How A Banking Trojan Does More Than Just Steal Your Money
It can enslave your PC, infect you with more malware and much more
What is a banking Trojan?
After nearly 10 years of warfare and siege, your enemies, the Greeks, want to offer you peace, and as a sign of their goodwill, offer a huge wooden horse as a gift.
What would you, as a Trojan, do at this moment?
a) Ignore the gift. Maybe even burn it.
b) Inspect the horse, maybe see if there’s something in it.
c) None of the above, but instead you bring it into your city with much fanfare and partying.
If you chose C, congratulations, you just allowed a whole bunch of Greeks to come out of the horse at night, assassinate the guards, open the gates, and let their whole army in and destroy your city.
A banking Trojan works along similar principles. It tricks a user into downloading what appears to be a harmless file, which then quietly acts to clean up the victim’s bank account.
There’s a huge amount of money involved
Cybercriminals are interested in this kind of cybercrime because it’s profitable. Very profitable.
Here’s one notorious example: since it was first identified in 2007 and until 2010, the Zeus financial malware managed to steal nearly $100 million.
Meanwhile, Dridex, another pervasive financial malware strain, caused $40 million in damages in 2015 alone.
These numbers have only gone up since then, and will continue to rise as malware creators keep improving their skills while most users still struggle even with the cybersecurity basics.
Companies, educate your employees and especially your CEOs.
Some banking Trojans, such as QakBot (sometimes named Qbot or PinkSlip), are specifically designed to target businesses, particularly high-value ones such as banks or stock brokerages. This kind of malware can even lock users out of Active Directory by bombarding it with too many login attempts.
In the worst-case scenario, a banking Trojan might even infect the CEO of an organization, which would effectively give the attacker access to the company’s accounts. This type of targeted attack is called whaling, and it’s not unheard of for some companies to lose millions as a result.
How does a banking Trojan work?
Although they are primarily designed to steal money, malicious hackers use them for other purposes as well. Oftentimes, Trojans are part of a more complex malware cocktail that can include rootkits, worms or other malware that enslave a computer to a botnet.
How you get infected with a banking Trojan
While not an exhaustive list, the infection methods below are the most widely used ones. Chances are that you’ve been targeted by at least two of these.
1. Social engineering
No antivirus or security solution can protect you from your mistakes. Using social engineering attacks, such as fake social media profiles, vishing, catfishing or any other similar method, an attacker can convince you to click a link or download and open a file.
2. Phishing and spam emails
Phishing is the oldest trick in the book and can be used to spread any type of malware. In a phishing attack, the malicious hacker sends an email to the victim while pretending to be a trusted sender (such as a bank or an online shop). The banking Trojan is attached to this email, and once the victim downloads and opens it, the infection starts.
In other cases, the malicious email will contain a link that redirects the user to an infected website, which automatically infects the victim’s device with the malware.
The image above is a screenshot of a phishing email purporting to come from RBS. Here are just a few of the aspects that give it away as a phishing email:
- The name is wrong: “Royal bank of scotland” instead of “Royal Bank of Scotland”.
- The urgent tone of the email, since the sender wants to compel you to click.
- They claim to be “unable to reach you by phone.”
3. Exploit kits + drive-by-downloads
All the programs you use have security vulnerabilities. That’s a fact. Cybercriminals take advantage of these vulnerabilities by using exploit kits.
An exploit kit is malware a malicious hacker uses to infect a website. The exploit kit scans the computer/device of website visitors, looking for a vulnerability.
Once it finds one, it will exploit that specific vulnerability in order to deliver a banking Trojan.
GozNym stands out for this kind of delivery. Its Nymaim dropper infects a PC and then searches for a vulnerability, after which it drops Gozi, the component responsible for stealing the personal information.
4. Malvertising
Ad networks are responsible for pushing ads to thousands or even millions of users, many of whom actually click on them.
Cybercriminals take advantage of this by infecting the ads, effectively piggybacking on the reach and credibility of the ad network to infect countless users.
Other times, they might set up malicious ads that redirect a user to an infected website or file download.
Ramnit recently used this tactic in a campaign that targeted users in Canada and the UK who visited porn sites. The campaign used pop-under ads, meaning ads that create a separate window from your browser and appear under it.
Fortunately, researchers managed to get in touch with the ad network and inform them of the infection, preventing it from spreading.
5. Macro malware
Macro malware is written in a programming language used in certain software, such as Word or Excel.
This makes them popular among malicious hackers, since many people are fooled by these seemingly legitimate files, open them, and then get infected.
Modern antivirus programs are fairly efficient at finding most macro viruses, but some are sufficiently well designed to stay hidden for longer periods of time, giving them enough time to infect you.
This was another method used by Dridex to spread itself to as many users as possible.
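Modern Office documents are ZIP containers, and a macro project is stored as a member named vbaProject.bin inside them. The following added example (not from the original article, and not Heimdal's code) shows how a mail gateway or a cautious user could triage an attachment before opening it: it looks for that member, and it flags the mismatch case where a file with a macro-free extension such as .docx nevertheless carries VBA. The sample documents are constructed in memory; the VBA bytes are a placeholder, not a real project.

```python
import io
import zipfile


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, optionally carrying a VBA part.

    Real .docm/.xlsm files are ZIP archives; the macro project lives in a member
    such as word/vbaProject.bin or xl/vbaProject.bin. The VBA bytes here are a
    placeholder, not a real project.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA storage")
    return buf.getvalue()


def find_macro_parts(data: bytes) -> list:
    """Names of archive members that hold VBA code, or [] if there are none.

    Returns [] for anything that is not a ZIP container (legacy binary .doc/.xls
    files are OLE2 compound files and need a different parser).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def assess_attachment(filename: str, data: bytes) -> str:
    """Triage verdict for an Office attachment, based on extension plus content."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    macro_parts = find_macro_parts(data)
    if not macro_parts:
        return "no VBA project found"
    if ext in ("docx", "xlsx", "pptx"):
        # A macro-free extension carrying VBA is a mismatch worth quarantining.
        return f"SUSPICIOUS: '{filename}' claims no macros but contains {macro_parts}"
    return f"MACRO-ENABLED: '{filename}' contains {macro_parts}; open only if expected"


if __name__ == "__main__":
    print(assess_attachment("invoice.docm", build_sample_docx(True)))
    print(assess_attachment("invoice.docx", build_sample_docx(True)))
    print(assess_attachment("invoice.docx", build_sample_docx(False)))
```

The check only covers the ZIP-based formats; the older binary .doc and .xls formats store macros in an OLE2 compound file, which is what tools such as olevba from the oletools project parse. Either way, the verdict "macro-enabled" is a reason to confirm with the sender out of band, not a reason to click "Enable content".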
Stealing your money, one account at a time
In most cases, the banking Trojan itself doesn’t steal your money. Instead, it harvests and sends your financial information to the malicious hacker, who then cleans up your bank account.
Here’s a more in-depth look at the methods banking Trojans use to empty your account.
1. Keylogging and form grabbing malware
A keylogger will track your keystrokes and then quietly send that information over to the malicious hacker.
To cut down on excess information and system processing, some keyloggers will only activate once you open up the browser or visit certain websites. In the case of form grabbers, the malware activates when you are filling in a form, and logs its contents, including the URL.
The most famous Trojan of this kind is the Zeus (or sometimes ZeuS/Zbot) malware that first appeared back in 2007.
2. Redirect to a malicious web page
In other cases, the malware will modify some of your browser and internet settings, so as to redirect you from your desired site to a malicious one.
So instead of going to website A, which is your bank’s page, the Trojan will redirect you to website B, which is nearly identical to website A.
In the example above, we have an unusually faithful copy of eBay. The biggest giveaway that the site is fake is the absence of the “Add to cart” button, alongside a couple more missing features.
However, website B is malicious in nature, and everything you type into the forms will be registered into a database. The malicious hacker then uses these credentials to log into your account and plunder it.
Dridex has successfully employed this tactic in its rampage across bank accounts across the world.
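One of the simplest ways for malware to "modify your internet settings" and redirect you is to add lines to the operating system's hosts file, which overrides DNS for the names it lists. The following is an added example (not from the original article, and not Heimdal's code) of a check a defender can run: it parses a hosts file and flags any entry that pins a bank domain you use to an address other than loopback. The hosts file contents and the watchlist are constructed for the example; the 203.0.113.0/24 range is reserved for documentation and is not a real attacker address.

```python
import ipaddress
import os

# Constructed watchlist: the registrable domains of the banks you actually use.
WATCHED_DOMAINS = ("bankofamerica.com", "example-bank.test")

# Constructed sample hosts file. Lines 5 and 6 are the kind of entry a
# redirecting Trojan adds: the bank's name pinned to an attacker-chosen IP.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
# added by "nobody in particular"
203.0.113.45  www.bankofamerica.com
203.0.113.45  bankofamerica.com
0.0.0.0       ads.example
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Entries that pin a watched domain (or a subdomain of it) to a non-local address."""
    flagged = []
    for lineno, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue   # 127.0.0.1 / ::1 / 0.0.0.0 entries block a name, they don't redirect it
        for domain in watched:
            if name == domain or name.endswith("." + domain):
                flagged.append((lineno, name, str(ip)))
                break
    return flagged


def system_hosts_path():
    """Location of the live hosts file on Windows or a Unix-like system."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    for lineno, name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} is pinned to {ip}")
    # To check the real file: suspicious_entries(open(system_hosts_path()).read())
```

The hosts file is only one of several places a redirect can be planted; proxy settings, DNS server settings and browser extensions are others, and a man-in-the-browser injection that rewrites the page after it loads leaves no trace here at all. A clean hosts file is therefore a necessary check, not a sufficient one.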
3. Document scanning
Some people still keep their passwords and usernames in a simple text document. To steal these, some malware will scan the victim’s hard drive, looking for files with interesting keywords (such as “passwords”, “accounts”, etc). It will then read those files and send the information over to the cybercriminal.
The Ramnit malware was known to effectively use this method.
4. Screen capturing and recording
This method is employed in case the victim uses software that bypasses physical typing on keyboards, such as password managers or even some virtual keyboards specifically designed to combat keyloggers.
How the Trojan stays hidden and evades capture
In order to be effective, a banking Trojan has to be able to infect and stay hidden on your computer for a longer period of time. After all, depending on your purchasing habits, you might not log into your account for weeks or even months at a time. For this reason, the malware must stay hidden.
- Dormant capabilities and hiding in other files
One particularly insidious way for malware to infect you is to hide in seemingly harmless files, such as images. For instance, you receive an actual JPEG through an email, and at first glance it looks legitimate. But malicious hackers add extra code to the JPEG, which belongs to the malware itself.
Once you open the photo, the code executes, and you get infected.
Below is the bitmap of a photo. A bitmap, in essence, is a map of all the bits of information that make up a photo.
The image file contains all the bits that correspond to the actual image. The malware config portion of the second image holds the data the malware carries along with it.
Many security solutions track down malware by analyzing its behavior. If the solution identifies suspicious patterns, such as keylogging or hidden data transfers, it labels the software as malware, which the antivirus then tries to eliminate. This is called heuristic analysis and is one reason why you sometimes get false positives, since some legitimate programs have malware-like behavior.
To work around this, a Trojan might use a technique called obfuscation, which greatly complicates the source code so that the antivirus can’t figure out what the malware is doing.
- Rootkits and deep infections
Rootkits are some of the nastiest kinds of malware out there. They excel at staying hidden and unreachable to regular antivirus programs by infecting very deep layers of your PC, which most security solutions don’t have system privilege to access.
These deep layers give the rootkit extensive privileges which allow it to hide the Trojan from the eyes of antivirus and other security solutions, making it nearly undetectable.
Signs you may be infected with a banking Trojan
A banking Trojan infection has fewer symptoms than other kinds of malware because it’s in the malicious hacker’s interest to make the malware as lightweight as possible to avoid suspicion. Nevertheless, here are a few telltale signs:
- Performance slowdowns
Even the lightest malware requires processing power for it to track your keystrokes or scan the computer for relevant files. The performance hit will be even more apparent if the Trojan does a secret video recording of your activity.
In addition, malware isn’t as well optimized as legitimate programs, so conflicts with other legitimate programs and processes are certainly possible and will continue to slow down your PC.
- Slower Internet Speeds
Malware that only tracks your keystrokes or scans other files will barely leave a trace in your Internet speeds, since the packets of information they send can be as small as a few kilobytes.
However, video recorders require much more traffic to send information due to the large file sizes involved.
At the same time, some Trojans are part of a bigger malware cocktail that also enslaves your PC and uses its resources to fuel a botnet.
Once your PC is part of the botnet, it too will become a tool to further spread malware. It’s a vicious cycle of infection and reinfection.
- You can’t change your settings or they constantly revert
Malware that redirects you to certain websites really wants to make sure you actually go visit those websites. To this end, they prevent you from changing or resetting the redirection settings.
If you sense your computer doesn’t follow your commands, and has a life of its own, then consider you might suffer a malware infection.
- Everything seems to be running just fine
It’s possible that the malware won’t leave any trace of its activities on your computer, and so everything seems to be running as usual.
As Keyser Soze in the film The Usual Suspects so eloquently put it:
“The greatest trick the Devil ever pulled was convincing the world he didn’t exist.”
To make sure you aren’t infected with a Trojan, we suggest you periodically scan your computer with an antivirus and other security solutions.
How the money is extracted
Once an account has been compromised, the malicious hacker will proceed to extract the money from it, using one of several methods.
1. Money Mules
These are collaborators of the malicious hacker, who open up accounts in their own name. The cybercriminal then sends your money to this money mule, and the money mule in turn forwards it to the cybercriminal.
In most cases the money mule lives in another country, so trying to prosecute him is a complex undertaking. This discourages the victim from seeking punishment and reparations.
2. Money laundering through Bitcoin or other cryptocurrencies
Cryptocurrencies such as Bitcoin or Ether are a major reason why ransomware has exploded in popularity in the past 2-3 years. That’s because they make it easy to conduct transactions while staying anonymous.
While not impossible to trace, tracking down someone who uses Bitcoin is an uphill battle.
3. Dark web marketplaces
Sometimes, the malicious hacker who steals your account information isn’t the one who ends up emptying your bank account.
Instead, it’s possible he will try to sell your information on the dark web, an underground portion of the Internet that sells illegal materials and products such as drugs, child pornography and in our case, sensitive online information.
This is exactly the situation we’ve encountered with the Jaff ransomware, which would sell encrypted user information on a dark web marketplace.
4. Direct transfers to overseas banks
Sometimes, the malicious hacker will simply transfer the money from your account to another one in a foreign country. Just like in the money mule scenario, he will hope that the great distances involved will discourage you from legally pursuing him.
And even if you do try to prosecute the fraudsters, there’s a high chance your case will get buried by other high profile ones.
For example, the UK’s Serious Fraud Office won’t even consider cases in which the victim lost less than £100,000. Sometimes, even cases that are around the £1 million figure aren’t investigated. This is because they concentrate all their efforts on the big fish, the cases involving £10 million or more.
This is because investigating fraud is expensive and time consuming. It took law enforcement agencies nearly 4 years to take down the Avalanche botnet and involved officials from over 30 countries. That’s just one crime ring. Smaller ones are even harder to track since there’s even less evidence.
The most frequent types of banking Trojans
1. Zeus, also known as ZeuS or Zbot
This is the most widespread financial malware of its kind. It was first discovered in 2007, which also makes it one of the oldest still in active use. According to Kaspersky’s statistics, nearly 45% of financial malware infections can be attributed to Zbot.
Primarily, Zeus will steal your credentials by using its built-in keylogger. The malicious attacker can configure the malware so that it activates only when you visit certain websites, such as www.bankofamerica.com. For all other websites, it stays inactive. This allows the cybercriminal to geotarget his attacks, since most countries only have a few major banks.
On older versions of Windows, such as Windows XP, Zeus can steal the confidential information, such as site passwords and usernames, stored in the Protected Service area of your hard drive.
In addition, Zeus also allows the attacker to download further malware on your computer.
In 2014, a botnet based on a variation of this malware named ZeuS Gameover was taken down following Operation Tovar, to which Heimdal Security also contributed.
2. Nymaim
Not financial malware per se, but a malware dropper. In other words, Nymaim will infect your computer and then act as a gateway for other kinds of malware.
Thanks to its versatility and advanced stealth capabilities, Nymaim is very popular among cybercriminals, so much so that it had a 29% share of all banking Trojan infections, second only to Zeus.
A recent development has seen the mixing of Nymaim with the Gozi Trojan, creating the GozNym malware.
Basically, Nymaim’s advanced stealth capabilities allow it to unload Gozi on the victim’s computer, while Gozi does the actual information stealing.
3. Dridex
Dridex is a distant relative of Zeus/Zbot. For a while, it seemed the malware had become dormant, with no new attacks attributed to it. In early 2017, however, it came back to life, and doesn’t seem to be going away any time soon.
Dridex spreads using phishing emails with a malicious Word or Excel file attached. Macro malware within these files then starts the infection process.
Once established on your PC, Dridex uses its capabilities to do one or all of the following:
- Steal your confidential information using keylogging.
- Redirect you to fake websites that can harvest your information.
- Enslave your PC into a botnet.
- Download additional malware onto your PC.
- Upload any information it collected to the Command and Control center.
Due to its versatility, Dridex has been used numerous times, and we’ve often written about it in our security alerts. In one of our most recent ones, Dridex attacked UK users by sending phishing emails with fake invoices.
In another case, Dridex spread using a large spam campaign.
4. Gozi
Gozi is one of the oldest kinds of financial malware out there. It was first spotted in 2007, and its source code has leaked twice over the years. Other cybercriminal groups have used the leaked source code to create variants of their own. Such was the case with the GozNym malware, when the creators of Nymaim mixed it with Gozi.
Gozi spreads in a number of ways, such as phishing emails, malicious links or drive-by-downloads.
Once on your PC, it identifies when you’re conducting financial transactions on certain websites and then injects code in real-time that will hijack your session.
Gozi will then feed you false information to complete a financial transaction, after which you will be redirected to a fake page that requests your security key in order to finalize it. The money is then sent to an overseas money mule account.
To put it simply, Gozi will trick you into making a payment to another account.
5. Dyre
Dyre is a financial malware that exploded onto the scene in 2014 and stole tens of millions of dollars in under two years.
Its creators, however, were caught, and for a time, Dyre became dormant.
Recent developments, however, have seen the Dyre malware repurposed and renamed, such as TrickBot.
Dyre and its variants employ much the same methods as other banking Trojans: redirection, keylogging, man-in-the-browser attacks that intercept your data and also web page injections.
How banking Trojans are evolving
Banking Trojans are evolving to take advantage of the latest technological advances and economic trends.
Mobile banking Trojans
Cybercriminals have moved on with the times, and now target smartphones and tablets as well, which we increasingly use to conduct our financial business.
In 2015, only 8% of financial malware targeted mobile users. In 2016, that proportion was 36%. And when we say mobile users, what we really mean is Android users. For the most part, iOS users are clear of this threat. For now, at least.
Mobile banking malware commonly infects users in two ways:
1. Apps installed from unauthorized sources (in other words, not Google Play).
2. Infected apps on the Google Play Store that escaped the vetting process.
Mobile banking Trojans use some distinctive methods that take into account this particular medium:
- They hide text messages. Most online payments require two-factor authentication, so the malware hides the verification message to not alert you as the cybercriminals steal your money.
- A fake banking app that will mimic the original app. It steals your credentials as you try to log in.
A more worrying development is that cybercriminals now include ransomware into the package. So not only will you risk losing your money, but also the data you have on your phone/tablet.
Combining mobile banking Trojans with ransomware
As if banking Trojans on already insecure mobile phones wasn’t enough, malware creators have recently added ransomware functions to mobile Trojans, in an attempt to extract more money from the victims.
The Tordow and Faketoken malware work this way, encrypting any file whose extension matches the list their encryption routine targets.
Banking Trojans and botnets
Most banking Trojans come as part of a botnet. This provides the infrastructure required for malicious hackers to distribute the malware to thousands or even millions of users.
Integrating the banking Trojan into a botnet maximizes the effectiveness of the malware itself. It allows the malicious hacker to keep coming back to the PC, infecting it with new kinds of malware, and more importantly, enslave it into the botnet.
The bigger the botnet, the more profitable the operation, since it can then be used to commit a huge amount of cybercrimes: click fraud, DDoS attacks, cryptocurrency mining and much more.
Spreading outside the English language
Initially, most financial malware targeted English users since those were primarily the wealthiest victims and also because of its international reach.
In recent times, cybercriminals have translated and targeted users from a specific country or using a particular language.
This increasing localization trend is likely to continue for the foreseeable future.
The malware-as-a-service trend
In the past, cybercriminals would simply download a stand-alone malware kit and then use it as many times as they wished.
But now, malware creators have switched to distributing their creations as a service. This means they effectively rent their product to the cybercriminals who use it, in exchange for a share of the stolen money.
How to protect yourself against a banking Trojan
So, in simple words, banking Trojans are bad, very, very bad. But, a few easy steps should help to significantly narrow down the window of opportunity for you to be infected.
1. Keep your software updated
If there’s one piece of advice you should follow to improve your cybersecurity, then it should be to update your software. Timely updates fix a significant number of vulnerabilities and bugs in software. Thus, exploit kits and malware designed to take advantage of these aren’t able to infect you anymore.
Outdated software essentially acts like a zero-day vulnerability.
One study found that organizations with computers that run an outdated OS were three times more likely to suffer a data breach, while those that had computers with outdated browsers were twice as likely.
2. Learn how to spot phishing emails and don’t click strange links
Phishing emails are one of the main methods cybercriminals use to spread malware and scam users. Knowing how to spot a phishing email is critical, and will instantly cut down on the odds of you getting compromised.
We recommend you check out this in-depth article of ours that goes through everything you need to know about phishing emails.
3. Use a password manager
Since most banking Trojans primarily use keylogging to steal your passwords and login information, bypassing the need to physically type in your credentials will render the keylogger nearly useless.
A password manager works by storing your password once, and then autofilling it each time you want to access a certain website, without actually typing anything.
4. Install an antivirus and other security solutions
Antivirus programs have received a bad rap lately. Newer generations of malware are sophisticated and come with advanced stealth methods to avoid detection, pushing antivirus programs to the limits of their abilities.
Even so, having a good antivirus can still make the difference between a clean computer, and an infected one.
To see which antivirus you should purchase, we recommend you check out our in-depth article on how to find the best antivirus.
5. Use a traffic filtering solution to prevent infections and data leakage
Traffic filtering software scans the incoming and outgoing traffic to your computer, searching for hidden malware and preventing it from reaching your computer in the first place. This gives it an edge over traditional antivirus programs, which work by eliminating threats that already exist on your computer.
Besides blocking incoming malware, a traffic filtering solution will scan your outbound traffic, making sure it isn’t leaking information to a malicious server. This means that a traffic filter will block a banking Trojan from communicating your personal details to the cybercriminal.
Our own Heimdal PRO is a traffic filter that is up to the task, and then some.
And not only will it monitor your traffic and shield you from the worst threats out there, but it will also automatically update your software, so you don’t have to. All done silently, and effectively.
6. Use a safe browser when doing online shopping or online banking.
Traditional browsers come with numerous security vulnerabilities that are well documented, both by malware researchers and creators.
This means cybercriminals have the expertise required to hack into these browsers and get their hands on your information.
One solution is to use specialized secure browsers created by trustworthy companies, such as:
These can help you significantly reduce your exposure to cyber attacks that target your financial information and keep you safe during financial transactions.
7. Learn how to spot a fake website
Despite careful preparation, it’s possible you might still be redirected to a fake banking website. At this point, your last line of defense is your own wits and your ability to differentiate between the copy and the original.
Here’s what you should look out for:
- Bad English.
- All banking websites come with HTTPS certification to improve security. Cybercriminals, however, don’t bother with this step.
- Look at the URL structure. A dead giveaway is if the name of the link is wildly different than what it should be. So if you’re browsing www.bankofamerica.com but the link structure is different from this, such as www.herdex78958.com, then you should close that website as quickly as possible.
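The URL check above can be made precise. The following added example (not from the original article, and not Heimdal's code) takes a URL and the bank's real registrable domain and decides whether the host actually belongs to that domain. It goes a little beyond the article's www.herdex78958.com case and also catches the two classic tricks a lookalike uses: placing the bank's name as a subdomain of the attacker's domain (www.bankofamerica.com.herdex78958.com) and placing it before an "@" so that it is parsed as user info rather than as the host. The bank domain and URLs are the article's own examples; the expected-domain argument is an assumption you supply.

```python
from urllib.parse import urlsplit


def check_bank_url(url: str, expected: str):
    """Decide whether `url` really belongs to the bank whose registrable domain is `expected`.

    Returns (ok, reason). The host is checked first, because that is what an
    attacker actually controls; a lookalike host with a valid certificate still
    shows a padlock, so HTTPS alone proves nothing about who you are talking to.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected.lower()
    if not host:
        return False, "no host in URL"
    belongs = host == expected or host.endswith("." + expected)
    if not belongs:
        if parts.username is not None:
            # https://bankofamerica.com@herdex78958.com/ : the text before '@'
            # is user info, not the host
            return False, f"'{parts.username}' before '@' is not the host; real host is {host}"
        if expected in host:
            # https://www.bankofamerica.com.herdex78958.com/ : the bank's name
            # is just a subdomain label of someone else's domain
            return False, f"lookalike: '{expected}' appears inside the host but the real domain is not {expected}"
        return False, f"host {host} is not {expected}"
    if parts.scheme != "https":
        return False, "host is right but the connection is not HTTPS"
    return True, f"host belongs to {expected} over HTTPS"


if __name__ == "__main__":
    for u in ("https://www.bankofamerica.com/login",
              "http://www.bankofamerica.com/login",
              "https://www.bankofamerica.com.herdex78958.com/login",
              "https://bankofamerica.com@herdex78958.com/login",
              "https://www.herdex78958.com/"):
        print(u, "->", check_bank_url(u, "bankofamerica.com"))
```

The check compares against a domain you already know, which is the only reliable anchor: reading the URL by eye fails precisely on the lookalikes above. A bookmark to the bank's real login page gives you the same guarantee without any code.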
8. Use any security features your bank offers
Banks have no interest in letting you get hacked. Especially if the money involved is credit card money, since it’s technically the bank’s money.
As such, banks come with many security measures you should consider activating, such as:
- Account alerts. These notify you of any changes that take place in your bank account, such as withdrawn or deposited money, access of the account and so on.
- Set up a backup email for your account. This is a different email than the one used to register your account, and serves as a backup in case something bad happens to your registration email.
- Add biometrics to your security measures. Normally, we are skeptical about the security of biometrics such as fingerprints, but remote malware attackers have almost no way of obtaining these. As such, they are a good additional option to secure your account whenever possible.
- Hardware security tokens. These function like an authenticator app. Basically, in order to complete a transaction, you need to enter the temporary security code presented on the token. The token doesn’t communicate over the Internet, and the security code changes every few minutes.
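The reason a hardware token (or an authenticator app) can work without ever talking to the Internet is that both the token and the bank derive the code from a shared secret and the current time. The following added example (not from the original article, and not Heimdal's code) implements that scheme, time-based one-time passwords as standardised in RFC 6238 on top of RFC 4226 HOTP, including the server-side verification that tolerates a little clock drift. The step length is a parameter; the article's "every few minutes" and the common 30-second default are both just choices of that value. The secret used is the RFC's published test-vector secret, not a real credential.

```python
import hmac
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), "sha1").digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (what the token shows)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check that accepts codes from `window` steps either side of now."""
    counter = unix_time // step
    for drift in range(-window, window + 1):
        candidate = hotp(secret, counter + drift, digits)
        if hmac.compare_digest(candidate, code):   # constant-time comparison
            return True
    return False


# Shared secret from the RFC 6238 test vectors (used here only as sample data;
# a real token's secret is provisioned once and never leaves the device).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("code shown on the token right now:", totp(RFC_SECRET, now))
    print("accepted by the server:", verify_totp(RFC_SECRET, totp(RFC_SECRET, now), now))
```

One caveat that matters for banking Trojans specifically: a code like this proves you hold the token, but says nothing about the transaction you are approving. That is exactly the gap Gozi exploits when it shows you a fake page and asks for your security key. Tokens and apps that fold the amount and destination account into the code (transaction signing) close it, so prefer that option when your bank offers it.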
How to remove banking Trojans
Removing malware is a complex process, and warrants an article of its own. For this reason, this section will only treat the problem in broad strokes. However, we have written a full on guide on malware removal, which we highly recommend.
Depending on what kind of Trojan you’re infected with, clean up can either be a hassle or a breeze.
Here are some of the malware cleaners that will come in handy:
In addition, antivirus products also come with malware removal features.
In particular, we suggest you check and double check to be sure you don’t have any rootkits. If the banking Trojan came alongside a rootkit, then the infection might run very deep into your computer. For this reason, we suggest you check out the Rootkit removal section from this article.
Also, be sure to reset your settings and clear any potential redirects that might have been left over after you cleaned up the malware.
Of all the malware out there, banking Trojans have the potential to be the most damaging to the individual user, even more so than ransomware.
To make matters worse, the most insidious versions don’t just want your money, but also your entire PC and every kind of personal information they can gather about you.
Think about all the times you have done an online transaction. Were you ever worried someone might have intercepted your passwords and credit card data? Or do you know someone who actually went through this?
Leave us a comment with your experiences about this kind of threat!