SecurityWeek

Malware & Threats

Some Ideas Never Die; the Trojan is Wheeled in Again

The ancient Greeks are credited with many inventions that continue today in some form – the water mill, odometer, alarm clock and cartography, to name a few. As a security professional what comes to mind instantly is the Trojan horse, devised to sneak Greek soldiers behind the walls of the city of Troy and win the war.

A few decades ago, the term resurfaced to describe a type of attack that cyber criminals have used and evolved over time to wreak havoc on financial institutions. Although ransomware and DDoS attacks have captured the attention of the security industry of late, a surge in trojan variants targeting banks across geographies is catching many by surprise.

Banking trojans steal credentials for bank accounts by sitting on a banking customer’s computer until the customer accesses the account. At that point they launch a web injection attack through a man-in-the-browser (MITB) technique, which typically inserts a phishing page or extra form fields into the legitimate session and sends the captured login details to the attacker’s command and control server. The malicious actors behind these attacks take time to learn the banking systems of specific geographies so as to avoid detection and maximize profits. They wring out cash as long as possible before moving on.
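The web injects described above leave two tell-tale marks on the page the customer actually sees: form fields the bank's own login page never had (card number, ATM PIN, secret answer) and a form action that posts somewhere other than the bank's origin. The following page-integrity check is an added example, not code from the article or from any of the malware families it names; the origin `https://bank.example`, the baseline field names, the function names and both HTML samples are constructed for illustration. A real deployment would walk the live DOM from a script served by the bank (or compare a fetched page against a known-good copy server-side); the regex scanner here just keeps the example runnable under Node.

```javascript
// Added example (not from the article): flag the two classic signs of a
// banking-trojan web inject on a login page, so a bank's client-side or
// synthetic-monitoring script can raise an alert before credentials leave.

// Assumed values, constructed for the example.
const EXPECTED_ORIGIN = "https://bank.example";
const BASELINE_FIELDS = new Set(["username", "password", "csrf_token"]);

// Pull each <form> and the names of the <input> elements inside it out of raw HTML.
// A production check would use the live DOM; this scanner is only for the example.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const actionMatch = /\baction\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const fields = [];
    const inputRe = /<input\b[^>]*\bname\s*=\s*["']([^"']+)["'][^>]*>/gi;
    let im;
    while ((im = inputRe.exec(body)) !== null) fields.push(im[1]);
    // A missing action means "post to the current page", which is same-origin.
    forms.push({ action: actionMatch ? actionMatch[1] : "", fields });
  }
  return forms;
}

// Resolve the form action against the expected origin and report whether the
// submission would stay on the bank's own origin.
function isSameOrigin(action, origin) {
  try {
    return new URL(action, origin).origin === new URL(origin).origin;
  } catch {
    return false; // unparseable action: treat as suspicious
  }
}

// Compare every form on the page against the baseline; return a list of findings.
function auditLoginPage(html, origin = EXPECTED_ORIGIN, baseline = BASELINE_FIELDS) {
  const findings = [];
  for (const form of extractForms(html)) {
    const extra = form.fields.filter((f) => !baseline.has(f));
    if (extra.length > 0) {
      findings.push({ type: "unexpected_fields", fields: extra });
    }
    if (!isSameOrigin(form.action, origin)) {
      findings.push({ type: "off_origin_action", action: form.action });
    }
  }
  return findings;
}

// Constructed samples: the clean login form, and the same form after a web
// inject has added card/PIN fields and redirected the submission off-origin.
const CLEAN_HTML = `
<form action="/login" method="post">
  <input name="username">
  <input name="password" type="password">
  <input name="csrf_token" type="hidden">
</form>`;

const INJECTED_HTML = `
<form action="https://bank-verify.example/collect" method="post">
  <input name="username">
  <input name="password" type="password">
  <input name="csrf_token" type="hidden">
  <input name="card_number">
  <input name="atm_pin" type="password">
</form>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("clean page:", auditLoginPage(CLEAN_HTML));     // []
  console.log("injected page:", auditLoginPage(INJECTED_HTML)); // two findings
}
```

The baseline is deliberately a fixed allow-list rather than a deny-list of suspicious names: trojan operators tailor injects per bank, so the only stable reference point is what the bank's own page is supposed to contain.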

To help you assess your digital risk, here are three examples of trojans from 2016 that will likely continue to be active into 2017.

1. Since the discovery of the TrickBot trojan in September 2016, its operators have continued to develop the malware to target new locations and customers of new banks. In October, TrickBot targeted bank customers in Australia and Canada, but throughout the remainder of 2016 both the number of banks affected and the locations of these banks increased dramatically – spreading to the UK, Germany, Singapore and New Zealand, among others.

At this time, TrickBot primarily targets financial services customers in English-speaking countries. Given the number of targets and how quickly TrickBot is spreading across geographies it is likely that the cyber criminals behind these attacks have significant resources at their disposal, including funding, time, and capability. And that capability includes not only development resources but a network of accomplices that make these attacks profitable by doing the leg work to cash out compromised bank accounts. With what appear to be vast resources supporting the operation, it’s likely that TrickBot will continue to penetrate deeper into current target geographies and spread to other regions during the year.

2. GozNym is another banking trojan identified early in 2016. The GozNym attacks started in the U.S. and then shifted to Europe, including 17 banks in Poland and 1 in Portugal. Since the initial reporting on GozNym in April 2016, it has been developed to target new financial institutions and new geographies. Furthermore, the methods it has used, specifically redirection attacks, likely indicate a well-resourced group developing and operating the trojan, given that a fake bank page has to be built for each targeted bank. This heavy investment in advanced capabilities and the rapid evolution of the attacks demonstrate that the bad actors behind these schemes are sophisticated and will likely leverage their investments to target customers in other geographies.

3. A variant of the Zeus trojan, Panda, started by targeting banks in Europe and North America but in mid-2016 spread to Brazil in advance of the Olympic games. Likely in order to take advantage of an influx of visitors engaging in online activity, Panda expanded its scope of targets beyond banks to include online payment providers, prepaid card services, bitcoin exchange platforms and even airline loyalty programs. Panda can inject malicious code into ongoing web sessions to trick users with social engineering, and grabs login credentials on the fly. Its operators make use of an Automatic Transfer System (ATS), which automates typical banking actions like transferring money. Panda has since been discovered targeting banks in the UK and Australia. It remains active and is expected to continue to target these and additional geographies in the coming year.

So how can financial institutions and their customers mitigate digital risk?

• Banks and operators of other online payment systems must remain alert and continue to monitor which geographies are being targeted. Even in regions that have been “safe” to date, it’s likely only a matter of time as these trojans are targeting different geographies in definable waves. In addition, organizations should ensure operating systems, email gateways, and malware detection solutions are up to date and hardened against such attacks.

• Individuals should be reminded not to click on links or attachments in unsolicited emails. Password training will also help, advising users to change credentials frequently and not to reuse corporate credentials for personal activity.

Banking trojans continue to evolve. Adopting increasingly complex techniques, they spread to new regions, incorporate new languages, and target other online payment platforms and services besides banks. If you haven’t had a trojan poised outside your walls, chances are you will. But by understanding your digital risk you can make sure you’re not welcoming it in. 

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.
