A Brief History of Notable Online Banking Trojans

online-banking-trojanOnline banking offers a convenient way to do bank transactions without having to physically go to banks. Online banking platforms have made it so easy that even traditional paper trail bankers have embraced this method of money-managing.

However, online banking is not without risks. As much as it offers ease and convenience, online banking platforms have given fraudsters and cybercriminals a lot of new avenues to steal from unknowing users. Additionally, cybercriminals have now taken things a step further with the use of banking malware, specifically, banking Trojans, that are reaching new, alarming levels of sophistication. Attackers continuously develop new variations that are constantly being introduced in the wild to thwart detection by security solutions on a user devices.

Over the last few years, cybercriminals have improved their tools and expanded their targets in terms of scale and reach. To carry out a banking theft operation, cybercriminals need specific malware or kits that can help them get to their target. Here's a list of some of the most notable banking Trojans attackers have used and are still using:


ZBOT (a.k.a. Zeus)

ZBOT, recognized as the most notorious banking Trojan, is a malware toolkit that allows a cybercriminal to build a Trojan, or disguised malware. The ZBOT malware family is used for data theft or to steal account details. It monitors users’ browsing habits using browser window titles or address bar URLs as triggers for its attack. Variants insert JavaScript code into a legitimate bank’s web pages and gathers information via HTTP POST to remote URLs. Cybercriminals may use the obtained information to steal money directly from the victim or sell the information in underground markets. Additionally, once a PC gets infected, it can be recruited to be part of a botnet.

In 2011, ZBOT’s source code was leaked on a file-sharing site and quickly spread across underground forums. ZBOT's ensuing boom became a huge modular example for other online banking Trojans that followed. In the years that passed after the advent of ZBOT, many cybercriminals used its code and built variants or other malware families with similar capabilities. ZBOT variants have been known to display behavior that might seem “out of character” for teaming up with file infectors, while some variants were designed to generate income through a per-pay-click model.

Some ZBOT variants have adjusted their behavior to evade detection, including the use of random headers and different file extensions as well as changes to their encryption. Additionally, it also improved the way it would connect to its C&C servers and was seen using Tor and peer-to-peer networks.



The GOZI banking Trojan is a spyware that monitors traffic. With its screen capture and keylogging function, it can obtain login credentials stored in browsers and mail applications. GOZI uses rootkit component to hide related processes, files, and registry information.

In September 2015, Latvian national Deniss Calovskis pleaded guilty in a US federal court for creating and distributing the online banking Trojan GOZI. Extradited from his home country to the US in back in February 2015, Calovskis faces more than 60 years in prison for his crimes, but pleading guilty may drastically shorten it to 10 years and a hefty fine.



CARBERP is an online banking Trojan that was first seen in 2009. It is designed to steal user credentials through hooking network APIs in WININET.DLL, monitoring user browsing behavior. CARBERP logs keystrokes, spoofs websites, and deliberately drops a copy of itself in locations that do not require administrator privileges. It is characterized as a plugin-dependent malware since it relies on downloaded/embedded modules to complete its routines.

In 2012, 8 individuals involved with CARBERP’s operations were arrested by Russia’s Ministry of Affairs. However, the following year, it made a comeback with improved costly versions and mobile app variants available in the wild. It downloads new plugins to complement its information stealing routines that help a possible attacker to remotely access an infected system used to monitor Internet banking systems.


SPYEYE is notorious for stealing user information related to banking and finance websites. Its variants may be downloaded unknowingly by users when visiting malicious sites, and may also arrive through spam.

SPYEYE has rootkit capabilities that allows it to hide processes and files from users. Like other Trojans, it uses its keylogging functions to steal information. It connects to various sites to send and receive details. In 2011, a cybercriminal in Russia used SPYEYE to steal more than US$3.2 million dollars from various organizations in the United States.

