Three things to know about banking trojans

The failures of three large banks earlier this year sent shockwaves through the public. A banking crisis makes (almost) everyone nervous, which in turn creates new opportunities for social engineering, phishing, and other attacks designed to get your money. One attack we haven’t covered yet is the banking Trojan, which is a very interesting and dangerous type of malware.

The number of banking Trojans in the wild is growing rapidly, and many of them are getting more sophisticated. Trojans are distributed to desktop systems and mobile devices through app stores, email attachments, compromised websites, and other methods that trick the user/victim into agreeing to the installation. For example, you may find an app in the Google Play Store that appears to be the mobile app for your bank. It has the proper logo and the name, and it looks legitimate. Unfortunately, this app is an Android mobile banking Trojan that is impersonating the real mobile app. It won’t be long before this application is found and removed from the Google Play Store, but you install it and grant all requested permissions before that happens. Now you have a malicious app on your smartphone, stealing all the sensitive data it can find.

What is a banking Trojan?

A Trojan (short for ‘Trojan horse’) is a type of malicious software that appears to be useful but carries out harmful attacks in the background. Trojans are designed for different functions, like stealing data or enabling remote control of a system. Many modern Trojans perform dozens of functions, so many of these different types will overlap, and the distinction isn’t as important as it once was. However, the banking Trojan is identified as such because it is created with the capabilities necessary to steal money from online accounts.

As mentioned earlier, the user/victim who installs the Trojan usually thinks it is something they want. This could be an antivirus application, a mobile game, a file manager, or even a macro-enabled attachment. It’s important to note that the victim willingly installs the application because in doing so, the victim grants whatever system permissions the app requests. The Trojan then exploits these system permissions to carry out attacks and evade detection.

Over the years, threat actors have adapted their malware to new system designs, stronger bank security features, and the many different applications that people use on their phones and desktops. Threat actors have continued to improve their attacks and add new capabilities so the Trojan can be more effective in stealing data and hiding its activities.

Tools of the trade

Banking Trojans will steal information that is stored in or transmitted through a system. This requires the Trojan to be capable of accessing many subcomponents in a system. The Zeus banking Trojan was the first of its kind when it was identified in the wild in 2007. It wasn’t the first infostealer malware, but it was the first Trojan to specifically target banking and other online financial data. It was also the first to ‘merge’ with a rival so the developer could move on to different things. The Zeus source code was also leaked on a hacking forum, which super-charged the development of Zeus variants.

Zeus and other banking Trojans usually have a combination of the following capabilities:

  • Establishing communications with the threat actor’s command-and-control (C&C) server in order to transmit stolen data and accept new instructions.
  • Capturing login credentials, taking screenshots, and logging keystrokes.
  • Stealing information from web browsers and Windows PStore.
  • Hijacking online banking sessions to create fraudulent transactions.

Developers keep adding new capabilities to Trojans so they can circumvent security, access more device types and subsystems, or add more capabilities like retrieving automatic updates from the C&C server. This ongoing development benefits more than just the operators of the updated malware. Source code is often copied by rival gangs, so they have ready-made malware to use while they focus their efforts on deployment and improvements/upgrades. Almost all modern Trojans are descendants of something that’s been around for many years.

The SOVA Android banking Trojan gives us a good example of how this works. Researchers have observed at least three versions of SOVA in less than two years, each with new capabilities that make the malware more effective. In October 2022, the SOVA developer added the capabilities to operate screen clicks, launch a ransomware attack, overlay a screen on other mobile apps, and communicate with a command-and-control server to get instructions. SOVA originally targeted institutions in the U.S., Russia, and Spain, but was quickly adding more countries to the list of targets. This robust development and growth caught the attention of the criminal underground and the security research communities.

A new banking Trojan called Nexus was found in the wild earlier this year, but the malware may have been active since the summer of 2022. Nexus includes parts of the SOVA source code and can perform takeover attacks against online financial accounts. These Account Takeover (ATO) attacks are made possible by these main capabilities:

  • Stealing two-factor authentication codes from SMS messages and Google Authenticator. Nexus can also activate/deactivate this capability and delete the SMS message that contains the code.
  • Harvesting certain types of information from crypto wallets, such as the balance of an account and the wallet seed phrase/master password.
  • Stealing cookies from targeted websites. Cookies include data like the login state, website preferences, personalized content, etc. The websites are related to the financial institutions that the Trojan is designed to attack.
  • Running keylogging and overlay attacks to steal user credentials. A keylogging attack will record your keystrokes as you type and send this data to the threat actor. The overlay attack will replicate an active window over a legitimate program window. When the user enters credentials into the login form, the fake window captures the input through the keyboard or the actions on the touch screen.
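On Android, the capabilities listed above depend on permissions the app has to request, so a defender can triage an app's manifest for them before it is allowed onto a device. The following is an added example, not part of the original article: the capability-to-permission mapping, the review threshold, and both sample manifests are assumptions constructed here, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: capability from the list above -> permissions it depends on.
CAPABILITIES = {
    "read SMS codes": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "draw overlays": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility service": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "network access": {"android.permission.INTERNET"},
}

def requested_permissions(manifest_xml):
    """Collect <uses-permission> names plus permissions guarding <service> entries."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # An accessibility service is declared on <service android:permission=...>.
    perms |= {e.get(ANDROID + "permission") for e in root.iter("service")}
    perms.discard(None)
    return perms

def triage(manifest_xml):
    perms = requested_permissions(manifest_xml)
    found = sorted(c for c, needed in CAPABILITIES.items() if perms & needed)
    sensitive = [c for c in found if c != "network access"]
    # Assumed threshold: network access plus two or more sensitive capabilities.
    return {"capabilities": found,
            "review": "network access" in found and len(sensitive) >= 2}

# Constructed sample manifests (not taken from any real app).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(xml))
```

Legitimate apps request these permissions too, so a `review` result is a prompt for a closer look, not a verdict.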

SOVA developer “Sovenok” has accused a botnet operator of stealing the SOVA source code and making it available to Nexus developers. Researchers have found strong evidence to support this claim, to the point that Nexus was once identified as a new version of SOVA. Researchers have also found parts of SOVA in other banking Trojans, suggesting that the source code was made available to more than just the Nexus developers.

Any attacker with enough money can use the Nexus Trojan because it has been made available as Malware-as-a-Service (MaaS). Unlike SOVA, Nexus cannot be used against targets in Russia and the remaining CIS countries. This is prevented by a ‘check country’ function added by the Nexus developers.

If SOVA code was stolen and used by Nexus, then this is the perfect example of how one piece of sophisticated malware can be stolen, repurposed, and made widely available to even the most inexperienced attackers.


There are several ways a device can be infected with a Trojan, and there are always more distribution methods in development. You shouldn’t consider this an exhaustive list, but it can give you an idea of how malware distribution can work.

Mobile Apps

Google Play is popular with attackers because of the huge number of users, apps, and downloads. Google has several layers of security to prevent infected apps from being uploaded, and to discover the apps if they make it into the store. However, by the time an infected app is discovered and removed, it may have been downloaded by hundreds of thousands of users. If the Trojan infects multiple apps, that specific malware could be installed on hundreds of millions of devices.

Google Play apps are often found on third-party app sites as well, and these sites might not have security procedures to discover and pull infected apps. As a result, an infected app made for Google Play could remain a threat even after it has been removed from the store.

In a similar vein, an app infected with dropper malware can download additional malware to a device. Because so many threat actors want their malware available via Google Play, there is a lucrative criminal market for Dropper-as-a-Service (DaaS) subscriptions. One example is DawDropper, which was found in seventeen Google Play apps in August 2022. The DawDropper operators do the heavy lifting to build the subscription infrastructure and get their dropper apps into Google Play, and DaaS subscribers upload their malware to the DawDropper cloud service.

Messaging and email

SMS and social media messages are also popular ways to spread Trojans and other malware. Threat actors create a message about something that needs immediate attention. Delayed/canceled deliveries and application updates are frequently used subjects for these messages. The message typically includes a malicious link that will infect the device. This was the primary method of infection for the FluBot and Medusa banking Trojans.

Documents containing a malicious macro can also be used to spread banking Trojans. These documents are distributed through spam and phishing attacks. The attack begins when the recipient opens the document and enables the macro or clicks on a malicious link. This is one of the most common ways to infect a system with malware and was the primary method used by Dridex operators.

Compromised websites and infected software

Malicious online advertising, or ‘malvertising,’ is a common way to infect mobile and desktop devices. Criminals either create an ad that includes malicious code, or they inject their malicious code into an existing legitimate ad. The advertising networks then display these ads without knowing the ads are infected. The attack on the user begins when the web browser hits the malicious ad. The code will display malicious pop-ups asking for approval to do something (upgrade Flash, show notifications, etc.), or it might just start installing malware on your system by exploiting any vulnerabilities it finds on your system. This type of attack usually involves an exploit kit that installs the banking Trojan or other malware.

Finally, you can be infected by downloading pirated software, visiting sketchy websites, or browsing a USB thumb drive you found in the parking lot. Avoid this type of thing.

Protect yourself

The best way to protect yourself from malware is to defend all attack surfaces. You can deploy one layer of protection with anti-malware software on the device, but company devices need multiple layers of defense. Barracuda Managed XDR detects threats quickly and reduces response and mitigation time. Barracuda SecureEdge delivers Secure Internet Access (SIA) to company devices, regardless of their location. Barracuda Email Protection defends against all 13 email threat types and includes forensic tools and post-delivery remediation.


This post originally appeared on Smarter MSP.