At the beginning of June 2014, a large international effort – named Operation Tovar – involving US and European enforcement agencies and security firms worldwide, blocked the spread of Zeus Gameover botnet and managed to control servers that were important for CryptoLocker, the well-known ransomware, which encrypts system files and demands a ransom in exchange for the decryption key.

Gameover Zeus and Cryptolocker are some of the most well-known pieces of malware that target financial data, but there are many other variants and types of credentials stealing Trojans out there that you need to pay attention to.

We organized a list of the most dangerous financial malware out there. Just to make sure you understand our approach and intentions, what you’ll find below is a short presentation for some of the most advanced credential-stealing Trojans on the web.

Nevertheless, you can rest assured that Heimdal Threat Prevention is one of the few security solutions that can protect you from these advanced pieces of malware.

Top 10 Most Dangerous Financial Malware


 1.  Zbot/Zeus

Zeus, also known as Zbot, is a notorious Trojan that infects Windows users and tries to retrieve confidential information from the infected computers. Once it is installed, it also tries to download configuration files and updates from the Internet. The Zeus files are created and customized using a Trojan-building toolkit, which is available online for cybercriminals.

Zeus has been created to steal private data from the infected systems, such as system information, passwords, banking credentials or other financial details and it can be customized to gather banking details in specific countries and by using various methods. Using the retrieved information, cybercriminals log into banking accounts and make unauthorized money transfers through a complex network of computers.

Zbot/Zeus is based on the client-server model and requires a Command and Control server to send and receive information across the network. The single Command and Control server is considered to be the weak point in the malware architecture and it is the target of law enforcement agencies when dealing with Zeus.

To counter this weak point, the latest variant of Zeus/Zbot has included a DGA (domain generation algorithm), which makes the Command and Control servers resistant to takedown attempts. The DGA generates a list of domain names to which the bots try to connect in case the Command and Control server cannot be reached.

Zeus/Zbot, known by many names including PRG and Infostealer, has already infected as many as 3.6 million systems in the United States. In 2009, security analysts found that the Zeus spread on more than 70,000 accounts of banks and businesses including NASA and the Bank of America.

Check out this article for more information about the Zbot/Zeus malware.


2. Zeus Gameover (P2P) (Zeus family)

Zeus Gameover is a variant of the Zeus family – the infamous family of financial stealing malware – which relies upon a peer-to-peer botnet infrastructure.

The network configuration removes the need for a centralized Command and Control server, including a DGA (Domain Generation Algorithm) which produces new domains in case the peers cannot be reached. The generated peers in the botnet can act as independent Command and Control servers and are able to download commands or configuration files between them, finally sending the stolen data to the malicious servers.

Zeus Gameover is used by cybercriminals to collect financial information, targeting various user data from credentials, credit card numbers and passwords to any other private information which might prove useful in retrieving a victim’s banking information. GameOver Zeus is estimated to have infected 1 million users around the world.

Read this article for more info about the Zeus P2P Gameover malware.


3. SpyEye (Zeus family)

SpyEye is a data-stealing malware (similar to Zeus) created to steal money from online bank accounts. This malicious software is capable of stealing bank account credentials, social security numbers and financial information that could be used to empty bank accounts.

This banking Trojan contains a keylogger that tries to retrieve login credentials for an online bank account. The attack toolkit is popular among cybercriminals because it can be customized to attack specific institutions or target certain financial data.

SpyEye is able to start a financial transaction as soon as a targeted user initiates an online operation from his bank account.

Check this article for more information about the SpyEye malware.


4. Ice IX (Zeus family)

Ice IX is a modified variant of Zeus, the infamous banking Trojan, one of the most sophisticated pieces of financial malware out there.

This modified variant is used by cybercriminals with the same malicious purpose of stealing personal and financial information, such as credentials or passwords for the e-mail or the online bank accounts.

Like Zeus, Ice IX can control the displayed content in a browser used for online banking websites. The injected web forms are used to extract banking credentials and other private security information.

Ice IX, the modified version of Zeus, improved a few Zeus capabilities. The most important one is a defense mechanism to evade tracker sites, which monitor at present most Command and Control servers controlled by Zeus.

This article is a good resource to find more information about the Ice IX malware.


5. Citadel (Zeus family)

Citadel appeared after the source code of the infamous Zeus leaked in 2011. Due to its open source character, the software code has been reviewed and improved by IT criminals for various malware attacks.

For cybercriminals, it is an advanced toolkit which they can use to trick users into revealing confidential information and steal banking credentials. The stolen credentials are then used by cybercriminals into accessing online accounts and running fraudulent transactions.

See this article for more information about the Citadel malware. And, if you want, you can also read about its successor, Atmos, which emerged in the first half of 2016.