In 2014, U.S. Department of Justice announced that the creator of the SPYEYE, Aleksandr Andreevish Panin (aka Gribodemon or Harderman) pleaded guilty to charges related to the creation and distribution of SPYEYE.



SHYLOCK is a spyware that attempts to replace the contact numbers of certain banks with rogue numbers that are controlled by attackers—leading infected users to divulge banking and personal information to the attackers. Users can get infected by visiting malicious sites. SHYLOCK steals sensitive online banking information, such as user names and passwords. In 2014, the National Crime Agency announced the takedown of SHYLOCK command and control (C & C) servers.


CITADEL is a banking Trojan that was first seen in 2010. The CITADEL toolkit allows attackers to customize the Trojan according to their needs and C&C infrastructure. In 2013, CITADEL made a comeback and targeted Japan users, as well as webmail services such as Gmail, Yahoo!, Japan mail, and Hotmail. These variants are well-known for stealing online banking credentials of users, directly leading to theft.



The name TINBA was derived from the combination of the words “Tiny” and “Banker”. Users get infected via Blackhole exploit kit, and are aimed primarily at users in Turkey. Using web injects, it steals user login information from websites. TINBA has also been linked to other activities such as money mules, pornographic sites, shady Web hosting, and other information-stealing malware.



KINS, peddled in the underground as “professional-grade banking Trojan”, is essentially identical to ZBOT in terms of functionality. It downloads a configuration file that has a list of targeted banks, drop zone sites, and webinject files. KINS steals online banking information such as user credentials by injecting a specific code onto the users’ browsers when they visit certain URLs in real time. KINS then shows legitimate-looking popups that asks for banking credentials and other information like social security numbers.


First spotted in August 2013, VAWTRAK arrived as a ZIP file attachment in social engineering scams, particularly spam emails disguised as package delivery notifications. It stole information stored in FTP clients, including login credentials. In May 2014, VAWTRAK was seen targeting users in Japan. This resurgence was followed by attacks of banking and financial institutions in the U.S. and Canada in 2015. The new variants seen in that time both arrived onto the user’s system through spammed mails that use shipping information and airline ticket transaction emails as bait.



This spyware sniffs network packets to steal information. It arrives in users’ systems via spammed emails and is aimed at German online users. The malware arrives as an attachment to email messages by grayware or malicious users. It also arrives as a file dropped by other malware or as a file downloaded unknowingly by users when visiting a malicious websites. Once in the system, the malware downloads component files, including a configuration file that contains information from other targeted banks. In December 2014, EMOTET ceased activity, but reappeared quickly in January 2015.


DYRE caught the security industry’s attention due to its capability to bypass SSL, a popular security measure for online banking websites. Like other online banking Trojans, it arrives at the user’s system via spammed mails with malicious attachments, with the spammed email tailored to look like a legitimate bank notification, usually with a PDF file attached. Once the malware is installed in the system, it can monitor and take screen shots of browser activities, perform man-in-the-middle attacks via browser injections, steal personal security certificates, steal online banking credentials, and track the victim’s location through STUN (Session Traversal Utilities for NAT).


First spotted in November 2014, DRIDEX is an online banking malware that steals personal information and banking credentials through HTML injections. Designed to target customers of financial and banking institutions, DRIDEX variants arrive onto the users’ systems via spammed messages in emails, which come with malicious attachments—a Microsoft Word document that contains a malicious macro code.  Once executed, the malware monitors online banking-related activities with configuration files that contain a list of banks based in Europe, Australia, UK, and the US. It then performs information theft through form-grabbing, screenshots, and site injections. DRIDEX is an evolution of the CRIDEX malware, which is based on ZBOT.

