JUNE 2, 2017

The Financial Threat Landscape

Introduction Financial malware is malicious software developed to commit any kind of financial fraud or theft. It targets financial institutions or


Financial malware is malicious software developed to commit any kind of financial fraud or theft. It targets financial institutions or end-users using online banking services. While mostly rooted in classic banking Trojans aimed at bypassing 2FA and stealing money from end-users, the world of financial malware had evolved considerably, producing more sophisticated means of cyber-heist. From Crypto-miners to SWIFT attacks, hackers keep developing methods to yield higher profits.

Below is an overview of the different types of financial malware, as well as representative variants of each type:

Banking Trojans Targeting PC End-users

Financial malware targeting users of online banking services, also referred to as banking Trojans, aim to obtain financial information and credentials and then use it to perform transactions from victims’ accounts.

The infection of victims involves numerous common attack vectors, such as Malvertising, exploits (mostly via exploit kits, e.g. Angler), spam campaigns and phishing campaigns.

Once the victim is infected, the malware uses various techniques to obtain banking credentials: keylogging, DNS cache poisoning (redirection to the attackers), screen capturing, as well as MITM (man-in-the-middle) and MITB (man-in-the-browser) attacks, while using social engineering to mislead victims into submitting personal credentials (e.g. presenting fake login forms, allegedly from legitimate banking websites).

Eventually, the harvested credentials are used to perform fraudulent transactions. The transactions can be initiated by the attacker possessing access to the victim’s account (account takeover) or committed when the victim performs a transaction himself, and the attacker leverages the session to perform additional actions / change the victim’s transaction destination.


Zeus is one of the most well-known malware families in the wild. It started spreading in 2007, and since its source code had been published in 2011, numerous variants appeared. Variants of the Zeus family are available on underground markets as a ready-to-use and easily configurable toolkit, in a form of CaaS – Crimeware-as-a-Service, a business model in which malware creators sell their product to other attackers who distribute it in their own campaigns and infrastructures.

The Trojan’s main attack vectors are spam campaigns and drive-by-downloads. The spam messages may arrive through email or social media, containing links that redirect to malicious/compromised servers, which deliver the malware. The drive-by-downloads are usually through compromised websites, in which attackers plant malicious code that executes the malware on visitors’ vulnerable hosts.

Once Zeus is installed, it opens a backdoor to its C&C server, to which it uploads the stolen data. It performs the following actions to harvest user credentials:

- URL monitoring – once the user enters a monitored URL (e.g. banking websites), the malware activates keylogging capabilities. It is also capable of injecting fake fields to these websites / popping windows, to request additional credentials.
- Password stealing from browsers’ cache, as well as FTP or POP3 accounts.
- Deleting cookies, making the user re-enter his credentials when visiting websites.

Vawtrak (Also known as Snifula or NeverQuest)

With several campaigns spotted in North America, Europe, Japan and Israel, Vawtrak is a rising financial threat. The malware is distributed via spam messages and exploits kits, or dropped by the Pony botnet. Pony is a password stealer possessing dropper capabilities, and is distributed mainly through spam messages containing malicious attachments with embedded macros.

Recent versions of Vawtrak are written in a modular structure, in which the payload contains the main module, that can download additional modules (DLLs). Each module can be downloaded from specific URLs supplied by the C&C server.

Vawtrak provides remote access to the victim’s host, through SOCKS or VNC (Virtual Network Computing – enables remote desktop sharing). It steals credentials and data such as passwords, cookies, digital certificates and screenshots.

As for evasion – Vawtrak detects security programs and abuses Windows’ Software Restriction Policies to disable their activity. Among the programs it attempts to disable, are Kaspersky, ESET, McAfee, Symantec, and more.

Banking Trojans Targeting Mobile End-Users

When it comes to mobile variants, the most commonly used capability for performing fraudulent transactions is intercepting text/voice communication with banks, as part of the 2FA - two-factor authentication process (e.g. receiving one-time passwords through text messages to confirm a transaction). The permission to access text messages or voice calls is usually given by the users, when they unknowingly install the malicious application.

Apart from the classic attack vectors (repackaged mock apps from third-party stores, Google user hacks, WiFi MitM, etc.), mobile financial malware is often masqueraded as a legitimate banking service.

Android banking malware masquerades as Flash Player

Last November, an Android banking campaign was spotted, targeting customers of major banks in the US, Germany, France, Australia, Turkey, Poland, and Austria. The malware masquerades as a Flash Player app, and upon launch, requests the user to activate device administrator privileges. The victim is then required to click “activate” or “cancel”. However, the “cancel” button actually reopens the window, and similarly to “screen-lockers”, displays a screen overlay on top of other apps. The user is left with no choice other than click “activate”, providing the malware with device administrator privileges, which prevent it from being uninstalled.

The malware targets various social media apps. When the user tries launching them, he is presented with fake forms requesting credit card information. Among the targeted apps are Facebook, WhatsApp, Skype, Twitter, Google Play and more.

The malware can harvest credentials from 94 mobile baking apps, belonging to banks from the US, Germany, France, Australia, Turkey, Poland and Austria. It can also intercept text messages, and thus, bypass 2FA.

Crypto-Mining Malware

Cryptocurrency is a digital medium of exchange, that uses encryption to secure the creation process of new units and the execution of transactions. For instance, Bitcoin is a very well-known cryptocurrency, created in 2009. It can be mined by special software that requires immense processing power. To save power and money, and mine large amounts of cryptocurrency, attackers use crypto-mining malware. Such malware is intended to abuse resources of the infected machine to mine cryptocurrency for the use of the attacker.

