Stats & Trends
David Bisson
Oct 2018

The Top 10 Banking Trojans in 2018: What You Need to Know


Photo by Neil Girling

Move aside, ransomware. Banking trojans are now the most prevalent malware payload in email attacks. Here are details on the 10 most active families causing the majority of damage.

For years, crypto-ransomware was the payload of choice for financially motivated attackers. It became the top malware threat in the third quarter of 2016 and held onto the prominence for a year and a half. But then things changed. After ransomware dominated the headlines in 2017, many companies implemented anti-ransomware measures on their systems. As discovered by Comodo Cybersecurity in its First Quarter 2018 Threat Report, this concerted effort paved the way for crypto-mining malware to overtake ransomware as the top threat.

That’s not all that happened in Q1 2018. Proofpoint also observed a surge in banking trojans, which accounted for 59 percent of all malicious email payloads.

Ransomware rebounded slightly in the second quarter of 2018. This growth caused a commensurate drop in financial malware activity. Nevertheless, banking trojans maintained their dominance at 42 percent of the email malware payloads detected by Proofpoint in Q2.

Given the increase in banking trojan activity, it’s important to examine some of the leading financial malware families that are causing the most damage. We’ll get to that in a moment. But first, here’s a quick primer on how banking trojans work.

What are banking trojans?

Malware designed to gain access to financial accounts primarily via stealing login credentials and hijacking online banking sessions. 

Recently, the lines between banking trojans and other malware have began to blur, however. For example, many banking trojans are now leveraging their foothold on compromised machines to distribute other payloads, including other banking trojans, as well. Therefore, a single infection can often involve multiple strains of malware, and it can be difficult to tell exactly what's responsible for what. This has corresponded with a larger trend that has seen malware become increasingly modular and specialized, overall. 

How do banking trojans work?

Attackers typically infect a victim with financial malware by tricking them into opening a malicious email attachment or visiting a website that’s been compromised with an exploit kit. From there, the trojan configures itself on the infected device, harvests information, and waits until the victim visits a banking website. At this juncture, the banking trojan uses one of two methods to steal victims’ credentials.

  1. It uses a keylogger to capture victims’ usernames and passwords and/or employs webinjects to add extra fields to forms on banking websites, change messaging on those forms, or create convincing pop-up forms in real-time. These methods of attack enable the banking trojan to steal even more sensitive information including a victim’s PIN.

  2. It redirects the victim to a fake website that appears similar if not identical to the legitimate domain. When the victim falls for the ruse and enters their credentials, the trojan captures those details and submits them into the legitimate site. This process might trigger an SMS-based authentication code. Assuming the user proceeds with authentication, the trojan can capture this code as well through the fake website.

The banking trojan completes its data theft by redirecting the victim to the legitimate site’s sign-in page. By now, the malware has stolen all the information it needs for the attacker to authenticate themselves on the victim’s bank account. Digital attackers can then leverage that access to do whatever they want with their victim’s hard-earned savings.

The top 10 banking trojans in 2018


Source: Proofpoint Q2 2018 Threat Report


1) Panda Banker (Zeus)

In February 2016, Fox IT InTELL discovered an offshoot of the Zeus banking trojan. Proofpoint soon observed the same malware in three targeted attacks using email attachments as well as campaigns involving at least three exploit kits. Publishing their findings, Proofpoint researchers named the malware “Panda Banker.”

Since its discovery, Panda Banker has primarily targeted financial organizations in the United States, Canada, Australia, Italy, and Germany. This changed in February 2018 when the malware started going after Japanese organizations. According to F5, its list of acceptable targets also expanded to include other types of entities including social media giants, technology providers, and cryptocurrency exchanges.

How Panda Banker is distributed: Panda Banker is often distributed via malspam delivered by botnets. It was also recently seen being spread by Emotet and Hancitor malspam campaigns.

Trajectory for 2018: On the rise.

2) Emotet


Emotet activity April 2018 - September 2018. Source: Malwarebytes

Emotet has been around since at least 2014 when a threat actor called Mealybug began using it to spread other banking trojans. Today, Mealybug still uses this advanced, modular malware and distributes it via fake documents such as invoices, PayPal receipts, or shipping notifications to download other threats on infected machines. US-CERT went so far as to call Emotet “among the most costly and destructive malware,” with a single infection costing organizations $1 million on average to remediate.

