Banking or Financial Trojans are already notorious because they have been around for a while, and they count both consumers and financial institutions among their victims. To help better defend against this class of malware, we share analyses of some recent families of financial Trojans. Nick Bilogorskiy, Cyphort's Director of Security Research, looks at the specific characteristics associated with a financial Trojan in terms of distribution channel, armoring behavior, attack payload, actors, etc in this presentation.

2. Knowing Your Enemy
What Makes A Trojan Financial?

3. Your speakers today
Nick Bilogorskiy
@belogor
Director of Security Research
Shel Sharma
Product Marketing Director

4. Agenda
o What makes a Trojan Financial
o Financial Trojans countdown
o Wrap-up and Q&A
CyphortLabsT-shirt

5. Threat Monitoring &
Research team
________
24X7 monitoring for
malware events
________
Assist customers with
their Forensics and
Incident Response
We enhance malware
detection accuracy
________
False positives/negatives
________
Deep-dive research
We work with the
security ecosystem
________
Contribute to and learn
from malware KB
________
Best of 3rd Party threat
data

6. What makes a Trojan Financial
o What they try to get:
o Direct collection theft of credit cards
o Collect of credentials for online fraud
o Fake bank communication
o Direct control over bank transfer system
o How sophisticated they are:
o Man-in-the browser: webinjects
o Evasion, armoring, anti-analysis
o Configuration file for targets
o Encrypted Command-and-Control and DGA

7. Shylock
Aka Caphaw
Enemy #8

8. Shylock Trojan
o First seen: 2011
o Target: European banks, especially UK
o Distribution: Blackhole, Cool, Magnitude,
Nuclear, and Styx Exploit Kits, spam,
malvertising via Youtube ads, Skype.
o Value Stolen: several million dollars
o Infected Users: 60,000 (Symantec)
o Actors: in Russia or Eastern Europe

9. Shylock features
o Steals financial info via man-in-the-browser
o Injects itself in svchost and explorer, uses bootkit
o VNC module to control user machine
o Spreads through skype

10. Bebloh
Aka URLzone
enemy#7

11. Bebloh Trojan
o First seen: 2009
o Target: Western Europe banks (most in Germany)
o Distribution: LuckySploit Kit, Spam mails
o Value Stolen: $7.3 Million dollars annually (just one gang)
o Infected Users: less than 30,000 (Source: Symantec)

12. Bebloh: PDF exploit

13. Bebloh Features
o Forces use of Internet Explorer
o Disables use of a proxy
o Monitors access of certain online banking sites
o AV Evasion
o Encrypted config file

14. Bebloh Trojan
o C&C comm
o Decrypted
Config
file

15. Bebloh: AV evasion

16. Vawtrak
Aka Snifula, Neverquest, Papras
enemy #6

17. Vawtrak Trojan
o First seen: August 2013
o Target: North American banks
o Distribution: Angler Kit, Kuluoz spam,
Chanitor downloader
o Value Stolen: $24 Million dollars (RT)
o Infected Users: about 100,000
o Actors: Russian Neverquest Vawtrak crew,
vorVzakone – Oleg Tolstykh (phishlabs)

18. Vawtrak Trojan
AVG

19. Vawtrak features
o Vawtrak CNC process is complex and well-hidden. The
update servers are hosted on the Tor hidden Web services,
and communication is done over SSL. Communication is
done only while the user is browsing the Internet (i.e. while
a browser produces a network traffic).
o The command and control center of the attack is located
in Russia
o Furthermore, Vawtrak uses steganography by hiding the
update lists inside favicons 4 kB favicon image files, carrying
data in the least significant bits!

20. Dridex
Aka Cridex, Bugat
enemy #5

21. Dridex Trojan
o First seen: Nov 2014
o Target: North American and European Banks
o Distribution: Spam mails with Word Documents
o Infected Users: about 29,000 (Symantec)

22. Dridex features
o Some version use p2p over http for carrying out botnet
communication
o Uses web injects to carry out man-in-browser attack
o Uses VNC
o Can act as RAT tool unlike other banking Trojan
o Uses XML based config file

23. Dyre
Aka Dyreza
enemy #4

24. Dyre Trojan
o First seen: 2014
o Target: North American Corporate Banks
o Distribution: Spam mails, by Upatre and Cutwail botnets, RIG
exploit kit.
o Value Stolen: over $1 million dollars (IBM)
o Infected Users: 90,000+ (Symantec)
o Actors: Eastern Europe
Dyre Wolf gang (FBI)

25. Dyre Trojan
www.blueliv.com
Blueliv.com

26. Dyre features
o Uses man-in-the-browser attack
o Browser Snapshot, can take pictures and grab credentials.
o Adds extra text fields required for accessing the account
o Uses SSL, DGA algorithm, 1000 domains each day for CNC
o THE PHONE CALL –ADVANCED SOCIAL ENGINEERING
o To hide its backend infrastructure, Dyre deploys a set of proxy
servers that act as C2 servers.

27. SpyEye
Enemy #3

28. SpyEye
o First seen: 2009
o Target: Mostly US
o Distribution: sold as a toolkit ranging from $500 to $8,500 depending on the
plugin. Most bot arrives through spam mails.
o Value Stolen: tens of millions of dollars (infosecurity-magazine.com)
o Infected Users: 1.4 million (FBI)
o Actor: Aleksander Panin a.k.a
Gribodemon or Harderman,
arrested in June 2013

29. SpyEye

30. SpyEye features
o Uses man-in-the-browser attack
o Configuration file is saved in encrypted format.
o Browser Snapshot, can take pictures and grab credentials.
o Only activates when the user is browsing the bank’s website
o Updates itself
o Injects into explorer.exe
Source: http://www.xylibox.com/

31. Zeus
Enemy #2

32. 32
ZEUS What is it
o First seen: 2007
o Target: All financial
institutions
o Distribution: drive by
downloads, spam
o Value Stolen: $100 Million
dollars (FBI)
o Infected Users: 4 Million+
o Actors: Russian Evgeniy
Bogachev

33. ZEUS Actors
Evgeniy Bogachev, 30, of
Anapa, Russia.
nickname “Slavik”
Gameover Zeus ringleader
Hamza Bendelladj, 24, Algerian
nickname “Bx1”
Botmaster
Arrested and extradited in 2013

34. o Steganography
o Rootkit
o Anti-Debugging
o Digital signatures
o Modular. Flexible. Persistent.
ZEUS Advanced tricks

35. Carbanak
Aka Anunak
enemy #1

36. Carbanak Trojan
o First seen: February 2015
o Target: Russia, followed by the United States, Germany,
China and Ukraine
o Distribution: targeted phishing emails
o Value Stolen: $1 Billion dollars
o Infected Users: only a thousand private customers
o Actors: China or Russia

37. Carbanak Trojan

38. Carbanak features
o APT TTP. A backdoor based on the Carberp malicious code.
o Evasion – anti-VM, sleeping, anti-debugging
o moved laterally to infiltrate administrator machines and
observed cash transfer patterns
o Steals from banks directly, not from users
o ATMs were instructed to dispense cash for money mules
o Manipulating account balances

39. Trojans map
Vawtrak Dyre
Carbanak
USA
UK
Germany
Russia
China
SpyEye
Bebloh
Shylock

40. Conclusions
o Continued activity targeting
individuals using more sophisticated
Trojans,
o Increased ransomware with blackmail
tactics for extortion,
o Increased campaigns and malware
targeting banks and clearing houses
themselves

41. Q and A
Previous
MMW slides on
www.slideshare.net/
Cyphort/

42. Thank You!
Twitter: @belogor