Three Trojans dominated the financial threat landscape in 2016 and attackers increased their focus on corporate finance departments
With all the attention ransomware is getting lately, it is easy to overlook other threats, such as those that target the financial sector and its customers. However, these threats are a serious and costly problem for both businesses and consumers. While financial threats tend not to get as much news coverage as ransomware, perhaps because their impact is less visible to the victim, they are far more prevalent. With over 1.2 million annual detections, the financial threat space is 2.5 times bigger than that of ransomware. Take, for example, the financial Trojan Ramnit (W32.Ramnit), whose total number of detections for 2016 approximately equaled all ransomware detections combined.
Although we have seen a 36 percent decrease in global detection numbers for financial malware in 2016, this can be mainly attributed to earlier blocking in the attack chain and a switch to more focused attacks. But don’t be mistaken, financial threats are still profitable and therefore continue to be popular among cyber criminals. From financial Trojans that attack online banking, to attacks against ATMs, point of sale (POS) machines, and fraudulent interbank transactions, there are many different attack vectors utilized by criminals.
Three malware families ruled the financial threat space in 2016: Ramnit, Bebloh (Trojan.Bebloh), and Zeus (Trojan.Zbot), which together were responsible for 86 percent of all global detection counts. However, with disruptions caused by arrests, takedowns, and regrouping, there has been some fluctuation over the course of the year. The most notable spike was in the second half of 2016, when Trojan.Bebloh and Trojan.Snifula both began heavily focusing on 20 banks in Japan. Both threats were spread through spam emails with double-extension attachments masquerading as scanned documents (for example a file name ending in .pdf.exe, which relies on Windows hiding known file extensions by default); earlier variants used web exploit toolkits. It is unclear why the two threats started targeting banks in Japan at the same time; however, they seem to share a common resource for dynamic web injects, that is, HTML and JavaScript fetched from a server and inserted into the bank's pages in the victim's browser, allowing attackers to manipulate web traffic on the fly.
After the dismantling of the Avalanche malware-hosting network at the end of 2016, which Bebloh relied on, we saw a sharp drop in Bebloh activity. After the arrest of the alleged author behind Trojan.Snifula in January 2017, we saw a drop in detections of Snifula as well. Both of these events led to a decrease in detection numbers: Bebloh dropped by 66 percent from December 2016 to March 2017, and Snifula numbers dropped by 83 percent in the same time frame. Now these threats appear to have almost vanished (Figure 2).
Globally, financial institutions in the U.S. were targeted the most by the samples analyzed by Symantec, followed by Poland and Japan. However, we have seen more threats hiding the configuration file from researchers, making it more difficult to generate statistics. For example, a BlackMoon (Infostealer.Boyapki.E) variant only stores the SHA1 hash of each monitored URL: the Trojan hashes the URL the victim visits and compares it against the stored digests, so the plaintext target list never appears in the sample and can only be recovered by hashing candidate URLs and looking for matches. Another observed trend is the move to redirection attacks instead of local injects. Here the whole page is redirected to a remote site, with the traffic replacement and defrauding happening on a remote server rather than in the victim's browser. We even noticed an increase in old-school DNS redirection attacks, in which the victim's name resolution is tampered with so that the bank's domain resolves to an attacker-controlled server.
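The hashed-target technique described above, shown from both sides as an added example (this is not BlackMoon's code or the report's own analysis tooling): the attacker side stores only SHA1 digests, the Trojan side tests a visited URL by hashing it, and the researcher side recovers targets with a dictionary of candidate hosts. The hostnames, the candidate list, and the assumption that the lowercase hostname is what gets hashed are all constructed for illustration; a real sample may hash the full URL or some other form, which must be determined from the code first.

```python
import hashlib
from urllib.parse import urlsplit


def normalize_host(url_or_host: str) -> str:
    """Reduce a URL or bare hostname to a lowercase hostname.

    Assumption (illustrative, not taken from the sample): the Trojan hashes
    the lowercase hostname. If a real sample hashes the full URL, adjust this.
    """
    s = url_or_host.strip()
    if "://" not in s:
        s = "//" + s  # lets urlsplit treat a bare hostname as the netloc
    return (urlsplit(s).hostname or "").lower()


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_hashed_config(target_hosts):
    """Attacker side: the config carries only digests, never plaintext targets."""
    return frozenset(sha1_hex(normalize_host(h)) for h in target_hosts)


def is_monitored(url: str, hashed_config) -> bool:
    """Trojan side: decide whether a visited URL is a target without holding
    the plaintext list, so a researcher dumping the config sees only hashes."""
    return sha1_hex(normalize_host(url)) in hashed_config


def recover_targets(hashed_config, candidate_hosts):
    """Researcher side: dictionary attack against the digests.

    Returns (recovered, unresolved): recovered maps digest -> hostname for
    every candidate that matched; unresolved lists digests no candidate hit,
    which is exactly the information the hashing was meant to deny.
    """
    lookup = {sha1_hex(normalize_host(c)): normalize_host(c) for c in candidate_hosts}
    recovered = {h: lookup[h] for h in hashed_config if h in lookup}
    unresolved = sorted(h for h in hashed_config if h not in lookup)
    return recovered, unresolved


# Constructed data: illustrative hostnames under .test, not real bank URLs
# and not the contents of any real configuration file.
CONSTRUCTED_TARGETS = [
    "login.examplebank.test",
    "online.secondbank.test",
    "ib.thirdbank.test",
]
SAMPLE_CONFIG = build_hashed_config(CONSTRUCTED_TARGETS)

# Constructed candidate list, standing in for a researcher's wordlist of
# known bank login hosts. Note it deliberately misses one target.
CANDIDATE_HOSTS = [
    "login.examplebank.test",
    "https://online.secondbank.test/",
    "portal.otherbank.test",
]

if __name__ == "__main__":
    print("monitored:", is_monitored("https://Login.ExampleBank.test/auth?x=1", SAMPLE_CONFIG))
    recovered, unresolved = recover_targets(SAMPLE_CONFIG, CANDIDATE_HOSTS)
    for digest, host in sorted(recovered.items(), key=lambda kv: kv[1]):
        print(f"{digest}  {host}")
    print(f"{len(unresolved)} digest(s) not covered by the candidate list")
```

The point of the researcher-side function is the `unresolved` list: every digest the wordlist fails to cover is a monitored institution that stays unknown, which is why statistics on targeted banks become less reliable when families adopt this trick.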