6. Carberp (Zeus family)

Carberp is a Trojan designed to give attackers the ability to steal private information from online banking platforms accessed by the infected PCs.

This Trojan’s behavior is similar to the other financial malware in the Zeus family and displays stealth abilities from antimalware applications. Carberp is able to steal sensitive data from infected machines and download new data from command-and-control servers.

This Trojan is one of the most widely spread financial stealing malware in Russia. Primarily targeting banking systems and companies which perform a high number of financial transactions, Carberp is not only injecting code into web pages, but it also tries to exploit several vulnerabilities in the target system so as to escalate to administrative privileges.

Distributed through the typical methods of using malicious e-mail attachments, drive-by downloads or by clicking on a deceptive pop-up window, what is different at this financial malware is the high number of legitimate web resources used to collect information and potentially make fraudulent transactions. It is indicated that cybercriminals have deployed botnets on over 25,000 infected machines.

To learn more about the Carperb malware, this is a good resource.

7. Bugat (Zeus family)

Bugat is another banking Trojan, with similar capabilities to Zeus – the notorious data-stealing Trojan – which is used by IT criminals to steal financial credentials.

Bugat targets an infected user’s browsing activity and harvests information during online banking sessions. It can upload files from an infected computer, download and execute a list of running processes or steal FTP credentials.

Bugat communicates with a command and control server from where it receives instructions and updates to the list of financial websites it targets.

The collected information is sent to the cybercriminal’s remote server.

Cybercriminals spread the malware mostly by inserting malicious links in the e-mails they send to the targeted users. When a user clicks a malicious link, he is directed to a dangerous website where the Bugat executable downloads on the system.

For more information about the Bugat malware, check out this article.

8. Shylock (Zeus family)

Shylock is a banking malware, designed to retrieve user’s banking credentials for fraudulent purposes.

As soon as it is installed, Shylock communicates with the remote Command and Control servers controlled by the cybercriminals, sending and receiving data to and from the infected PCs.

Similar to Zeus Gameover, this malware makes use of a (DGA) Domain generation algorithm which is used to generate a number of domain names that can be used receive commands between the malicious servers and the infected systems.

The Trojan is delivered mostly through drive-by downloads on compromised websites and via malvertising, where malicious code is inserted in adverts that are then placed on legitimate websites.

Another popular method of spreading this financial malware is by inserting malicious JavaScript into a web page. This technique produces a pop-up which pushes the user to download a plugin, apparently necessary for the media display on the website.

For more information about the Shylock malware, you can use this resource.

9. Torpig (Zeus family)

Torpig is a sophisticated type of malware program designed to harvest sensitive information, such as bank account and credit card information from its victims.

The Torpig botnet – the network of compromised PCs – which are under the control of cybercriminals are the main means for sending spam e-mails or stealing private information or credentials for the online bank accounts. Torpig also uses a DGA (domain generation algorithm) to generate a list of domains names and locate the Command and Control servers used by hackers.

Users are typically infected through drive-by downloads; a web page on a legitimate website is modified to ask the user for JavaScript code from a web location controlled by the IT criminals. The infected computers run phishing attacks to obtain sensitive data from their victims.

For more information about the Torpig malware, you can read this article.


10. CryptoLocker

This malware encrypts your data and displays a message which states that your private information can be decrypted for a sum of money in a limited period of time. Though CryptoLocker can be removed by various security solutions, there isn’t any way yet to decrypt the locked files.

CryptoLocker is one of the nastiest pieces of malware ever created. It’s not just because it takes money from you or because it can access your private data, but once it manages to encrypt your information, there is no way for you to decrypt those files. This ransomware is so dangerous because the affected users have their private information disclosed (and taken advantage from) and they also lose the files without having any chance of recovering them.

CryptoLocker is a ransomware Trojan which can infect your system in different ways, but usually, this happens through the means of an apparently legitimate e-mail attachment, from a well-known company or institution. Because it spreads through e-mail attachments, this ransomware is known to target companies and institutions through phishing attacks.


How do I stay safe from CryptoLocker?

To stay safe from CryptoLocker, follow these steps:

  1. Install a specialized security solution, such as Heimdal Threat Prevention.
  2. Be careful at the e-mails you receive and don’t download or run e-mail attachments from unknown e-mail senders. Also, don’t click the links in these types of e-mails.
  3. Back up your important documents and files. Create backup copies of your data in multiple locations.
  4. Keep your software up to date, using the latest security patches available.

And there’s more advice in our protection guide against ransomware.

How can Heimdal protect me from CryptoLocker?

Heimdal blocks malicious websites which distribute CryptoLocker by making sure that users do not establish untrusted connections. Heimdal can shield a PC from an attacker’s domain and it can prevent CryptoLocker from downloading its encryption keys, even if a PC has already been infected.

