Top 10 Banking Malware Families

Banking malware resembles the Trojan horse of the legend of Troy: it gets inside by appearing harmless. Its aim is to gain access to confidential information held in online banking systems.

Banking malware masquerades as a harmless application while attempting to steal information and avoid detection by “having dormant capabilities, hiding components in other files, forming part of a rootkit, or using heavy obfuscation.”

The term malware is a general one: it is short for malicious software and refers to “software that is defined by malicious intent. This type of malicious software can disrupt normal computer operations, steal confidential information, gain unauthorized access to computer systems, and display unwanted advertising, among other things.”

Here is our list of banking malware families:

1. Ramnit / Nimnul

Ramnit is a malware-distribution trojan family. Anti-virus suites can detect Ramnit as “Win32/Ramnit.A” or “Win32/Ramnit.B” depending on the variant. These viruses infiltrate systems without the user’s knowledge and create “backdoors” for other malware to enter the system.

As a result, its presence usually leads to additional infections. Ramnit can inject malicious code into “.dll,” “.exe,” and “.HTML” files. It should be noted that Ramnit infects files already present on the computer, so legitimate existing files become corrupted. When an infected file is opened, it executes code that silently downloads and installs further malware on the system.

2. Zbot/Zeus

The Zeus Trojan (Zbot) is a specific Trojan virus that targets Windows computers to extract sensitive financial information. A Zbot accomplishes this through man-in-the-browser (MitB) attacks, keystroke logging (keylogging), form grabbing, and other techniques.

Zbots can also carry out CryptoLocker ransomware attacks. Zbots are distributed as email spam, via malicious social engineering, and by inserting themselves into legitimate product downloads (so-called “drive-by download attacks”). Once installed, a Zbot opens a backdoor into the machine and provides access to the larger network.

3. IcedID

IcedID shares some similarities with other banking trojans such as Zeus and Gozi (detected by Trend Micro as the ZBOT family), as well as DRIDEX, with common features such as the use of web injection and redirection techniques in its routine. Despite the similarities, analysis of IcedID shows that it does not appear to borrow code from other banking trojans, which means it is not based on an existing trojan but is new malware in its own right. IcedID’s features are also likely to evolve further as its developers keep working on them.

4. Azorult

AZORULT was discovered in 2016 as an information stealer that also steals cookies, IDs, passwords, cryptocurrency information, and more. It also has the ability to download additional malware.

It was advertised on unofficial forums in Russia as a way to obtain different kinds of private data from a compromised computer. A variant of this malware was able to set a registry key to launch a Remote Desktop Protocol (RDP) connection by creating a new, hidden administrator account on the system.
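The two artifacts described above for that Azorult variant, a hidden local administrator account and RDP being switched on, are things a defender can audit for directly. The PowerShell below is an added example written for this post, not code from the original article or from any analysis of the malware; the registry paths are the standard Windows locations for hiding accounts from the logon screen and for the Remote Desktop enable/deny flag, and the expected-administrators list is a placeholder to adjust to your own baseline.

```powershell
# Added example: audit a Windows host for hidden local admin accounts and RDP enablement.
# Run in an elevated Windows PowerShell 5.1 session (uses Get-LocalGroupMember).

$findings = @()
$hidden   = @()

# 1. Accounts hidden from the logon screen: a DWORD of 0 under SpecialAccounts\UserList.
$hideKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $hideKey) {
    $props = Get-ItemProperty -Path $hideKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
            $hidden   += $p.Name
            $findings += "Account hidden from logon screen: $($p.Name)"
        }
    }
}

# 2. Members of the local Administrators group; flag anything outside the expected baseline.
$expectedAdmins = @('Administrator')   # assumption: replace with your organisation's baseline
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($m in $admins) {
    $name = ($m.Name -split '\\')[-1]
    if ($expectedAdmins -notcontains $name) {
        $findings += "Unexpected local Administrators member: $($m.Name) ($($m.PrincipalSource))"
    }
    if ($hidden -contains $name) {
        # A hidden account that is also a local admin matches the behaviour described above.
        $findings += "HIGH: hidden account '$name' is a member of Administrators"
    }
}

# 3. Remote Desktop state: fDenyTSConnections = 0 means RDP connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) {
    $findings += 'Remote Desktop connections are enabled (fDenyTSConnections = 0)'
}

if ($findings.Count -eq 0) {
    Write-Output 'No hidden-admin or RDP-enablement artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

RDP being enabled is not malicious on its own; the combination of an unexpected hidden administrator account with RDP newly turned on is the signal worth escalating.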

5. Trickster/Trickbot

Trickbot (also known as TrickLoader or Trickster) is a banking Trojan that was active from 2014 to 2016 and used man-in-the-browser attacks to steal banking credentials. Trickbot was discovered for the first time in October 2016. Just like Dyre, its main functionality was initially the theft of online banking data. However, its tactics and goals have evolved over time. Currently Trickbot is focused on penetration and distribution over the local network, providing other malware (such as Ryuk ransomware) with access to the infected system, though that’s not the only functionality it supports.

6. Emotet

While historically Emotet was a botnet-organized banking malware, it is now primarily recognized as a content delivery infrastructure as a service. For instance, Trickbot has been using it for installs since the middle of 2018; this may enable Ryuk-based ransomware attacks, a combination that has been repeatedly seen against high-profile targets.

The criminal organization that created it opened up another business channel by selling the infrastructure it uses to deliver additional malicious software, while continuing to steal information from its victims. Analysts have categorized the malware into epochs based on how its command and control, payloads, and delivery methods evolved over time.

7. Qakbot

QBOT, also known as QAKBOT, is a modular Trojan used to download and run binaries on a target computer. It has been active since 2007. Analysis of the binary covers its entire execution flow, from launch to communication with its command and control (C2) systems.

The multistage, multiprocess binary known as QBOT can configure persistence, evade detection, escalate privileges, and communicate with C2 using a list of IP addresses. Through the C2 channel the operators can push fresh IP address lists, deliver new fileless binaries, update QBOT, and run shell commands.

8. Danabot

DanaBot is the latest example of malware that focuses on persistence and stealing useful information that can later be monetized rather than demanding a ransom from victims right away.

So far, the social engineering in the low-volume DanaBot campaigns we’ve seen has been well-crafted, indicating a renewed emphasis on “quality over quantity” in email-based threats. DanaBot’s modular design allows it to download additional components, increasing the banker’s flexibility and robust stealing and remote monitoring capabilities.

9. Tinba/TinyBanker

TinyBanker, also known as Tinba, is typically spread through spam email campaigns, exploit kits, and malvertising (advertising content that directs users to websites hosting malicious threats). In the United States and Europe, bank customers have reportedly been the target of Tinba.

10. Gozi

Gozi, also referred to as RM3, ISFB, Ursnif, Dreambot, CRM, and Snifula, can be regarded as a collection of malware families that share a common malicious codebase. It has a history dating back more than 14 years, making it one of the most pervasive and active banking Trojans.

Thanks for reading!