The Re-Emergence of Banking Trojans in 2017


2017 was the year in which ransomware grabbed the attention of many. Petya, NotPetya, and WannaCry, in particular, are still fresh on our minds. But with eyes on the major headlines of the past year — from the massive Equifax data breach to Uber’s embarrassing data leakage cover up — you might have missed out on another trend: the slow but steady re-emergence of banking trojans.

While banking trojans already had their peak between 2012 and 2013, hackers have once again evolved their delivery methods for distributing malware or have found new victims to target in recent years. In fact, during Q1 2017, one third of reported phishing campaigns were found to have delivered banking trojans. Despite ransomware attacks dominating the headlines, banking trojans might not be a dying trend after all. Here we look at some of the banking trojans that emerged or resurfaced during the latter half of 2017.


BankBot first appeared in the beginning of 2017 and later resurfaced in September with new tricks up its sleeves. This banking trojan managed to sneak into the Google Play store by imitating a popular game called Jewels Star. When users downloaded the illegitimate app, it prompted users to enable a fake “Google Services” accessibility permission. However, this actually gave the malware a “free hand” to carry out its attack, although it doesn’t do this right off the bat. The malware only starts abusing this permission to download other malicious apps some hours after the user activates it in order to avoid setting off any red flags. Thereafter, when users next open Google Play, the trojan would overlay it with a fake form that requested users’ credit card details. Although the malicious app has long been removed from the Google Play store, the malware infecting it, BankBot, is a prime example of how a malware creator might abuse the Accessibility Service, imitate a legitimate entity, and avoid detection by waiting patiently to launch an attack. All of these methods are growing trends among new malware.


We’ve already discussed Trickbot on our blog before, but the picky malware has evolved once again to imitate the ransomware WannaCry and Petya even more. As a recap, the banking trojan essentially used a redirection attack to deceive users into visiting a malicious site where their financial information was ultimately extracted. The attacks against banking institutions were successful, spreading and affecting users in over 24 countries. Trickbot further adapted by abusing a networking protocol called SMB (Server Message Block), the same protocol exploited by the creators behind the WannaCry and Petya ransomware attacks. In this way, TrickBot was able to develop a worm module to self-spread more easily than before. The concept of using a worm module is not all that common among other banking trojans, making Trickbot pretty unique and showing how malware creators are becoming more creative.


Ursnif is not a new banking trojan. In fact, it’s been around since 2007, but had primarily only targeted the English-speaking continents of North America, Europe, and Australia. However, when the source code was leaked, the trojan began to evolve. Late October, the banking trojan began making Japan one of its top targets, delivering the malware through spam campaigns. Unlike what you’d expect, the malware doesn’t just stick to targeting financial institutions; it is also known to target users of ecommerce sites, cryptocurrency platforms, and even webmail. Its prime techniques range from Man-in-the-browser (MITB) attacks, web injections, and session video grabbing attacks, oftentimes using exploit kits to deliver malware. With these new techniques, might we expect Ursnif to pop up in other parts of the world?


This banking trojan became active in 2015 and seemingly disappeared for two years until it re-emerged in late 2017. CoreBot returned after modifying its prime key indicators of compromise that security researchers had previously identified. These indicators of compromise are essentially red flags that indicate malicious activity early on in the attack and give clues that it may lead to a potentially compromised system. Instead of sending out spam emails containing malicious Word documents, it now sends out emails with a fake invoice message that prompts users to click on a link to view the invoice. Once this link is clicked, the malware will be downloaded and executed. Corebot is known to target Canadian banking websites and has already affected customers of RBC, Scotia Bank, and Banque Nationale. This “new” version of Corebot is still being analyzed by security experts, but initial examinations show it may have some connection with other active malware campaigns that are targeting banks.


IcedID is a new banking trojan that emerged in November 2017. Besides targeting financial institutions across North America and the UK, it also targets ecommerce sites and mobile services providers. So how does it work? Its delivery method begins with the use of a botnet to deliver malware and gain access to a vulnerable network. Then, it uses a combination of redirection and web injections to carry out its attack. IcedID is also able to propagate over a network and monitor online activity by setting up a local proxy. However, as of now, it does not seem to pose too much of a threat since it appears to lack techniques for detecting virtual machine environments, meaning the malware could still be analyzed in a sandbox application. While other banking trojans like Zeus also utilize web injection and redirection tactics, security researchers who have carefully analyzed IcedID say it does not appear to borrow code from other banking trojans, making IcedID a fairly new player in the pool of banking trojans. News about malicious apps containing malware seem like so much of a daily occurrence that we don’t even bat an eye anymore, and banking trojans are just one of the many types of malware out there. As security experts have noted, it is extremely common to see banking trojans sharing similar characteristics with one another, with hackers either copying each other or adding on new and improved features to evade detection. With the New Year quickly approaching, is it really in with the new and out with the old? Not exactly. We can expect malware to continue to be a big part of the cybersecurity challenges in 2018, especially as cybercriminals further advance their techniques and delivery methods to infect new targets.