Mal/Miner-C mining malware

Discovered in September 2016, this malware is intended to mine Monero (XMR) cryptocurrency.

When the malware is installed, it collects information regarding the host’s CPU/GPU and downloads a document containing a list of mining pools to join. A mining pool is a collection of miners working together to reduce the volatility of their returns.

Apart from mining, this malware also possesses worm-like distribution capabilities: some of its variants use a module which attempts to connect to random IP addresses, with the aim of finding and connecting to FTP servers. Once connected, the malware copies itself to the server and looks for web files (HTML/PHP) to infect, with the purpose of further distribution. It injects the HTML/PHP files with code that generates an iframe (HTML Inline Frame Element – enables the embedding of another HTML page into the current page), embedding the malicious code copied to the server. When users visit the infected website, they’re presented with a “save file” dialog that serves the malicious files.

ATM Malware

An additional platform which is targeted by attackers is ATMs. ATM attacks are aimed at obtaining cash or credit card information from the machine. The main attack vectors for ATMs are through physical access, for example installation of PIN cameras, or malware infection using a USB. However, ATMs are commonly based on Windows, often outdated or unpatched versions, which makes them vulnerable to several other attack vectors, especially when other parts of the network have been compromised.


This recently discovered malware family is meant to dispense cash stored in ATMs.

Upon installation (which is likely through USB / CD-ROM), the malware verifies it’s running on an ATM, by checking the presence of an XFS (Extensions for Financial Services) environment. It does so by searching for the following registry keys: “HKLM\SOFTWARE\XFS”, “HKLM\SOFTWARE\XFS\TRCERR”.

Ifoperator panel the keys aren't found, it terminates itself. Otherwise, the attacker can input three different PIN codes that lead to different commands: exit, uninstall, or open the “operator panel” to dispense cash. To deal with withdrawal limitations when dispensing cash, the malware displays the stored levels of cash on the operator panel, and dynamically updates them when dispensing cash, so that the attacker is aware once he’s close to emptying the ATM’s cassettes.

 Malware Targeting Financial Institutes

Cyber-criminals can always be found where the money is. While attacks on large financial institutes require more sophisticated malware than attacks on end-users, these attacks are potentially much more profitable. Consequently, the financial sector remains one of the most highly targeted sectors.

SWIFT Attacks

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a provider of international financial messaging services. It enables financial institutions in more than 200 countries to send and receive information about financial transactions, and is therefore a lucrative target for hackers.

One of the most severe SWIFT attacks of all times is the theft of $81 million from the Bangladesh Bank in February 2016. The attackers compromised Bangladesh Bank’s network about a month before the transaction execution, and started obtaining information on the bank’s international payment procedures. Among the harvested information were the bank’s credentials, which the attackers used to commit the abovementioned transaction.

According to BAE Systems, a malware sample suspected to be linked to the heist was found in online malware repositories. The malware is intended to operate within an environment running SWIFT’s Alliance software suite. Its key functionality is extracting certain fields from SWIFT messages (e.g. transfer references, SWIFT addresses), which can be used to modify transactions’ details or even delete transactions, thus covering tracks. An additional evasion technique used by the malware was editing SWIFT confirmation messages sent for printing, hence preventing employees from reviewing the original confirmation of the fraudulent transactions.

However, it is still unclear how the malware infected hosts in Bangladesh Bank, or who created it. According to investigations, the intrusion might have been the result of an exploitation of a second-hand, 10$ switch, with no firewall, used in Bangladesh Bank. Nevertheless, such unsophisticated network components are even harder to investigate.

“Shamoon” Targets Saudi Central Bank

Apart from cyber-heist, financial organizations are exposed to various other types of threats, such as ransomware attacks, data leaks, or data wiping. Such attack occurred in November 2016 on Saudi Arabian Monetary Agency (Saudi Arabia's Central Bank), allegedly for political interests. The attackers used a data wiping malware named Shamoon2, which is linked to Iran, and which was already used to attack Saudi Aramco four years earlier.

shamoonShamoon overwrites the MBR (Master Boot Record) of infected hosts, making them unbootable. It accesses the MBR by abusing a commercial driver named RawDisk, by Eldos, which provides access to files, disks and partitions of disks. United States intelligence officials claim the malware is linked to Iran.

A prompt thrown by Shamoon


Even though ransomware made more headlines this past year, banking Trojans are still a major part of the threat landscape. Considering the evolvement of the CaaS phenomenon, providing attackers with accessible and easy to use toolkits, the number of attacks is expected to grow.

To stay protected, we highly recommend using strong passwords, logging out of your banking sessions, and paying attention to suspicious links and attached files arriving by email or social media channels (particularly documents requiring the user to enable macros). In addition, use endpoint protection solutions to defend against malware, and keep your operating system and other programs (especially security programs) up-to-date. As for your mobile device – avoid downloading apps from unofficial stores, and pay attention to the permissions requested by apps before their installation.


Zeus (VirusTotal):




Vawtrak (VirusTotal):




Android banking malware masquerades as Flash Playere5df30b41b0c50594c2b77c1d5d6916a9ce925f792c563f692426c2d50aa2524

Mal/Miner-C (VirusTotal)




Alice ATM malware



Samples allegedly used in the Bangladesh Bank breach:




Shamoon (VirusTotal)




All the above-mentioned samples are detected as malicious by Deep Instinct.