An example of how Heimdal protects users from financially exploiting malware, such as Cryptolocker, can be seen below.

cryptolocker heimdal protection

For more information about Cryptolocker, read this article.

What is the typical spreading method for financial malware?

Most dangerous pieces of financial malware are usually distributed through:

The user receives an e-mail message from a well-known organization with some false banking information attached or with a link included in the e-mail. The system becomes infected when the user clicks the link or downloads the file attached to the e-mail, usually disguised as an important invoice or job offer.

  • drive-by downloads 

A drive-by download occurs when the user visits a website or clicks a deceptive pop-up window.

A diagram on the typical spreading method of financial malware can be seen below:

A diagram on the typical spreading method of financial malware

What does a typical financial attack look like?

We will start from the point where a normal machine is already infected by credentials stealing malware. As we mentioned before, the machine may have become infected through:

  • an e-mail attachment (or an e-mail link)
  • a drive-by download (which occurs when visiting a website)
  • a deceptive pop-up window.

The following steps usually occur in a typical financial attack:

  1. The user accesses his online banking account. The domain is specified in the configuration file downloaded by the malware from the malicious servers controlled by the hackers.
  2. The malware sends a request to the malicious servers controlled by cybercriminals and lets them know the user is trying to access the domain specified in the configuration file.
  3. The malicious server specifies a page on the online banking account – usually the login page – where the attack should occur.
  4. When the user accesses the specified page, the malware sends a request to the malicious server which sends back a modified page into the user’s browser. The modified page should trick the user into believing he enters his credentials in the normal page of the online banking account.
  5. The modified page (the login page in our case) asks for user’s sensitive information, such as credentials for online banking website or the credit card number.

Here’s a diagram for a typical financial malware attack:

Typical financial attack

This is just a typical phishing attack used by IT criminals, but their means and tools vary from stealing the credentials through the classical method of using a keylogger software to withdrawing money directly from the online banking account.

To make sure your system is protected from financial malware, follow these steps and make sure you are using a specialized security solution against data-stealing malware, like Heimdal Threat Prevention.

The easy way to protect yourself against malware
Here's 1 month of Heimdal™ Threat Prevention Home, on the house!
Heimdal™ Threat Prevention Home
Use it to: Block malicious websites and servers from infecting your PC Auto-update your software and close security gaps Keep your financial and other confidential details safe


Download Free Trial

This post was originally published by Aurelian Neagu in August 2014. It was updated by Andra Zaharia in April 2016.

Security Alert New Scylex Financial Crime Kit
2016.08.12 QUICK READ

Security Alert: Scylex Financial Crime Kit, With Zeus-grade Capabilities

Financial Data Protection

15 Steps to Maximize your Financial Data Protection [Updated]

Shopping Online Safely
2015.12.15 SLOW READ

The Ultimate Guide to Shopping Online Safely


It’s a great article.

Epson Printer Offline in Windows on January 28, 2021 at 8:43 am

Your information is very detailed and useful to me, thank you for sharing. I hope you will always be up to date.

Buy modafinil cash on delivery on August 31, 2020 at 2:24 pm

thanks for sharing useful content.Buy modafinil cash on delivery to treat your obstructive sleep apnea

Thanks, This is a great article. It is very useful for readers

Bank account needs to be protected and Good to Link Your Account with Security Email Security Service and OTP Verification.

Your way of explaining the whole thing in this article is truly good, every one can without difficulty
understand it, Thanks a lot.

Thanks for the terrific guide

There is a lot of malware that is available on the society and some of are so dangerous that they can easily infect your system and will totally breaks the internal system.So, my opnion is to install an antivirus on your system to secure your system

There is a lot of malware that is available on the society and some of are so dangerous that they can easily infect your system and will totally breaks the internal system.So, my opnion is to install an antivirus on your system to secure your system

There is a lot of malware that is available on the society and some of are so dangerous that they can easily infect your system and will totally breaks the internal system.So, my opnion is to install an antivirus on your system to secure your system

Protect Your Online Accounts and Other Personal data from spammers.

There is a lot of malware that is available on the society and some of are so dangerous that they can easily infect your system and will totally breaks the internal system.

thanks for sharing useful content.

Very Nice Information thanks for Sharing..

The list of top ten malware is really great. I was actually searching for the same information for my business

There is a lot of malware that is available on the society and some of are so dangerous that they can easily infect your system and will totally breaks the internal system. So, my suggestion is to install an antivirus on your system to secure your system.

There is a new one on the block; Linkedin. Pretends to be a recruiting company for companies rides in on an email then every email sent by the then infected person infects the next computer. All emails are read including ones to banks etc

If you care to email me I can expose to you the complete make up of Linkedin. They are registered in Ireland and

Bank account needs to be protected. Because in now days banks are not save.

Leave a Reply

Your email address will not be published. Required fields are marked *