Ransomware Fades as Cybercriminals Teach Old Banking Trojans New Tricks


Ted McKendall

A new report reveals the continued renaissance of the banking Trojan, with criminals employing a plethora of new tools and tactics for maximum impact. So is your organization protected?

In its latest quarterly report, cybersecurity firm Proofpoint found that banking Trojans accounted for 42 percent of all analyzed attacks in Q2 this year, far ahead of ransomware at just 11 percent.

Given the continued FBI warnings on ransomware – and the high-profile attacks of 2017 by the WannaCry, NotPetya and BadRabbit variants – that may come as a surprise, but the stats show that ransomware has become just another item in hackers’ rotating toolkits rather than the attack of choice.

While ransomware activity has dropped, the humble banking Trojan continues to be a persistent adversary, accounting for the vast majority of all malicious messages. Banking Trojans remained the top payload in the second quarter of 2018 by a significant margin, exceeding the next largest category, downloaders, by 17 percent. The research also found that banking Trojans are quickly evolving, resulting in a wide array of Trojan strains.

New Targets, Mobile and Cryptocurrency Show Changing Tactics

This report — along with others that have been released recently — indicates that the resurgence of the simple banking Trojan may be down to new tools and tactics.

Typically, the banking Trojan’s strategy is to convince targets to download malware through a fake link or piece of software, which is why Trojans so often spread through phishing and spear-phishing emails. For example, the malicious link may direct a user to a genuine-looking banking login page, and it is there that criminals steal the credentials used to access bank accounts.

But, according to recent reports, changes are afoot. Heimdal Security notes that attackers are increasingly developing banking Trojans to target corporations specifically, with one strain, QakBot, going after banks and stock brokerages. Trojans also now occasionally embed cryptocurrency mining software and add-on modules that let the attackers steal cryptocurrency.

While the cryptocurrency features are about maximizing profits, the other new tactics indicate a surge in efforts to improve Trojans’ evasion and infection capabilities. For instance, we recently discussed how Kronos has been revived as Osiris and now uses Tor to obfuscate its C&C server, while a separate report from Kaspersky has revealed a huge spike in mobile Trojans: over 60,000 were spotted in Q2 alone.

It’s no surprise, then, that Check Point’s survey in June revealed banking Trojans have increased their global impact by 50 percent, with two Trojan malware families entering the firm’s latest Global Threat Index Top 10 Most Wanted Malware.


How Banks Can Respond

Part of the problem with banking Trojans is the relative ease with which they can be created and distributed. They are relatively easy to write, or to purchase on the dark web, and to distribute to end users through compromised web pages or phishing campaigns. As such, it’s little surprise that most criminal groups are still using banking Trojans; for instance, the group behind the Emotet Trojan, first discovered back in 2014, is still believed to be active today.

At Trusted Knight, we believe that banking Trojans are still omnipresent because they exploit built-in security flaws in the Windows operating system, even though Microsoft has taken some steps to tighten security in recent years. However, unmanaged user behavior remains a challenge for endpoint security because businesses cannot control it, and many financial firms sadly still accept such attacks as the cost of doing business.

So how do you protect yourselves?

Technologically, the most logical solution is to take the fight away from the user device and onto a battleground where banks have the advantage. It is not possible to stop all user devices from being infected with malware, but if organizations can protect the transaction sessions, they can stop credentials from being taken in any useful form. In short, businesses should focus on stopping what the malware is trying to do, rather than eradicating the malware itself.
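One way to make a stolen session or password useless, in the spirit of the approach described above, is to bind each transaction’s one-time approval to the exact payment details the bank showed the customer out of band, and to recompute that binding server-side on the final submission. The following is an added illustration written for this article; it is not Trusted Knight’s code and does not describe how Protector Air works. It assumes the bank has an out-of-band channel (such as a mobile-app prompt) on which to display the details and an HMAC-derived confirmation code; the account numbers, key and clock values are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real deployment keeps this in an HSM or key management service.
SERVER_KEY = b"constructed-demo-key-not-for-production"
CODE_DIGITS = 8
CHALLENGE_TTL_SECONDS = 120


def canonical_tx(tx):
    """Fixed-order serialization so the code is derived over exactly the displayed details."""
    fields = [tx["from_account"], tx["to_account"], str(tx["amount_cents"]), tx["currency"]]
    return "|".join(fields).encode()


def derive_code(key, nonce, tx):
    """Short numeric confirmation code bound to a single nonce and a single transaction."""
    mac = hmac.new(key, nonce + b"\x00" + canonical_tx(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)


class TransactionAuthorizer:
    """Server-side state for pending transfers; nonces are single-use and time-limited."""

    def __init__(self, key=SERVER_KEY, now=time.time):
        self._key = key
        self._now = now
        self._pending = {}  # nonce -> expiry timestamp

    def issue_challenge(self, tx):
        """Called when the browser submits a transfer. The returned text and code go to the
        customer out of band, so they approve the details the bank actually received."""
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = self._now() + CHALLENGE_TTL_SECONDS
        display = f"Pay {tx['amount_cents'] / 100:.2f} {tx['currency']} to {tx['to_account']}?"
        return {"nonce": nonce, "display": display, "code": derive_code(self._key, nonce, tx)}

    def confirm(self, nonce, code, submitted_tx):
        """Recompute the code over what the browser finally submitted; any change to the
        destination or amount after the customer approved it makes the code invalid."""
        expires_at = self._pending.pop(nonce, None)  # pop makes replay impossible
        if expires_at is None or self._now() > expires_at:
            return False
        expected = derive_code(self._key, nonce, submitted_tx)
        return hmac.compare_digest(expected, code)


def run_scenarios():
    """Exercise the legitimate flow and the failure modes a banking Trojan would cause."""
    clock = [1_700_000_000.0]  # constructed fixed clock so expiry is deterministic
    auth = TransactionAuthorizer(now=lambda: clock[0])
    intended = {"from_account": "GB00DEMO0001", "to_account": "GB00DEMO0002",
                "amount_cents": 12_500, "currency": "GBP"}

    # 1. Legitimate: the submitted transaction matches what the customer approved.
    ch = auth.issue_challenge(intended)
    legit = auth.confirm(ch["nonce"], ch["code"], intended)

    # 2. Destination swapped in the final request after the customer typed the code.
    ch = auth.issue_challenge(intended)
    swapped = dict(intended, to_account="GB00MULE0009")
    mitb_swap = auth.confirm(ch["nonce"], ch["code"], swapped)

    # 3. Captured nonce and code replayed after a successful confirmation.
    ch = auth.issue_challenge(intended)
    auth.confirm(ch["nonce"], ch["code"], intended)
    replay = auth.confirm(ch["nonce"], ch["code"], intended)

    # 4. Stolen code used after the challenge window has closed.
    ch = auth.issue_challenge(intended)
    clock[0] += CHALLENGE_TTL_SECONDS + 1
    expired = auth.confirm(ch["nonce"], ch["code"], intended)

    return {"legit": legit, "mitb_swap": mitb_swap, "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(run_scenarios())  # expected: legit True, the other three False
```

The point of the design is that the code is worthless on its own: it is tied to one nonce, one time window and one set of payment details, so a Trojan that captures the customer’s password and the code, or that rewrites the destination inside the browser after approval, still cannot push the altered transfer through. Monitoring the rate of failed confirmations per customer is a useful detection signal for endpoints that are already infected.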

Trusted Knight’s Protector Air does precisely that – it is a cloud-based solution that defeats customer-side malware, prevents web application exploitation, and stops transactional fraud. Click the links below to find out how we can help you eradicate banking Trojans as an issue once and for all.
