As banking Trojans outpace ransomware, financial-services attacks regain their currency

After disruption of Necurs botnet, Emotet banker comprises a third of all malicious payloads

Banking Trojans accounted for nearly 59 percent of malicious email payloads amongst the emails analysed in Proofpoint’s newly released Q1 Quarterly Threat Report. That marked the first time since mid-2016 that ransomware was not the most common payload – suggesting a shift in attack tactics as financial-services targets once again gain mindshare amongst cybercriminals.

Credential stealers and downloaders comprised most of the other payloads, making up 19 percent and 18 percent of malicious emails, respectively.

The Emotet banking Trojan – related to Dridex derivative Cridex – was the most commonly encountered payload, comprising 57 percent of all banking Trojans and 33 percent of all malicious payloads after appearing in “large, consistent campaigns”. Panda Banker comprised nearly 31 percent of the remaining banking Trojan campaigns.

The updated figures come amidst a spate of new targeted Trojans, with Proofpoint noting that the ‘DataBot’ banking Trojan is being sent to Australian targets masquerading as an E-Toll account statement from NSW Roads and Maritime Services. Email scanning provider MailGuard, for its part, also reported a new banking scam that is leveraging St George Bank branding to deceive its victims.

Security firm Carbon Black has similarly seen a surge in cyberattacks against financial-services industry (FSI) targets, with 90 percent of 40 surveyed FSI CISOs confirming they had been targeted by ransomware.

Furthermore, 23 percent of respondents to that firm’s latest survey said they had experienced a counter-incident response, and 44 percent of respondents said they were concerned about the security posture of their technology service providers.

Those security postures are potentially leaving FSI firms more exposed than they would like, particularly with around 90 percent of attacks leveraging otherwise-legitimate tools like Microsoft’s Windows PowerShell and 60 percent piggybacking on Microsoft’s WMI management tool. Many of these attacks ended up allowing cybercriminals to gain access to target networks through lateral movement that may last for months or longer.

The Proofpoint analysis linked the surge in banking malware to an interruption in ransomware distribution caused by a recent disruption of the long-running Necurs spam botnet, which has shown remarkable resiliency and recently reappeared with new tricks for avoiding spam filters.

The slowdown in ransomware volumes had been offset by a broadening in the variety of other threats, including remote access Trojans (RATs), keyloggers, and other types of malware.

Financial-services CISOs need to be aware of this variety, Verizon warned upon the recent release of its latest Data Breach Investigations Report (DBIR) – which found that banking Trojans occurred so frequently that Verizon excluded nearly 40,000 reports of them from its analysis to bring focus to other forms of malware.

Denial-of-service, crimeware, payment-card skimmers, and miscellaneous attacks represented 82 percent of all security incidents, Verizon concluded, warning CISOs that “while you are strengthening authentication into your applications, ensure that you have controls and response plans in place for availability attacks as well.”

Some 92 percent of attacks on banking targets were launched by external actors, and fully 13 percent of compromised data was internal bank information. This compared with 34 percent for payment-card data and 36 percent for personal banking information.