Banking Malware & Attack Vectors Outlook For 2020 (Part 1)

29.6.2020 Research

Various types of malware aimed at the finance industry fill the newspaper headline regularly. Threat actors are very active and launching attacks to harm internet users where it hurts the most – on their banking accounts.

Banks around the world have been victimized by malware for more than a decade. In fact, the first financial malware was identified in the year 2007. You may have heard of Zeus and Gozi. These are the oldest banking Trojans from which other variants have been developed over time and always modified to match the modern age.

Apart from these, nowadays, many other existing malware families are infecting both desktop and mobile devices. With an increasing number of mobile app users and financial institutions encouraging clients to use them and proclaiming better safety, less tech-savvy end-users may become an easy victim.

Now, together we will look at the current financial malware trends and outlook for the future.

Trends Among Devices

Mobile Malware on The Rise

It is no secret that Google Play Store is one of the many banking malware sources. Even though all apps undergo rigorous testing and Google is continuously trying to come up with new ways to detect malware among published apps.

Now, Google has changed the way how apps ask Android users for permissions and engaged the Google Play Protect system that analyzes the application’s code and seeking suspicious code and behavior. These measures are failing.

Every day, researches report new harmful apps, and the statistics underline it. The number of mobile app attacks increased significantly in 2019, according to our estimates, by up to more than 50% compared to the previous year. Such a number clearly shows the direction of malware creators. They put their focus on where people really are. Not to their desktops, but their mobile phones mostly.

The current trend shows that the technology landscape is changing every passing year. Within the last 7 years, mobile traffic increased by 222%.   

The last recently introduced protective measure applicable on devices with Google Account enrolled in Advanced Protection will block the majority of non-play apps from being installed on devices. In other words, 3rd party stores are now officially classified as an unreliable source.

In contrast, the interest in the Windows platform is gradually declining, which doesn’t mean the risks have been reduced significantly. Our Security Operations Center, analyzing cyber threats of our bank customers (and their end-users), noticed a growing amount of malicious software targeting MacOS, however, so far, mostly Adware and PUPs.

Multiple Monetization Techniques

The apparent trend is to maximize the monetization of all acquired resources, and we expect these tendencies to increase in 2020 logically. The infected computers become zombies and continue to be exploited by attackers, and among other activities, they are involved in the extraction of cryptocurrencies to a foreign (attacker’s) account.

There is also an increasing number of attacks on users’ crypto wallets and attempts to redirect crypto transactions. Increasingly, ransomware began targeting more significant state and financial institutions where it’s more likely to get a hefty ransom.

We anticipate even more popular ways to steal banking and financial services credentials. With the expansion of new FinTech services, we expect an increased number of attacks and new attack vectors.

Attack on Fintech Platforms

An example of this FinTech oriented trend is the Gustuff banking Trojan, which was seen in the first half of 2019. This Android malware is targeting over 100 classic financial institutions, but also various services such as PayPal or Revolut and doesn’t avoid apps for cryptocurrencies management. Malware with single service focus will soon be gone.

FDS Bypass With Fake Identities

With the gradual deployment of two-factor authentication (2FA), we can predict more attacks held to complete a fraudulent financial transaction successfully.

Cerberus, an active Android banking Trojan can steal one-time authentication codes generated through Google Authenticator. The abused weakness was reported in 2014 and once again in 2017, but it was fixed only this year. Microsoft Authenticator continues to suffer from the same problem and still has not come up with a solution.

Another banking malware, TrickBot, a desktop banking Trojan discovered as a threat to the financial industry back in 2016, collects login data through the web injection method and is responsible for attacking large numbers of banks around the world, it can even steal Bitcoin wallets. TrickBot is recently assisting to app dubbed TrickMo with bypassing 2FA by exploiting accessibility services. TrickMo can intercept SMS, one-time passwords received via push notifications, lock the screen, and prevent the user from accessing the device and giving the malware more time to act on users’ behalf. The last news about TrickMo says that it’s currently being deployed against TrickBot victims in Germany. Modifications for other regions are expected.

Tip: If you are interested in mobile banking threats, you can watch our webinar where Lukas Jakubicek, together with Luca Winter, look under the hood of fraudulent applications and examine real-world examples of mobile attacks.

The webinar shows the most common ways how to get infected by malware, pinpoints how to recognize if you have been compromised, and reveals a typical scenario that today’s mobile malware is using to bypass security measures.

