Banking Trojans are specialized malware designed to steal financial data, such as bank card details, online banking passwords, and other sensitive information. They play a key role in carding and are often associated with other cybercrimes, including ransomware. For educational purposes, I will describe in detail the technical aspects of banking Trojans: their architecture, methods of operation, propagation, communication, detection evasion, and practical examples.
1. Architecture of banking Trojans
Banking Trojans are complex programs consisting of multiple modules, each performing a specific function. The main components are:
1.1. Dropper
- Function: Delivers the main malicious code to the victim's device.
- Implementation: Can be a separate executable file (.exe), a script (.js, .vbs) or a macro in a document (e.g. Word/Excel).
- Features: Often packed or obfuscated (e.g. with packers such as UPX, or with polymorphic techniques) to evade antivirus software.
1.2. Main Module
- Function: Performs key tasks such as data theft, code injection into browsers, and communication with the command and control (C2) server.
- Implementation: Usually injected into system processes (svchost.exe, explorer.exe) for disguise.
1.3. Data Collection Module
- Function: Collects credentials such as logins, passwords, card details, cookies, and browser history.
- Methods:
  - Keylogging (recording keystrokes).
  - Form-grabbing: intercepting data entered into web forms.
  - Screenshots.
  - Stealing files (e.g. wallet.dat for crypto wallets).
1.4. Injection Module
- Function: Injects malicious code into legitimate processes (such as browsers) to replace web pages or intercept data.
- Techniques: Web injections to fake banking pages or add input fields.
1.5. Communication Module
- Function: Communicates with the C2 server to transmit stolen data and receive commands.
- Protocols: HTTP/HTTPS, DNS, Tor, encrypted channels.
1.6. Self-propagation module (optional)
- Some Trojans (such as Emotet) can spread across the network by exploiting vulnerabilities or compromised accounts.
2. Mechanism of operation
Banking Trojans perform a sequence of actions to achieve their goals:
- Penetration:
  - The Trojan is delivered through phishing, exploits, compromised websites, or infected applications.
  - Example: Phishing email with a malicious attachment (PDF, .docx with macros).
- Installation:
  - The dropper (loader) installs the main module into the system.
  - The malware creates entries in the Windows registry (for example, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) for autorun.
  - The code may be injected into processes such as explorer.exe to disguise itself.
- Data collection:
  - The keylogger records entered passwords and card data.
  - Form-grabbing intercepts form data before the browser encrypts it for HTTPS.
  - Web injections modify banking pages by adding fake fields (for example, a request for a CVV code).
- Data transfer:
  - The stolen data is sent to the C2 server via encrypted channels.
  - Domain Generation Algorithms (DGA) are used to change server addresses dynamically.
- Additional actions:
  - The Trojan can download additional modules (for example, ransomware or spyware).
  - It can execute commands from the C2 server, such as deleting files or launching DDoS attacks.
- Self-removal (optional):
  - After completing its task, the Trojan may remove traces of its presence to make analysis more difficult.
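An added example (not code from the original post) of the defender's counterpart to the installation step above: triaging Run-key autorun entries for the traits just described, such as a binary named svchost.exe that runs from a user profile directory, or a script host started with hidden or encoded flags. The sample entries are constructed; read_hkcu_run() is an assumed helper that reads the live key on Windows through the standard winreg module.

```python
import re

# Constructed autorun entries (not from a real host), in the (value name, command)
# form that exporting HKCU\Software\Microsoft\Windows\CurrentVersion\Run would give.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("Updater", r"C:\Users\alice\AppData\Roaming\svchost\svchost.exe"),
    ("WinCfg", r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\cfg.vbs"'),
    ("Sync", r"powershell.exe -w hidden -enc <BASE64 PLACEHOLDER>"),
]

# Heuristics applied to each autorun command (illustrative, not exhaustive).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh|rundll32|regsvr32)(\.exe)?\b", re.I)
SYSTEM_NAMES = re.compile(r"\\(svchost|explorer|lsass|csrss)\.exe$", re.I)
HIDDEN_FLAGS = re.compile(r"-(w(indowstyle)? hidden|enc(odedcommand)?|nop(rofile)?)\b|//B\b", re.I)

def executable_path(command: str) -> str:
    """First token of the command, honouring quotes around paths with spaces."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command

def triage_entry(name: str, command: str) -> list:
    """Reasons an entry deserves a closer look; an empty list means nothing unusual."""
    exe, reasons = executable_path(command), []
    if USER_WRITABLE.search(command):
        reasons.append("runs from a user-writable directory")
    if SCRIPT_HOSTS.search(exe):
        reasons.append("launched through a script host or LOLBin")
    if SYSTEM_NAMES.search(exe) and not re.search(r"\\Windows\\", exe, re.I):
        reasons.append("system process name outside the Windows directory")
    if HIDDEN_FLAGS.search(command):
        reasons.append("hidden-window or encoded-command flags")
    return reasons

def triage(entries) -> dict:
    """Map of flagged value names to their reasons."""
    return {n: r for n, c in entries if (r := triage_entry(n, c))}

def read_hkcu_run() -> list:
    """Windows only (assumed helper): read the live HKCU Run key in the same shape."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, value, _ = winreg.EnumValue(key, i)
            entries.append((name, str(value)))
    return entries
```

On a Windows host, triage(read_hkcu_run()) applies the same checks to the real key; the HKLM Run and RunOnce keys are worth the same treatment.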
3. Technical aspects of data theft
Banking Trojans use several methods to steal financial data:
3.1. Keylogging
- Mechanism: Intercepts keystrokes via the Windows API (SetWindowsHookEx) or kernel-level drivers.
- Purpose: Capture logins, passwords, PIN codes and other data entered by the user.
- Example: Zeus used keylogging to steal banking credentials.
3.2. Form-Grabbing
- Mechanism: Intercepts data sent via POST requests in the browser before it is encrypted with HTTPS.
- Technique: Injecting into browser processes (chrome.exe, firefox.exe) or using fake SSL certificates.
- Example: Dridex intercepted form data on banking websites.
3.3. Web Injections
- Mechanism: The Trojan modifies web pages in real time by adding fake input fields or replacing the interface.
- Technique: Uses scripts (JavaScript) to modify the DOM of the page.
- Example: TrickBot added CVV code entry fields to fake banking pages.
3.4. Cookie and Session Theft
- Mechanism: Extracts cookies from browsers to bypass authentication.
- Purpose: Gaining access to bank accounts without entering a password.
3.5. Screenshots and video recording
- Mechanism: Takes screenshots or records video while the user enters data.
- Example: Gozi used screenshots to capture one-time passwords (OTPs).
4. Methods of distribution
Banking Trojans use a variety of attack vectors, many of which overlap with ransomware:
4.1. Phishing
- Mechanism: Sending emails with malicious attachments (Word, Excel, PDF) or links to infected websites.
- Example: Emotet used phishing emails with macros to install a Trojan.
4.2. Exploit Kits
- Mechanism: Infection through vulnerabilities in browsers or plugins (Flash, Java) on compromised websites.
- Example: Angler Exploit Kit delivered trojans such as Gozi.
4.3. Remote Access
- Mechanism: Using weakly protected RDP or VPN with stolen credentials.
- Example: TrickBot often gained its initial access via RDP.
4.4. Infected software
- Mechanism: The Trojan is embedded in pirated or counterfeit software downloaded by users.
- Example: Fake banking apps.
4.5. Self-propagation
- Mechanism: Some Trojans (Emotet) use worm-like mechanisms to spread across local networks through vulnerabilities (e.g. SMB).
5. Evading detection
Banking Trojans use sophisticated techniques to bypass antivirus software and analysis:
5.1. Obfuscation and Polymorphism
- Mechanism: The Trojan code changes with each infection (polymorphism) or is encrypted to make static analysis more difficult.
- Example: Zeus used polymorphic variants to evade signature detection.
5.2. Anti-antivirus techniques
- Mechanism: Disabling antivirus software, killing its processes or blocking its updates.
- Example: Dridex terminated Windows Defender processes.
5.3. Anti-analysis
- Mechanism: The Trojan checks whether it is running in a virtual machine or sandbox and stops running if it detects an analysis.
- Example: Emotet detected debuggers and sandboxes.
5.4. Communication encryption
- Mechanism: Uses HTTPS or Tor to communicate with the C2 server.
- Example: TrickBot used a DGA to generate new C2 domains.
6. Communication with C2 servers
- Protocols: HTTP/HTTPS, DNS, Tor, I2P.
- Techniques:
  - Domain Generation Algorithms (DGA) for dynamically changing C2 addresses.
  - Encrypting data with AES or RSA.
- Functions:
  - Transfer of stolen data (logins, passwords, cookies).
  - Receiving updates or new modules.
  - Executing commands (for example, running ransomware).
- Example: Emotet used HTTPS to send data to the C2 server.
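As an added, defender-side example (not code from the original post), a small Python checker that applies the DGA and C2 points from sections 5.4 and 6 to resolver logs: it scores each queried name for randomness and counts the NXDOMAIN bursts a DGA produces while the Trojan hunts for a live C2 domain. The log format, the hosts and the names in it are constructed for the example, and the thresholds are illustrative.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the page): time, client, qname, rcode.
# Client 10.0.0.7 shows the burst of random-looking, mostly unresolvable names of a DGA.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com NOERROR
2024-01-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2024-01-01T10:00:03 10.0.0.7 xk3vq9zlt7bwp.com NXDOMAIN
2024-01-01T10:00:03 10.0.0.7 q8dj2mvzpx4rl.net NXDOMAIN
2024-01-01T10:00:04 10.0.0.7 zt6pw1kq9dhjf.org NXDOMAIN
2024-01-01T10:00:04 10.0.0.7 mb7xc3vnz2lqw.com NXDOMAIN
2024-01-01T10:00:05 10.0.0.7 vr2tz9pxq5mkd.com NOERROR
2024-01-01T10:00:07 10.0.0.9 cdn.github.com NOERROR
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random labels score higher than dictionary words."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def registered_label(qname: str) -> str:
    """Label left of the TLD. Simplified: a real tool consults the public suffix
    list so that 'bank.co.uk' yields 'bank' rather than 'co'."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_dga(qname: str, min_len: int = 10) -> bool:
    """Heuristic: a long label that is high-entropy or nearly vowel-free.
    Thresholds are illustrative; production detectors use trained classifiers."""
    label = registered_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return shannon_entropy(label) >= 3.5 or vowel_ratio < 0.2

def analyze_dns_log(text: str) -> dict:
    """Per client: NXDOMAIN count and the DGA-like names it queried."""
    report = defaultdict(lambda: {"nxdomain": 0, "dga_like": []})
    for line in text.splitlines():
        _, client, qname, rcode = line.split()
        entry = report[client]            # register every client, even quiet ones
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
        if looks_dga(qname):
            entry["dga_like"].append(qname)
    return dict(report)

def flag_clients(report: dict, min_dga: int = 3, min_nx: int = 4) -> list:
    """Hosts worth triaging: several DGA-like names or a burst of failed lookups."""
    return sorted(c for c, r in report.items()
                  if len(r["dga_like"]) >= min_dga or r["nxdomain"] >= min_nx)
```

Run against a real resolver or Wireshark DNS export, the NXDOMAIN-per-client count is usually the stronger signal, because a DGA host fails many lookups before one succeeds.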
7. Examples of banking Trojans
- Zeus (Zbot):
  - Active since 2007.
  - Used keylogging, form-grabbing and web injections.
  - Targeted bank credentials.
  - Its leaked source code became the basis for other Trojans.
- Emotet:
  - Active since 2014.
  - Initially a banking Trojan, it later became a platform for delivering ransomware (Ryuk, Conti).
  - It was distributed through phishing and self-propagation in networks.
- TrickBot:
  - Active since 2016.
  - Uses web injections and cookie theft.
  - Frequently delivers ransomware (Ryuk).
  - Attacks banks and corporate networks.
- Dridex:
  - Active since 2014.
  - Specializes in stealing banking data through form-grabbing.
  - Distributed through phishing emails with macros.
- Gozi:
  - Active since 2006.
  - Uses web injections and screenshots.
  - Often distributed through exploit kits.
8. Connection to carding and extortion
Banking Trojans are closely related to carding and extortion:
- Carding:
  - Trojans steal card data (numbers, CVV, names) for fraudulent transactions.
  - Example: Zeus intercepted data that was then sold on darknet markets.
- Extortion:
  - Trojans (Emotet, TrickBot) are used as downloaders for ransomware.
  - Stolen data can be used for blackmail (double extortion).
- Infrastructure:
  - Darknet markets for selling stolen data and tools.
  - Phishing platforms and exploit kits common to both types of attacks.
9. Analysis and protection
9.1. Trojan Analysis
- Static analysis: Code disassembly (IDA Pro, Ghidra) to study the structure.
- Dynamic analysis: Running the sample in a sandbox (Cuckoo Sandbox) to observe its behavior.
- Network analysis: Traffic monitoring (Wireshark) to detect C2 servers.
- Reverse engineering: Studying obfuscated code to discover algorithms.
9.2. Protection
- Antivirus and EDR: Using solutions with behavioral analysis (CrowdStrike, Malwarebytes).
- Software update: Patching vulnerabilities in browsers and operating systems.
- Multi-factor authentication (MFA): Protects against credential theft.
- User training: Recognizing phishing and suspicious attachments.
- Network segmentation: Limiting the spread of the Trojan.
- Transaction monitoring: Banks can identify suspicious transactions.
9.3. Recovery
- Removing the Trojan with antivirus software.
- Changing all passwords and enabling MFA.
- Monitoring bank accounts for unauthorized transactions.