The Evolution of Banking Trojans

Present-day criminals needn't hack high-end bank vaults or engage in credit card skimming to steal money. While undoubtedly benign and useful on the whole, the rapid rise of advanced IT solutions over the past few years has a flip side: it allows threat actors to take their tactics a notch further.

In domains where much of the interaction between an organization and a customer has migrated online, simply using malware suffices to do more damage than any type of physical breach. For example, banking Trojans are currently at the forefront of assaults targeting users’ bank accounts, causing multi-million dollar losses across the globe annually.

What is a banking Trojan and how has this form of malicious code evolved over time? Essentially, it is a data stealer whose modus operandi involves a great deal of social engineering. In the past, felons would simply pull off phishing frauds to dupe gullible users into disclosing their payment card credentials on rogue login pages. Accessing a victim’s e-banking account and pilfering funds from it is elementary in this scenario.

Later on, financial institutions started adopting obligatory two-factor authentication as an extra layer of defense, so scammers had to add new techniques to their repertoire. That’s when banking Trojans entered the game. Arriving at computers mostly via malicious spam, exploit kits or replicas of official software, these perpetrating programs can capture keystrokes, display genuine-looking popup forms, use web injects and reroute victims’ traffic to phony pages.

According to the latest Quarterly Threat Report released by the cybersecurity firm Proofpoint, 33% of all malicious spam emails in Q1 2017 delivered banking Trojans, an 8% increase compared to 2016. In other words, these campaigns are rising sharply.

Furthermore, in response to banks implementing the above-mentioned two-factor authentication, proprietors of financial fraud campaigns have added SMS interception modules to their arsenal in order to circumvent the new obstacle. This allows the malicious programs to capture and redirect login authentication codes to remote attackers so that they can gain access to victims’ bank accounts anyway.

Here’s a rundown on some of the top banking Trojans to date:

Zeus
Also known as Zbot, this one was first spotted in the wild back in 2006, and it’s still up and running a decade later, accounting for 28% of all present-day banking Trojan attacks. The tactic of Zeus and its spinoffs, Citadel and Atmos, revolves around keylogging and injecting rogue HTML objects into legitimate banking websites. The infection is distributed via phishing and drive-by downloads.

Gozi
Although Gozi, or Ursnif, is one of the oldest banking Trojans out there (discovered in 2007), it keeps wreaking havoc now in 2017. Moreover, cybercriminals behind it release regular updates of the malicious code to enhance its functionality and make it a moving target. The latest tweak has allowed Gozi to fly under the radar of sandboxing tools and mimic genuine user behavior. The Trojan is making the rounds via spear-phishing and links leading to hacked WordPress sites.

Dridex

The timeline of this perpetrating program dates back to 2014. It quickly gained momentum in the banking malware arena owing to the use of the Necurs botnet for propagation. The volumes of phishing emails carrying Dridex can reach millions per day. The tactic of this Trojan mostly boils down to redirecting victims' web traffic to fake banking pages.

Ramnit
This financial malware has gone through several ups and downs since its emergence in 2010. At the early stage of the Ramnit campaign, its proliferation was backed by a botnet consisting of more than 3 million compromised machines. European law enforcement was able to take down its C2 infrastructure in the course of a well-orchestrated operation in 2015. However, the Trojan resurfaced a year afterward with attacks targeting US, Canadian, UK, Australian, and Finnish banks. The main incursion vector involves exploit kits, such as Angler EK.

GozNym
GozNym is a destructive fusion of the above-mentioned Gozi Trojan and a malware downloader dubbed Nymaim. It gained notoriety in 2016 when cyber crooks leveraged its malicious capabilities to steal $4 million from more than 20 US and Canadian banks in 3 days. GozNym propagates via phishing emails that dupe recipients into opening Word documents with malicious macros on board.

The most disconcerting aspect of banking Trojans' evolution, though, is that these threats are increasingly targeting mobile users. The reason is clear: more and more people opt to use their smartphones and other mobile gadgets to shop online, and perpetrators follow that trend closely.

Android infections from this species have been gaining traction so rapidly in 2017 that they are shaping up to be a game changer in the entire financial malware ecosystem. Mobile banking Trojans tend to trigger bogus overlays of popular mobile payment apps, including Android Pay. As a victim is entering their credit card information in these phishing screens, the Trojan intercepts and covertly sends it to the malicious operator.

Some mobile banking malware samples are more intelligent and effective than desktop counterparts because their impact isn’t restricted to targeting e-banking applications alone. These pests additionally zero in on credentials for social media apps so that the felons can make more victims by sending booby-trapped files to their contacts on social networks.

A lot of mobile banking Trojans have diversified their portfolio over time by displaying counterfeit overlays on top of apps used for ordering various services online, such as ones designed to book hotels and even pay traffic tickets. For example, the Android Trojan called Faketoken employs man-in-the-middle techniques to pilfer payment card details from taxi-booking and ride-hailing apps. To add insult to injury, this strain also goes equipped with a ransomware component capable of encrypting data on infected devices.

Overall, the modus operandi of mainstream Android banking Trojans boils down to imitating the interfaces of popular apps that accept user payments. They contaminate devices via email, text messages, malicious advertisements, and programs downloaded from third-party app stores.

To avoid financial malware targeting desktop and mobile devices, be sure to install applications only from reputable sources, refrain from opening suspicious emails, do not enable macros in Word documents received via email, and use a reliable, up-to-date security suite.
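The macro-laden Word attachment used by GozNym, and the advice above not to enable macros in emailed documents, both rest on a check that a mail gateway or analyst can automate: an Office document is a zip container, and a VBA project inside it shows up as a `word/vbaProject.bin` part and as a `macroEnabled` content type in `[Content_Types].xml`. The following Python script is an added example, not code from the article or from any vendor mentioned in it; the sample documents it inspects are constructed in memory, and the `inspect_office_attachment` function and its finding strings are this example's own design.

```python
import io
import zipfile
from typing import Dict, List

# Real OOXML content types (these strings are standard, not invented here).
DOCX_MAIN_CT = ("application/vnd.openxmlformats-officedocument"
                ".wordprocessingml.document.main+xml")
DOCM_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"

# Magic bytes: OOXML files are zips ("PK"), legacy .doc files are OLE2 compound files.
ZIP_MAGIC = b"PK"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def build_sample_document(with_macros: bool) -> bytes:
    """Constructed test fixture: a minimal Word-style zip, optionally carrying a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        main_ct = DOCM_MAIN_CT if with_macros else DOCX_MAIN_CT
        zf.writestr(
            "[Content_Types].xml",
            '<Types><Override PartName="/word/document.xml" '
            f'ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE2 stream; placeholder bytes suffice here.
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


def inspect_office_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Return findings describing whether an attachment carries (or may carry) VBA macros.

    The verdict is driven by the file's content, not only by its extension, so a
    macro document renamed to .docx is still flagged.
    """
    findings: List[str] = []
    name = filename.lower()

    if name.endswith(MACRO_EXTENSIONS):
        findings.append("macro-enabled extension")

    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in OLE streams, which needs a dedicated
        # parser; treat it as needing manual review rather than guessing.
        findings.append("legacy OLE2 container, requires deeper VBA stream analysis")
        return {"filename": filename, "suspicious": True, "findings": findings}

    if not data.startswith(ZIP_MAGIC):
        findings.append("not an OOXML zip container")
        return {"filename": filename, "suspicious": bool(findings), "findings": findings}

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append("corrupt zip container")
        return {"filename": filename, "suspicious": True, "findings": findings}

    parts = zf.namelist()
    if any(p.lower().endswith("vbaproject.bin") for p in parts):
        findings.append("embedded VBA project (vbaProject.bin)")

    if "[Content_Types].xml" in parts:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", errors="ignore")
        if "macroEnabled" in content_types:
            findings.append("macro-enabled content type declared")

    # A plain .docx extension hiding macro parts is the classic evasion of naive filters.
    if name.endswith(".docx") and findings:
        findings.append("extension/content mismatch: .docx carries macros")

    return {"filename": filename, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for fname, flag in (("invoice.docx", True), ("report.docx", False)):
        print(inspect_office_attachment(fname, build_sample_document(flag)))
```

The check is cheap enough to run on every inbound attachment; a hit on a renamed `.docx` is a stronger signal than a plain `.docm`, because benign senders rarely disguise macro documents that way.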

Guest article written by: David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures. Contact: Google+, Twitter, Facebook, LinkedIn.