"some of the most popular web browsers. it logged keystrokes and used form grabbing techniques to steal users ' credentials. as well as being a banking trojan in its own right, it attempted to target and remove the competitive malware, zeus. spyeye originally had a “ kill zeus ” f…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1588.001 Malware
86%
"##iminals. f5 labs also published a notable link between danabot, gozi, and tinba web injection patterns, supporting the idea that a great deal of fraud business logic is now implemented in javascript and sold to malware authors. - ramnit. this unique banking trojan started out i…"
T1588.002 Tool
81%
"code was leaked, which lead to the creation of several different versions of the malware. it was leaked for a second time in 2015, which led to further modularization and development of new versions of the malware. in 2016, latvian hacker deniss calovskis was sentenced to time se…"
T1588.001 Malware
80%
"may be a spinoff from the “ business club, ” an organized cybercrime gang that developed the gameover zeus botnet. a number of arrests were made in september 2015, but that did little to stop dridex. in february 2016, f5 labs published reports on the dridex botnet 220 campaign no…"
T1588.002 Tool
78%
"expanded its technical capabilities by adding a layer of encryption. reportedly last seen in january 2019, 55 trickbot has some new technical updates that include the ability to grab remote application credentials. trickbot ’ s authors are showing that they ’ re still active, and…"
T1588.001 Malware
74%
"running malware ; it tends to run through geographically centered campaigns, yet its techniques are constantly evolving and it continues to be dangerous. kronos. kronos is known in greek mythology as the “ father of zeus. ” kronos malware was first discovered in a russian undergr…"
T1588.001 Malware
71%
"be a spin - off of the carberp banking trojan, 3 and ibm analysts also connected kronos to zeus through its compatible html injection mechanism. 4 in august 2017, marcus hutchens, the security researcher who single handedly put a halt to the wannacry ransomware outbreak, was indi…"
T1588.002 Tool
67%
"the alleged authors of dyre ’ s code. 38 - trickbot. known as one of the successors to the infamous dyre botnet, trickbot continues to grow in sophistication and technique. f5 labs first reported on it as a pure banking trojan targeting the financial services industry in 2016. it…"
T1588.001 Malware
67%
"took its name from the merchant of venice and contained snippets from the play in its files. 21 shylock began its campaign in 2011, capturing users ' online banking credentials and then tricking them into transferring funds to attacker - controlled accounts. it used modular, adap…"
T1204.002 Malicious File
65%
"##sov ’ s arrest, however, another banking trojan, bokbot ( also known as icedid ) has been connected to the group behind vawtrak. 34 - emotet. this malware was first identified by security researchers in 2014 as a simple banking trojan. later versions of the malware evolved and …"
T1555.003 Credentials from Web Browsers
61%
"some of the most popular web browsers. it logged keystrokes and used form grabbing techniques to steal users ' credentials. as well as being a banking trojan in its own right, it attempted to target and remove the competitive malware, zeus. spyeye originally had a “ kill zeus ” f…"
T1588.001 Malware
57%
"cross national borders. the source code has been publicly available since 2011, and a number of variants have been developed. the original version of zeus malware worked on microsoft operating systems and was spread through spam and drive - by downloads. since then, zeus variants…"
T1588.001 Malware
56%
"banking trojans : a reference guide to the malware family tree introduction f5 labs attack series education articles help you understand common attacks, how they work, and how to defend against them. what is a trojan? a trojan is any type of malicious program disguised as a legit…"
T1555.003 Credentials from Web Browsers
51%
"2013, however, carberp made a comeback with improved paid versions and mobile app variants available in the wild. in 2013 carberp ’ s code and bootkit were leaked ; components of ursnif ( also known as gozi ) and citadel were also found inside. 15 carberp was adopted by the carba…"
T1588.001 Malware
50%
"##ware infection, droppers are designed to install some other kind of malware onto a target system. - sample. a single example of a malware variant that is studied by engineers to determine characteristics of the malware variant. a reference guide to the malware family tree activ…"
T1185 Browser Session Hijacking
50%
"some of the most popular web browsers. it logged keystrokes and used form grabbing techniques to steal users ' credentials. as well as being a banking trojan in its own right, it attempted to target and remove the competitive malware, zeus. spyeye originally had a “ kill zeus ” f…"
T1014 Rootkit
50%
"##gon that helps make these descriptions easier to understand : - malware family. a collection of malware that ’ s produced from the same code base. - variant. malware that ’ s built from an existing code base, but with a new signature that is not included in the list of known ba…"
T1588.001 Malware
45%
"##quest or snifula, vawtrak is a descendent of the gozi banking trojan. first discovered in 2013, vawtrak was active in geographically targeted campaigns and employs a cybercrime - as - a - service business model. this is not unique to vawtrak, as other trojans, including gameove…"
T1588.001 Malware
41%
"since 2017, news about citadel has slowed but, like many other banking trojans that have reemerged from dormancy, it remains an active threat. - tinba. also known as tiny banking trojan, tinba was first discovered in the wild in 2012 when it was found to have infected a number of…"
T1588.001 Malware
36%
"is considered one of the most dangerous pieces of banking trojan malware. - goznym. goznym is a hybrid of gozi and nymaim. the nymaim malware itself is a dropper. it acts solely as a gateway — a delivery system for other strands of malware. goznym uses nymaim ’ s advanced stealth…"
T1588.001 Malware
35%
"code was leaked, which lead to the creation of several different versions of the malware. it was leaked for a second time in 2015, which led to further modularization and development of new versions of the malware. in 2016, latvian hacker deniss calovskis was sentenced to time se…"
T1555.003 Credentials from Web Browsers
33%
"adding additional banks and techniques thoroughly detailed by f5 labs. the evolution of techniques continued through august 2018 when backswap also made a geographical shift away from polish banks to exclusively target spanish banks. 50 through the latter part of 2018 and early 2…"
T1588.001 Malware
32%
"##yreza, dyzap, and dyranges, dyre first emerged in 2014 targeting major online banking services. dyre is allegedly a variant of zeus malware, though no official attribution to the source code can be confirmed. 8 when dyre first emerged, it sent shock waves through the malware an…"
Summary
Learn about banking trojans, how they work, and how the various malware families continually evolve to remain virulent.