Families overview

Malware Teamwork

Emotet is a standalone botnet capable of dropping additional malware into the system. Originally was used as banking Trojan, but since 2014 developed its skills in many ways. Usually spreads through spam e-mails with malicious attachments, and by using the compromised machine’s Wi-Fi connection, the malware tries to brute-force its way into other password-protected networks nearby. And, of course, to keep pace with current events, since coronavirus pandemic Emotet participates on COVID-19 themed spam (more about COVID-19 threats in our post here).

Emotet has become a dropper of TrickBot – the enemy already mentioned in the previous chapter. TrickBot also knows how to switch off Windows Defender and, apart from the collection of login data, is interested in registry keys or e-mail files. When its job is done and all data collected, it moves to the next stage as TrickBot “opens the door” to 3rd player on the scene – ransomware Ryuk.

We are facing particularly insidious combination most widespread in North America and Europe. Not long ago, the Czech government’s CERT warned against the threat of the malware combination Emotet + TrickBot + Ryuk. It is expected to slowly expand to other continents as the target of its attack changes (an example is the Australian banks’ attack in the second half of 2018).

Trojans Threatening Europe

Europe and Russia are increasingly troubled by a Windows-based Ursnif banking Trojan that steals login credentials and accesses internet banking through webinjection techniques. Over the years, it is continually evolving, although its developer was sentenced to prison. Because Ursnif code has leaked, its components can be found in other banking malware.

For the Android platform, Europe’s most significant threat appears to be the Anubis Trojan, disguised as a legitimate Google Play app. Anubis can control SMS messages, take screenshots and record audio, access contact lists and account credentials, or open URLs. With this complete control over mobile device gains access to a bank account and causes financial loss.

Tip: you can see Anubis fraudulent behavior step-by-step in the youtube video above at 16:49.

We point out that Android malware is little by little, changing its strategy to remain out of suspicion. Legitimate looking apps often act “just” as a dropper and, thanks to permissions given by the user, intend to download other malicious code from another source later, bypassing Google’s control. We expect this strategy to expand in 2020.

From Worm to Trojan-Banker

Last but not least comes into the spotlight Ramnit, Windows platform malware, which first appeared in 2010 and was broken down by Europol in 2015, caused quite a stir on the Asian continent. Now a new variant has emerged. It serves as a botnet and focuses on stealing sensitive data through banking site injection. This kind of data can include anything ranging from banking credentials, FTP passwords, session cookies, and personal data. This time strikes in North America, Europe (Italy, UK), but also in Japan.

Some of these examples above show that the webinject technique is still active and should be further investigated. Recently, a variant of infamous Zeus banking malware, called ZLoader showed that webinjects is always a good tactic when stealing credentials. And as a bonus, ZLoader takes cookies from the victim’s browser with it. Having such data allows ZLoader to eventually connect to the victims’ system remotely (without raising suspicion with a new device), and steal money using stolen credentials.

In ThreatMark, fraud analysts analyze webinjects collected on client’s websites, and they can identify and classify malware on the end-users device. This approach makes no room for any mobile malware to sneak into the device and siphon money.

Technical breakdown

The diagram below shows the most common ways, how you might get infected by malware and what are the consequences.

Banking malware attack landscape
Attack surface schema

In green, initial steps of malware action are indicated. They lead to the “primary effect” with a yellow background and ends with a “secondary effect” ending the attack vector.

In the second part of this article, we will aim at techniques of how the attacker smuggles the malicious content to your computer.

Lukáš Jakubíček
Lukáš Jakubíček  

Pre-Sales Consultant

Working for ThreatMark allows me to use my diverse set of technical and interpersonal skills I have developed for over 10 years working in the IT & Online Marketing Industry. Writing about cyber threats is only one of my duties, most of the time my colleagues and I assist and help our clients to find new and better ways on how to efficiently fight against the online fraud.

Connect me on LinkedIn Send me an e-mail

Luca Winter
Luca Winter  

SOC Analyst

As members of the SOC team, it is our responsibility to make sure our clients’ customers are well protected against various cyberthreats. Taking down malicious websites, analyzing malware, fighting against ongoing attacks - those are all things that keep us busy. Aside from responding to these threats, we also develop tools that aim to detect new threats as soon as they surface online. We’re always trying to be one step ahead of the malicious actors, which means coming up with innovative ways of trying to catch them.

Connect me on LinkedIn Send me an e-mail