A couple of weeks ago, we learned about a new phishing campaign that delivered Trickbot in an attempt to harvest the credentials of online banking customers. This latest wave targeted UK users, pretending to come from HRMC (HM Revenue & Customs). The actors exploited a vulnerability in Internet Explorer (CVE-2018-8174), for which a patch was released in May 2018. Banking trojans constitute a significant threat to banking customers and small businesses. In this blog – the second in a series on threats to financial services – we delve into the threat of banking trojans in more detail.

What is a Banking Trojan?

A banking trojan is a form of malware that seeks to collect the credentials of online banking customers from infected machines. The malware is delivered through a variety of mechanisms, exploits a range of vulnerabilities, and increasingly incorporates additional functionality.

One of the oldest variants is Zeus, a trojan first spotted in 2007 in a campaign targeting the US Department of Transportation, that has since grown in popularity. Zeus’ author reportedly retired in 2010 and the Zeus source code was leaked the following year, giving way to a swathe of alternative variants.

Trickbot is one of many banking trojans active in 2018, others include UrSnif, Dridex, Retefe and Panda. As shown below, these can be delivered in a variety of ways, including botnets (often through phishing campaigns) like Necurs and exploit kits (often drive-by downloads from a compromise website or malvertising) such as RIG. Once delivered – often through spam emails – many variants rely on users downloading malicious Microsoft Word Documents. Some variants, such as Retefe, have leveraged ETERNALBLUE (an exploit for CVE-2017-0199).

 

Variant Delivery Distribution Recent Targets Exploited Vulnerabilities
Ursnif Spam Emails Necurs Botnet; RIG exploit kit Japan; New Zealand; Australia; US; Canada; Italy CVE-2018-10730; CVE-2018-10731
Dridex Spam Emails; Malicious Microsoft Office documents Necurs Botnet; Compromised FTP servers UK, United States CVE-2017-0199
Retefe Spam Emails; Malicious Microsoft Office documents Unknown UK; Switzerland; Austria CVE-2017-0144
Trickbot Spam Emails; IcedID downloader Qtbot; RIG Exploit Kit Global CVE-2018-8174; CVE-2017-0144; CVE-2017-11882
Panda Zeus Spam Emails; Msg attachments Social media phishing; DeLoader malware dropper Japan; United States CVE-2014-1761; CVE-2012-0158

 

Table 1: Overview of most prominent banking trojans in 2018

 Protecting Yourself Against Banking Trojans

With malware developers rapidly adding new functionality to these variants, it can be challenging to keep up-to-date with the threat posed by banking trojans. However, by understanding the common ways in which the trojans are delivered and infect your machine, it can help you make more informed about security controls and patch priorities.

Organizations should look at deploying a defense-in-depth strategy to protect against initial infection and for post-infection. A strategy for defense should use a blend of technical and non-technical controls in order to be most effective. Some of the components that should be used include:

  1. Provide awareness and training for staff who may be the end users targeted by banking trojans. Staff should be made aware of the threat of banking trojans (and malware in general), how it is delivered, and information security principles and techniques.
  2. Open channels for staff to be able to report suspected phishing attempts. This should be a way for users to openly and easily report suspect emails and files, and receive validation prior to opening. This ensures that the user does not infect themselves or the organization, but can also provide security operations signatures to better protect others in the organization.
  3. Ensure operating systems, software and firmware on devices are kept patched and updated as vulnerabilities are discovered. A centralized patch management system may facilitate this process. Prioritizing recently exploited vulnerabilities, such as CVE-2018-8174, should be a focus.
  4. Use an email filtering system or service to identify phishing threats, particularly around malicious attachments. Office365 users should consider Microsoft’s Advanced Threat Protection (ATP), a cloud-based email filtering service. This will help prevent malware delivery through email phishing campaigns with malicious payloads or links.
  5. Ensure anti-virus (AV) software is installed on end-points and kept regularly updated with scans carried out regularly. Most AV solutions can be set to automatically update and scan.
  6. Manage the use of privileged accounts and ensure the “principal of least privilege” is implemented. Administrative access should be reserved only for those who require this. Those employees should only use the accounts when required and use regular user accounts for daily tasks. The principle of least privilege should also be implemented for file, directory, and network share permissions.
  7. Disable macros from Office files transmitted via e-mail. Consider using the Outlook preview pane to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
  8. Prevent access to malicious websites, including the downloading of the malware installed during these attacks. Blocking access to the Tor network and I2P sites may also be a useful technique in blocking the malware’s command and control (C&C) communications and can help prevent the initial malware drop.

 

For finance organizations, banking trojans targeting their employees and customers will be a concern. By taking these steps, organizations and individuals can better protect their sensitive logon information.

 

Stay tuned for our future blogs on other threats to financial services.

 

To stay up to date with the latest Digital Shadows (now ReliaQuest) threat intelligence and news, subscribe to our threat intelligence emails here.