized to gather banking details in specific countries and by using various methods.

ACTIVE

Zeus Gameover

Zeus Gameover is a variant of the Zeus family – the infamous family of financial stealing malware – which relies upon a peer-to-peer botnet infrastructure. This network configuration removes the need for a centralized Command and Control server; it also includes a DGA (Domain Generation Algorithm) which produces new domains in case the peers cannot be reached. Peers in the botnet can act as independent Command and Control servers, exchanging commands or configuration files among themselves and finally sending the stolen data to the malicious servers.

 

Ice IX

Ice IX is a modified variant of Zeus, the infamous banking Trojan, one of the most sophisticated pieces of financial malware out there. This modified variant is used by cybercriminals with the same malicious purpose of stealing personal and financial information, such as credentials or passwords for the e-mail or the online bank accounts. Like Zeus, Ice IX can control the displayed content in a browser used for online banking websites. The injected web forms are used to extract banking credentials and other private security information.

 

Bugat

Bugat is another banking Trojan, with similar capabilities to Zeus – the notorious data-stealing Trojan – which is used by IT criminals to steal financial credentials. Bugat targets an infected user’s browsing activity and harvests information during online banking sessions. It can upload files from an infected computer, download and execute a list of running processes or steal FTP credentials. Bugat communicates with a command and control server from where it receives instructions and updates to the list of financial websites it targets. The collected information is sent to the cybercriminal’s remote server.

 

Shylock

Shylock is banking malware designed to retrieve users’ banking credentials for fraudulent purposes. As soon as it is installed, Shylock communicates with the remote Command and Control servers controlled by the cybercriminals, sending and receiving data to and from the infected PCs. Similar to Zeus Gameover, this malware makes use of a domain generation algorithm (DGA), which is used to generate a number of domain names that can be used to exchange commands between the malicious servers and the infected systems.

ACTIVE

Torpig

Torpig is a sophisticated type of malware program designed to harvest sensitive information, such as bank account and credit card information from its victims.

The Torpig botnet – the network of compromised PCs under the control of cybercriminals – is the main means for sending spam e-mails or stealing private information or credentials for online bank accounts. Torpig also uses a DGA (domain generation algorithm) to generate a list of domain names and locate the Command and Control servers used by the attackers.

 

CryptoLocker

This malware encrypts your data and displays a message which states that your private information can be decrypted for a sum of money in a limited period of time. Though CryptoLocker can be removed by various security solutions, there isn’t any way yet to decrypt the locked files. CryptoLocker is one of the nastiest pieces of malware ever created. It’s not just because it takes money from you or because it can access your private data, but once it manages to encrypt your information, there is no way for you to decrypt those files.

 

Retefe

The Retefe banking Trojan has been around for some time, targeting Sweden, Switzerland and Japan, as previously reported by Paloalto Research.
We recently noticed Retefe campaigns targeting UK banking customers. Using fake certificates, the Trojan is designed to trick victims into giving up their login credentials and other sensitive information.

 

Dreambot

One of the most active banking Trojans that we have observed recently in email and exploit kits is one often referred to as Ursnif or Gozi ISFB [6]. Thanks to Frank Ruiz from FoxIT InTELL, we know that the actor developing one of its variants since 2014 has named this variant Dreambot. The Dreambot malware is actively evolving, and recent samples in particular caught our attention for their addition of Tor communication capability, as well as peer-to-peer (P2P) functionality. Dreambot is currently spreading via numerous exploit kits as well as through email attachments and links.

 

TrickBot

In November 2015, the Dyre banking trojan seemingly disappeared overnight, surprising security researchers worldwide. Months later it was announced that Russian authorities had arrested most of the gang responsible for its operations. Prior to that, it was a relatively rare act for Russian authorities to take action in such matters. Since then, nothing has been heard from those actors, but the speculation was that some of the programmers and other elements of the criminal operation would be subsumed into other cybercriminal operations.

ACTIVE

Asacub

Kaspersky Lab discovered Asacub, a banking trojan which started actively attacking Android users in January. Our experts managed to track its evolution step-by-step.

 

GozNym

In the PC world, a Trojan horse is malicious code hidden inside a harmless-looking piece of content or program. Trojans can be very creative in camouflaging themselves in almost any piece of data or file. It could be an EXE installation file, a media codec, a smartphone app or even a Web page. And this is not everything. Other common places where this type of malware likes to hide are image files, sound files, office documents, or online games. With such a great variety, users are easily tricked into clicking an infected file, which usually installs malware that starts to operate in their system immediately.

