Connect with us

Hi, what are you looking for?



Banking Trojan Infections Plummeted 73% in 2015

Financial Trojan detections have registered a 73 percent drop in 2015 when compared to the previous year, a new report from Symantec reveals.

Financial Trojan detections have registered a 73 percent drop in 2015 when compared to the previous year, a new report from Symantec reveals.

According to the security firm, while detections have dropped significantly, the threat is still active and Trojans are becoming more advanced in terms of their capabilities. Furthermore, the company says that cybercriminals are increasingly targeting financial institutions via malware or through business email compromise (BEC) scams.

Symantec’s Financial threats 2015 whitepaper reveals that the primary distribution vector for financial fraud malware is via malicious attachments in spam email, and that adversaries continued to use Office documents containing malicious macros as droppers in 2015. 

Fortunately, Microsoft this week announced a new macro blocking feature in Office 2016 designed to counter the use of malicious macros to deliver malware.

Zeus (also known as Trojan.Zbot) was the malware responsible for the largest number of financial Trojan detections last year, with just under one million. However, it showed a significant drop from the 4 million infections registered in 2014, a continuation of a trend observed before, which suggests that criminals are moving to more current, financial malware families.

The drop in Zeus infections is said to be the result of a takedown operation conducted in 2014, similar to what happened in November 2015 with the Dyre group. Following law enforcement actions, the Dyre botnet has remained inactive, yet a similar operation conducted against Dridex in October was unsuccessful, with the Trojan achieving high infection rates only one month later.

In fact, the report also reveals that Dridex/Cridex, the second most used financial Trojan, more than doubled the number of infections year-on-year in 2015, while Dyre, the third in line, dropped to nearly half of them. Last year, Dridex targeted a total of 315 different institutions and was most active in May and June.

A total of 547 institutions in 49 countries were targeted by no less than 656 financial Trojans in 2015, Symantec’s report reveals. According to the security company, the average number of targeted organizations per sample was 93 in 2015, which marked an increase of 232 percent over the previous year.

Advertisement. Scroll to continue reading.

The two most targeted banks were located in the United States, being attacked by 78.2 percent and 77.90 percent of all analyzed Trojans, respectively. Next in line are two banks in the United Kingdom, with 69.36 percent each, followed by a US financial service group with 69.05, and another UK bank, with 68.45 percent of malware targeting it.

However, the geographical distribution of financial Trojans shows that banks in other countries are targeted as well, including Spain, Russia, Canada, Switzerland, Australia, Ireland, Germany, and India. In fact, while the US was the most targeted country, Germany and India came on the second and third positions, respectively, followed by Japan and the United Kingdom.

Some of the analyzed threats had a narrow geographical focus and were not distributed internationally, Symantec said. Such is the case with Shifu, which was found mainly in Japan last year, although it infected a very small number of computers in the UK, USA, and other countries as well. Shifu targeted a total of 16 financial institutions last year, Symantec says.

To increase their effectiveness, threat groups also started targeting mobile phone users, perfecting their malware to circumvent two-factor authentication systems to ensure successful credential theft. The Bankosy Trojan for Android is one such example, as it was designed to make even 2FA systems that use voice calls ineffective.

Cybercriminals behind financial Trojans used multiple attack methods, ranging from man-in-the-browser attacks to redirections, the whitepaper reveals. In terms of infection vectors, malicious emails (which included Office documents containing malicious macros as attachments) were preferred the most, followed by drive-by download sites, social engineering, and supply chain hacks, the whitepaper also reveals.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...