Cybercriminals use various methods and techniques to steal information. From traditional social engineering tricks like phishing to sophisticated automation techniques, here are the most common techniques cybercriminals use:

  1. Phishing – phishing is a method used to obtain sensitive user information, usually by impersonating a legitimate bank. Typically done by email, the message may look like it comes from a bank, but in reality, the malicious attachment that comes with it will lead the user to a fake website designed to steal login credentials and passwords. In 2014, a campaign called “Smash and Grab” urged users to view a “secure” message from JP Morgan. Users who click on the malicious link are asked to enter credentials for accessing accounts with JP Morgan. Whether the user complies or not, the fake site attempts to automatically install DYRE banking Trojan on their PCs.
  2. Keylogger (via spam mails) – a malware family of spyware that has the capability to capture keystrokes and send captured data to remote servers. Keyloggers also gather the host name of the affected system. It drops shortcuts pointing to its copy to enable its automatic execution at each system startup. In addition, it can also download and execute malicious files.
  3. Bypass two-factor authentication – this is done in a fairly simple manner wherein the banking malware modifies the target banks’ sites by asking for the user’s phone number first before it asks for the authentication code. The user then receives a text message that contains a link to a rogue Symbian application. Once installed, the malware intercepts all text messages from senders, specifically banks, and forwards them to a separate number under the control of the attacker. With all credentials in the attacker’s possession, he can now use these to steal from the user or conduct other malicious activities.
  4. Automatic Transfer System – instead of merely passively stealing information, ATSs allow cybercriminals to instantly carry out financial transactions that could deplete the user’s bank accounts without their knowledge. Cybercriminals no longer need the user’s login credentials as ATSs allow the former to automatically transfer funds from the victim’s accounts to theirs without leaving a trace of their presence.
  5. DNS changer malware – the malware is used to tamper with the router and its DNS settings, redirecting users to malicious versions of legitimate banking or financial websites. By intercepting the web pages, cybercriminals could steal users’ account credentials, PIN numbers, passwords, etc.
  6. Man-in-the-browser (MitB) – MitB attacks infects the user’s device and injects new HTML code into web pages served by the web server and captures information directly from the browser memory. Some MitB injects additional fields to the login page to obtain additional information from the victims.

The Underground: What’s for sale?

Recent years have seen a lot of changes on how toolkits and exploits are used. The Blackhole Exploit Kit, for example, will not provide you the kit but will instead install it on a server and use ioncube to encode PHP files to secure its creation. Nowadays, it is quite rare to be able to buy a kit with a good infection rate, unless you want to use an older version. In Latin America, cybercriminals no longer use hijacked servers to host C&C servers, spam tools, and other malicious activities; instead they use their “own” datacenters around the world. Furthermore, to avoid Google’s indexing radar, they don’t register any hostname/domain for these servers and use only IP addresses instead.

In 2013, a Computer Science college student whose underground name was Filho de Hakcer (Portuguese for hacker’s son, but misspelled) now known as Lordfenix, started creating online banking Trojans. He has since then continued to develop and sell banking Trojans, racking up to more than 100 different banking Trojans that cost roughly US$320. Lordfenix remains the latest online banking malware creator in a string of young and solo cybercriminals today.

Last June 2014, the FBI announced that an international effort had seized the activities of peer-to-peer (P2P) variant of ZBOT known as “Gameover”, a variant that is well-known for its resilience to takedowns. Based on Trend Micro’s investigation, Gameover was not sold to individuals, but are instead privately operated. This means only one Gameover is running, compared to the multiple botnets that power ZBOT variants.

What can users do?

  • Know your bank’s policies. If you receive a suspicious online banking notification, verify with your bank before responding to any emails.
  • Get rid of emails that sport links and/or attachments. They are most probably malicious emails that could download an online banking Trojan on your system.
  • If you suspect malware activity, change your online banking passwords and other login credentials immediately, and inform your bank about any fraudulent transactions. Do the same for any account that you may have accessed using your infected system.
  • Install a security solution that covers email in its protective scope.
  • Stay away from social media posts or ads that pertain to banking or financial notifications. Cybercriminals take advantage of the ubiquitous nature of social media platforms and prey on unknowing users.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.