ACTIVE

Dyre

Threat actors regularly develop new Trojan horse malware to fuel their operations and to ensure the longevity of their botnets. After the takedowns of the Gameover Zeus and Shylock botnets, researchers predicted that a new breed of banking malware would fill the void. In early June 2014, the Dell SecureWorks Counter Threat Unit™ (CTU™) research team discovered the Dyre banking trojan, which was being distributed by Cutwail botnet spam emails that included links to either Dropbox or Cubby file storage services.

ACTIVE

Gugi

Almost every Android OS update includes new security features designed to make cybercriminals’ life harder. And, of course, the cybercriminals always try to bypass them. We have found a new modification of the mobile banking Trojan, Trojan-Banker.AndroidOS.Gugi.c, that can bypass two new security features added in Android 6: permission-based app overlays and a dynamic permission requirement for dangerous in-app activities such as SMS or calls. The modification does not use any vulnerabilities, just social engineering.

 

Luuuk

Stealing more than half a million euro in just a week – it sounds like a Hollywood heist movie. But the organizers of the Luuuk banking fraud pulled it off with a Man-in-the-Browser (MITB) campaign against a specific European bank. The stolen money was then automatically transferred to preset mule accounts. When GReAT discovered Luuuk’s control panel it immediately got in touch with the bank and launched an investigation.

 

Lurk

Perhaps the biggest problem with cybercriminals is that they are extremely difficult to catch. Think of a real-life bank robbery with guns and face-masks — the thieves leave fingerprints; their voices are recorded by security cameras; police can trace their cars using traffic cameras; and so on. All of that helps the investigators find the suspects. But when cybercriminals pull off a robbery, they leave … basically nothing. No clues.

 

Tiny Banker Trojan

Tiny Banker Trojan, also called Tinba, is a malware program that targets financial institution websites. It is a modified form of an older class of malware known as Banker Trojans, but it is much smaller in size and more powerful. It works by carrying out man-in-the-browser attacks and network sniffing. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC and Bank of America. It is designed to steal users’ sensitive data, such as account login details and banking codes.

 

Zeus

Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009.

ACTIVE

Dridex virus

Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word. The targets of this malware are Windows users who open an email attachment in Word or Excel, causing macros to activate and download Dridex, infecting the computer and opening the victim to banking theft.

 

SpyEye

The SpyEye trojan was supposed to be the banking trojan that would come to compete with Zeus. In the end, SpyEye was like all the men said to be heirs to Michael Jordan’s greatness. They had hype, they had potential, but they couldn’t take down the king. Zeus is the king, no doubt, but SpyEye made a fast disappearing splash.

ACTIVE

Snifula

For years now, malware has attempted to evade detection by security software using many different methods. Functions such as ending processes and services and deleting files and registry keys related to security products are commonly included in many of today’s malware. We recently noticed a simple, but interesting, trick used in an attempt to prevent the installation of a security product.

 

Ursnif

This week Proofpoint researchers observed several noteworthy changes in the macros used by an actor we refer to as TA530, who we previously examined in relation to large-scale personalized malware campaigns. This new campaign includes new evasive macros and demonstrates continued evolution in their tools and techniques, showcasing attacker adaptation to evolving defenses and the widespread use of sandboxes.

ACTIVE

Carberp

The original version of Carberp was something of a typical Trojan. It was designed to steal users’ sensitive data, like online banking credentials or username-password combinations for other high-value sites. Carberp relayed the information it stole back to a command and control (C&C) server under its creator’s control. Simple and straightforward. The only tricky component was the complicated rootkit functionality, allowing the Trojan to remain unnoticed on the victim’s system.

ACTIVE

Citadel

The Citadel trojan is a variation of the king of financial malware, Zeus. It emerged, along with a number of other one-off trojans, after the Zeus trojan’s source code leaked in 2011. Citadel’s initial noteworthiness has a lot to do with its creator’s novel adoption of the open-source development model that let anyone review its code and improve upon it (make it worse).

ACTIVE

Neverquest

Despite Japan's isolated adoption of unique and sometimes incompatible technological standards, often described as Galapagosization, the country still seems to be open game when it comes to banking malware. Attacks on online banking are nothing new in Japan and the country has dealt with several prominent cases in the last year. For instance Infostealer

 

Acecard

It seems that there is now a typical scenario for malware evolution. First cybercriminals release a skeleton with basic functions — that piece of malware behaves quietly, showing almost no malicious activity. Usually it comes to the attention of several anti-virus companies shortly after its release, but the researchers treat it like yet another piece of potentially malicious code: nothing of particular interest.