Banking Trojans are a type of malware frequently used to steal sensitive information such as banking credentials. To do so, attackers normally inject malicious code into a website or a device; the code is frequently delivered through phishing emails.
Due to their high profit potential, they are constantly being updated and upgraded by skilled hackers in order to thwart detection systems. Though the attack technique has been around for many years, fraudsters always have a new trick up their sleeve. Here are some of the most powerful attacks seen in 2018 so far.
- Fileless Malware
One of the most prominent trends this year is the use of the “file-less” technique. In a normal attack, malware is injected into a device by writing files to the machine’s disk. In file-less attacks, malicious code is injected directly into the device’s memory.
In recent cases identified by Cyxtera researchers, banking Trojans have used the Windows registry to store portions of the payload, so that the main file reads the payload from the registry and runs it directly in the device’s memory, making it significantly harder to track. This technique is not completely new, but its use in banking malware has grown exponentially over the past year as attackers realize its effectiveness at evading detection.
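One defensive check that follows from this description is to look for registry values that are far larger and more random-looking than ordinary configuration data. The following is an added example, not Cyxtera's own tooling: the key paths, value names, thresholds and sample data are constructed for illustration.

```python
import base64
import math
import string

# Thresholds are assumptions chosen for this example, not figures from the original post.
MIN_PAYLOAD_BYTES = 4096   # ordinary configuration values are rarely this large
ENTROPY_THRESHOLD = 6.0    # bits per byte; text sits well below, packed/encrypted data near 8
BASE64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_base64(data: bytes) -> bool:
    """True for ASCII data drawn entirely from the base64 alphabet with base64 block length."""
    return len(data) % 4 == 0 and all(chr(b) in BASE64_ALPHABET for b in data)

def classify_value(key: str, name: str, data: bytes):
    """Return a reason string when a value looks like a stored payload fragment, else None."""
    if len(data) < MIN_PAYLOAD_BYTES:
        return None                      # small values are ignored regardless of content
    if looks_base64(data):               # encoded text hides entropy, so check the alphabet first
        return f"{key}\\{name}: {len(data)} bytes of base64-like text"
    ent = shannon_entropy(data)
    if ent >= ENTROPY_THRESHOLD:
        return f"{key}\\{name}: {len(data)} bytes, entropy {ent:.2f} bits/byte"
    return None

def find_payload_like_values(values):
    """Run classify_value over (key, name, data) tuples and keep the hits."""
    return [r for r in (classify_value(*v) for v in values) if r]

# Constructed sample of registry values. In a real check these would come from a live hive
# or an exported .reg file; none of these paths or names are indicators from the post.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_VALUES = [
    (RUN_KEY, "OneDrive", b'"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    (r"HKCU\Software\ConstructedVendor", "Stage1", base64.b64encode(bytes(range(256)) * 20)),
    (r"HKCU\Software\ConstructedVendor\Cache", "Chunk0", bytes(range(256)) * 40),
    (r"HKCU\Software\ConstructedVendor\Buffer", "Padding", b"\x00" * 8192),
    (r"HKCU\Software\ConstructedVendor\Recent", "Items", b'{"recent": "C:\\\\Users\\\\user\\\\doc.txt"}, ' * 120),
]

if __name__ == "__main__":
    for hit in find_payload_like_values(SAMPLE_VALUES):
        print("suspicious:", hit)
```

Only the two constructed payload-like values are reported; the normal autorun entry, the zero-filled buffer and the large but low-entropy text value pass.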
- Zero-Day Exploits
Zero-day exploits are a real-life nightmare – not just for companies, but for all users around the globe, as they allow cyber-criminals to exploit unpatched vulnerabilities across operating systems and software. In the banking malware sector, we have seen a huge growth in the use of zero-day exploits, specifically in the first stage of an infection. For example, a major phishing campaign earlier this year exploited a zero-day vulnerability in Microsoft Word, pushing the Dridex banking malware into the machines of unsuspecting users.
- Botnets Entering Banking, and Emergence of New Botnet Families
Botnets are the perfect example of benign, useful technologies turned into something malicious – many botnets undoubtedly have endless capabilities that can be easily modified by attackers for nefarious purposes. It's not new to see a botnet with the ability to run banking malware, as in the case of the 8-year-old Zeus family of malware.
What is new in 2018, however, is not only the growth of malicious banking functionalities within older families of botnet malware but also the emergence of new families of botnets adding more and more banking-related features and stealth techniques.
- An Uptick in New Capabilities
Old-school banking malware operated in a very simple way—DNS infections, screen overlays, etc. Nowadays, due to increased security and device protections, we see banking malware still using the same techniques but in a much more advanced way. Further, attack creators are adding increasingly sophisticated functionalities.
QakBot is the prime example of this: the Trojan has worm capabilities that allow it to spread via USB devices, and it is responsible for several account lockouts on Active Directory servers across various companies. In order to keep pace with the rise of security protections on most devices, attackers are evolving their traditional banking malware strategy and adding new, advanced functionalities.
- Mobile Malware
The use of banking applications on mobile devices has grown exponentially in recent years, driven by the ease of checking one’s balance, making a transaction or even paying a bill. Nowadays, we have several advanced protections in desktop environments, and even so, malware often goes unnoticed and succeeds in infection. Given that the smartphone market is younger, malware’s success rate in this sector is even higher, since mobile device protections are simpler and not yet as advanced. Therefore, we can see—and increasingly expect—the growth of mobile malware aimed at stealing sensitive information from mobile devices.
Protecting Against Banking Trojans
A holistic, robust security plan is the best way to ensure that your organization and its end users are not vulnerable to malware attacks. Follow these tips to increase your protection:
- Implement a strong email authentication protocol, such as DMARC, to ensure that malicious emails (potentially carrying banking Trojan malware) are unable to reach inboxes.
- Employ effective endpoint and browser detection and protection.
- Always keep systems and devices updated. No matter the device, whether desktop or mobile, keeping all operating systems, software, and apps updated will prevent known vulnerabilities from being exploited.
- 2FA on everything: One of the biggest nightmares is data leakage. A good way to prevent undue access to leaked accounts is by enabling two-factor authentication (2FA). That is, even if credentials are available on the internet, no one will be able to access the account unless they also have access to the device that performs the final authentication.
This blog was produced in collaboration with malware analysts Felipe Duarte and Julian Isaza.