Cybercriminals almost always want your money. In the last few years, ransomware that encrypted data was a popular way to get victims to give the criminals money but that still involves the victims choosing to pay. Much more straightforward to just take the money from the victims’ bank accounts directly.

Most of the malware that is currently spread in Switzerland is spread through so-called malspam, that is, through spam e-mails that cause malware to be downloaded onto the victim’s computer. Many of these e-mails pretend to come from a trusted company or even federal offices, with the latter tactic rising in popularity particularly starting in 2017. It is therefore even more important than ever that one is careful when opening e-mails and attachments and to never allow macros to run in Office documents from such an attachment.

It is difficult to exactly measure how widespread any given malware is, as they do not conveniently answer questionnaires. Various companies and government agencies attempt to track malwares however and based on this data, this list represents the currently most relevant banking trojans in Switzerland.

Retefe

Retefe has been targeting Switzerland for years and does not show any signs of slowing down. Originally it simply manipulated the infected system’s DNS settings and installed a local root certificate, enabling it to man-in-the-middle attack any website but over the years it has become slightly more sophisticated. It still works in a very simple fashion, as that makes it hard to distinguish from legitimate modifications of the system, hiding it from antivirus software. Retefe installs a Proxy Auto-Configuration (PAC) and TOR (or uses TOR-to-web proxies), so that it can intercept and modify traffic to the targeted banks for infected users. Starting in 2017, Retefe added some capability to spread through the local network after infecting a computer by using the EternalBlue exploit, as well.

Another capability that distinguishes Retefe from other trojans is that there is an Android component as well, which users are prompted to download and install on their mobile phone and allows Retefe to intercept SMS-based mTANs. From that point on, the criminals have complete access to the victim’s bank account.

Dridex

Similarly, Dridex has been around for years and uses a similar technique to lure the infected user to a fake website. Instead of manipulating the DNS settings directly, Dridex uses DNS Cache Poisoning, however. Once on the fake website, which is made to look exactly like the original bank website, the user is prompted to log in and through additional injections is delayed long enough for the command-and-control server to check the credentials in real time. Another attack that Dridex attempts is to look for offline payment software, which companies commonly use to transfer large batches of payments to banks, and download additional malware payloads to target this software.

Ursnif / Gozi ISFB

Ursnif, also known as Gozi or Gozi ISFB is another of the usual suspects, having been around since 2009 at least. It injects itself into explorer.exe and uses named pipes (with random names) to communicate with browsers. Being built in a modular fashion, Ursnif can use multiple techniques to attack its victims. It can, for example, open a VNC connection when the user visits a certain website, allowing an attacker to watch and extract additional information. On top of spreading through malspam, Ursnif last year began to spread through malvertising, manipulated ads in online search engines that lead to infected downloads of Java or Firefox. Like Dridex, Ursnif also looks for offline payment software to attack.

Zeus and Zeus Panda

Zeus and its Panda variant also use a wide variety of methods to reach their goals. Logging keystrokes, screenshots, running a VNC client and, in newer versions, infecting phones to intercept two factor authentication are all techniques that Zeus employs. They also inject themselves into legitimate processes and hook Windows APIs, in order to manipulate browsers. Panda adds more man in the browser capabilities, including injecting overlays into websites and the ability to steal the user’s clipboard.

One of the social engineering tricks that Zeus Panda uses to get the user to reveal their credentials is to warn them that their bank account will be restricted because someone erroneously transferred money to their account and that they would have to return that money manually to lift the restrictions.

TrickBot

TrickBot targets banks with webinjects, like several others. However, it also looks to steal information from other sources like e-mails and using the Mimikatz tool to steal other credentials. On top of that, it spreads laterally through infected networks using the EternalBlue and EternalRomance exploits, reinfecting cleaned computers as long as there is an infected system and the vulnerabilities are not fixed. If all of that weren’t enough, TrickBot also targets Bitcoin wallets.

Once running, TrickBot hides itself with a technique called process hollowing. TrickBot creates a suspended process and then replaces the memory allocated to that process with memory containing code that TrickBot uses. Once that is done, the process is resumed and executes.

Ramnit

Ramnit modifies existing files on the system in order to achieve persistence but the main thing that sets it apart from others in this list is that it will scan the infected computer for credentials stored in plaintext files.

BackSwap

The newest trojan in this list, BackSwap is hard to detect and defend against, as it simulates user input and keystrokes and uses those to manipulate the victim’s browser. The way it manipulates the browser is also novel, as it uses javascript: URLs to inject Javascript directly. The manipulations it performs are not novel, however, and work similar to what Zeus and others do. Interestingly, BackSwap is often hidden in modified versions of legitimate applications, including several that are used only by technical users, like OllyDbg, 7Zip or DbgView.

emotet

If all those separate strains and tricks weren’t enough, it’s not unusual for these malwares to cooperate. Emotet, a banking trojan and information stealer in its own right, has been combined with Dridex, TrickBot, Zeus and others and it is not the only malware that has been observed cooperating. There have been examples of three malwares working together on a victim system, combining their capabilities to generate more revenue for the criminals running these trojans.

This seems to be part of a trend where the creators of malware no longer operate them themselves and instead rent or sell them to other criminals who then run the malspam and malvertising campaigns to spread the malware. The malware creators are more insulated from the risk of discovery and prosecution, allowing them to work on their code for longer and likely improving the code quality of malware.

Defending against banking malware

Of course, it is also important to talk about how to protect yourself against attacks by banking malware. The first step is keeping your software updated. Almost all of the malware requires an exploit somewhere in their way of functioning and by regularly patching your software and OS you minimize the chance of such an exploit being present on your system.

The second best defense is being careful and suspicious when reading e-mails. Training to spot phishing mails and malicious links can prevent a lot of malware from ever even reaching your system. Particulary in an enterprise setting, this can be supported by taking OS and application hardening steps that can, for example prevent any macros in Office documents from running, shutting down one of the most common infection vectors. Similarly, learning how to spot fake websites will help and is often as easy as carefully reading the URL to spot typos or strange subdomains.

Setting up two factor authentication is also valuable. Even though there are now trojans that try to circumvent it, most cannot, and even for those who can, it is an extra step to defeat, an extra step where the user can realize that something is fishy and abort. Using password managers and strong passwords also helps. If you never type your passwords because you just copy it from your password manager, keylogging will not reveal it and you are also not storing it in a plaintext file somewhere on your computer.

Antivirus software’s reputation has suffered recently and banking trojans expend a lot of effort on evading them, but nevertheless, a decent antivirus will help keep your system safe. It’s not always the newest strains of banking trojans that are being sent around and any that have been encountered before will be detected effectively by most A/V solutions. On top of that, even the newest strains occasionally get detected by antivirus software and while that requires too much luck to rely on, it’s good when it happens.

In enterprise settings, monitoring your network is another tool in the defensive toolbox. Many command-and-control servers that malware tries to contact has bizarre URLs that can be detected and blocked. Generally, it can be difficult to detect the traffic from banking malware but it is possible and using multiple defensive methods as a defense in depth is definitely a good idea.

About the Author

Mark Zeman has a Master of Science in Engineering with focus on Information and Communication Technologies at the FHNW. He was able to transform his passion of information security to his focus since 2017. During his bachelor studies he worked for an email security company. (ORCID 0000-0003-0085-2097)

Links

• https://vuldb.com/?id.98019
• https://vuldb.com/?id.98022