Cybersecurity professionals have long used military metaphors to provide context in the perpetual battle against threat actors. The concept of “reconnaissance” has served as a critical function of military forces for centuries. From the first horse cavalry divisions of the Old West to the sophisticated remote-controlled drones used today, the objective has remained the same: Gather intelligence on a target without detection.
Of course, cybercriminals also boast an extensive history of using reconnaissance tools to perpetrate their own schemes. With weapons running the gamut from basic “infostealers” and form grabbers to remote access trojans, threat actors profit handsomely from reconnaissance and intelligence gathering techniques. That’s why financial services leaders must study how the latest generation of banking trojans adopts new reconnaissance capabilities to infiltrate their environments, and learn what to do to keep these threats at bay.
The birth of Zeus: No myth
Banking trojans have been with us for some time now, starting, of course, with the most infamous of them all: Zeus. First observed in the wild in 2007, fragments of Zeus’ underlying architecture appear in most banking trojans today.
In its first four years of activity, Zeus inflicted more than $100 million in estimated losses, as unprepared financial institutions fell to these complex, targeted attacks.
Zeus 1.0 was one of the first malware varieties offered in an “as-a-service” model, allowing other threat actors to purchase its use as the original author earned money on a regular basis without actual involvement in the theft: almost a commission-type arrangement. Initially, Zeus was distributed primarily via spam, phishing campaigns and drive-by download attacks using exploit kits. It was also one of the first malware families to use complex web injections coupled with command and control (C2) capabilities—helping it become one of the largest botnets in history with millions of infected machines at its disposal.
Following the public leak of Zeus’ source code in 2011, numerous other banking trojans emerged that featured new infostealing capabilities and sophisticated evasion techniques. While the capabilities and targets of these trojans varied, their objective was largely the same: to access the confidential financial information of unsuspecting users and drain their accounts.
Today’s cybercriminals leverage a new generation of banking trojans, namely the Ursnif and TrickBot families, to go beyond stealing money and user credentials. These weapons also serve as advance reconnaissance tools, which let attackers spend weeks or months undetected inside a network and plan more damaging attacks on high-value targets.
Banking Trojans 2.0: ‘The new battering ram’
While banking trojans have evolved in capabilities, the deployment method has changed little over the years. With few exceptions, banking trojans are spread indiscriminately via broad phishing and drive-by campaigns to cast as wide a net as possible. However, a recent webcast hosted by the non-profit SANS Institute reports that attackers use these broad campaigns to probe for worthwhile corporate targets. Such targets can hold a wealth of valuable information, including employees’ personally identifiable information, legal documents, financial statements, trade secrets and more.
According to Jake Williams, founder of Rendition Infosec and a SANS Institute security analyst: “Banking trojans are the new battering ram to get into the network with the attacker looking around saying, ‘Now that I’m inside and knocked the front door down, what do I want to do from here?’ Is this compromised machine joined to a domain and what is that domain?’ ... In essence, what we’re looking at here is more advanced attacks targeting intellectual property.”
Commodity infostealers are often sold as a package, with modules chosen according to the applications an attacker wants to steal from, such as browsers, email clients or cryptocurrency wallets. Banking trojans are significantly more complex. The latest generation employs a modular framework designed both for stealing banking credentials via web injects and for delivering secondary payloads that worm their way into corporate networks. Again, the goal here is to conduct reconnaissance.
The TrickBot and Retefe banking trojans, for example, have added modules that leverage the infamous EternalBlue exploit against Microsoft Windows (the SMBv1 flaw patched in MS17-010) to move laterally through internal networks. The mere existence of this code, capable of traversing internal networks, suggests that while it may not be a primary objective, these and other banking trojans are being adapted to opportunistically collect intelligence on corporate targets. By maintaining persistence, the operators can leverage that foothold in future attacks.
Making sense of malicious code
Among malware families, banking trojans rank among the hardest to detect. They use sophisticated packing and evasion techniques, and they come in countless variants capable of slipping past traditional signature-based antivirus systems. Banking trojans can also obscure their presence by hiding their own network traffic inside normal user traffic, making malicious activity in the logs hard to discern from typical user traffic patterns. Consequently, many of the methods security teams use to detect conventional malicious code are rendered useless.
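Two of the telltale signs described above can be hunted for in ordinary flow logs: the worm-style SMB fan-out produced by an EternalBlue-type lateral movement module, and the low-jitter, timer-driven check-ins of a C2 channel hiding among a user’s web traffic. The script below is an added example written for this article, not code from VMRay, SANS or any of the malware families discussed. It assumes a simple one-flow-per-line format (`epoch_seconds src_ip dst_ip dst_port`); the IP addresses, thresholds and the sample flows themselves are constructed for illustration.

```python
"""Flow-log heuristics for two banking-trojan behaviours: SMB fan-out
(lateral movement over tcp/445) and periodic beaconing over web ports.
Added example, not vendor code. Input format is an assumption:
one flow per line, 'epoch_seconds src_ip dst_ip dst_port'."""
from collections import defaultdict
from statistics import mean, pstdev


def parse_flows(text):
    """Parse 'ts src dst dport' lines into (ts, src, dst, dport) tuples sorted by time."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append((float(ts), src, dst, int(dport)))
    return sorted(flows)


def smb_fanout(flows, window=60.0, threshold=10):
    """Return {src: max distinct tcp/445 destinations within any `window` seconds}
    for sources reaching `threshold`. A workstation normally talks SMB to a few
    file servers; dozens of distinct hosts in a minute looks like scanning/spreading."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():  # events are already time-ordered
        best, left = 0, 0
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window:
                left += 1  # slide the window forward
            best = max(best, len({d for _, d in events[left:right + 1]}))
        if best >= threshold:
            hits[src] = best
    return hits


def beacon_candidates(flows, ports=(80, 443), min_count=8, max_cv=0.15):
    """Flag (src, dst) pairs whose web connections recur at a near-constant interval.
    Human browsing is bursty; a C2 check-in timer is not. Returns
    {(src, dst): (mean_gap_seconds, coefficient_of_variation)}."""
    seen = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in ports:
            seen[(src, dst)].append(ts)
    out = {}
    for key, times in seen.items():
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m == 0:
            continue
        cv = pstdev(gaps) / m  # relative jitter of the inter-arrival times
        if cv <= max_cv:
            out[key] = (round(m, 1), round(cv, 3))
    return out


def build_sample_flows():
    """Constructed flows (not real telemetry) that exercise both detectors."""
    base = 1_700_000_000
    lines = []
    # fan-out: one host touches 12 neighbours on tcp/445 within ~22 seconds
    for i in range(12):
        lines.append(f"{base + 2 * i} 10.0.5.23 10.0.5.{100 + i} 445")
    # benign: a workstation reaching its file server three times in an hour
    for i in range(3):
        lines.append(f"{base + 1200 * i} 10.0.5.40 10.0.1.5 445")
    # beacon: HTTPS check-in every 300 s with +/-2 s jitter
    t = base
    for j in (0, 1, -2, 2, -1, 0, 1, -2, 2, 0):
        t += 300 + j
        lines.append(f"{t} 10.0.5.23 203.0.113.7 443")
    # benign browsing: bursty, irregular visits to the same site
    t = base
    for gap in (3, 90, 2, 400, 7, 1800, 4, 60):
        t += gap
        lines.append(f"{t} 10.0.5.40 198.51.100.10 443")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    print("SMB fan-out:", smb_fanout(flows))
    print("Beacon candidates:", beacon_candidates(flows))
```

Both heuristics are deliberately simple: the thresholds will need tuning per environment (a backup server legitimately fans out over SMB, and some legitimate software updaters poll on a timer), so treat a hit as a lead for triage rather than a verdict.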
This explains the urgency as security professionals seek to understand and analyze how banking trojans behave, and to decipher the mechanisms they use to evade early detection. What do these trojans do once inside the victim’s system? How do they steal credentials, and how are the stolen credentials exfiltrated to a remote C2 server?
These questions and more dog security researchers as they analyze banking trojan samples such as TrickBot and Ursnif. By understanding their methods of attack, we can learn how to identify telltale signs that they have breached the network perimeter.
Putting it all together
For all their complexity and cunning, banking trojans will only grow in sophistication as threat actors continue to add evasive countermeasures. Given this proliferation of malware built with redundant infection paths and deliberate reconnaissance capabilities, security teams must work with extra diligence to quickly separate the signal of these threats from the noise of everyday network traffic.
As the names Zeus and trojan might imply, cybercriminals tend to think of themselves and their malevolence in grandiose terms. It’s up to us to join the battle in unexpected and original ways, and if necessary, invoke some Trojan horse cunning of our own.
Chad Loeven is the president of VMRay Inc., an automated malware detection and analysis solutions provider.