How Emotet is distributed: Emotet relies on spam campaigns for distribution. It also hijacks victim email accounts to send spam to their contacts, so it looks like it’s coming from contacts whom recipients know and trust.

Trajectory for 2018: On the rise and switching to distribution for other banking trojans.

3) URLZone (Bebloh)

For nearly a decade, security researchers have needed to contend with URLZone, and this malware is still alive and kicking. Cylance researchers spotted new attack campaigns leveraging the threat between February and April 2018. In those incidents, URLZone’s operators used phishing campaigns to trick recipients into clicking attachments that download the malicious payload. They then relied on additional features of the malware including process hollowing in order to evade detection and download additional threats.

How URLZone is distributed: URLZone primarily relies on malspam campaigns for distribution. In a recent case, researchers spotted the Cutwail botnet spreading this threat.

Trajectory: On the rise.

4) Ursnif (Gozi)


Small businesses targeted by localized Ursnif campaigns in August 2018. Source: Microsoft

As we noted in last year’s roundup, Ursnif aka “Gozi” has been around since at least 2007. It’s weathered numerous events that would have disrupted any other malware family in that span of time, and may have actually grown stronger because of them.

In the first quarter of 2018, Ursnif became the most prevalent financial malware detected by IBM X-Force, accounting for 28 percent of the pie. The malware didn’t get to that position by targeting just large companies, either. According to Microsoft, its handlers have used highly localized campaigns to prey upon small businesses, too. In addition, the criminals behind Ursnif have adapted their operations to offer distribution for other banking trojans, as well.  

How Ursnif is distributed: At this time, Ursnif relies on targeted malspam email campaigns that come with macro-laced document attachments. The Grandsoft exploit kit is also a documented delivery vector for this threat.

Trajectory: In slight decline.

5) TrickBot


Typical TrickBot attack pattern. Source: Barkly

This banking trojan has only been around since 2016, but it’s evolved considerably in such a short period of time. In the spring of 2018, Webroot found TrickBot variants equipped with a module that could allow them to lock victim machines similar to ransomware. In the months that followed, attackers also outfitted the malware with a new process-hollowing technique and changed its propagation method from the client to DC. They even teamed up with the developers of IcedID, another banking trojan on this list, in certain attack campaigns.

How TrickBot is distributed: Like most of the other threats included in this list, TrickBot reaches its victims via malspam campaigns. It also depends on Emotet for distribution.

Trajectory: On the rise.

6) IcedID

Discovered by IBM X-Force in November 2017, IcedID is still relatively new. But it’s earned a reputation in that span of time for working with other banking trojans to compromise victims. For example, Cisco Talos tracked attack campaigns in which malicious Microsoft Word documents downloaded the trojan Ursnif, which in turn downloaded IcedID. And let’s not forget the collaboration with TrickBot mentioned above.

How IcedID is distributed: Just like TrickBot, IceID uses malspam campaigns and other trojans such as Emotet and Ursnif for distribution.

Trajectory: On the rise.

7) GootKit


Fake invoice notice sent from City Sign & Graphics, LTD via a compromised MailChimp account.
Source: My Online Security 

Researchers first detected GootKit back in 2014. Since then, this threat has joined the ranks of other well-known banking trojan families including Dridex and TrickBot by switching to redirection attacks. Its most recent variants have also received numerous evasion and anti-analysis techniques, along with a new persistence method that involves Pending GPO commands.

How GootKit is distributed: GootKit has reached victims with the help of malspam campaigns, including some using docs created with the Rubella Macro Builder. It was also spread via hijacked MailChimp accounts earlier in 2018.

Trajectory: In slight decline.

8) Dridex

After a hiatus, the Necurs botnet returned with a new malspam campaign at the beginning of 2018. This operation used compromised FTP servers hosting malicious files to spread Dridex. It wasn’t long afterwards that ESET attributed BitPaymer ransomware to Dridex’s creators, which indicates that, while still active, the group appears to be interested in diversifying its efforts.

How Dridex is distributed: Consistent with years past, Dridex spreads by malspam campaigns conducted through the Necurs botnet.

Trajectory: In decline.

9) Corebot

Dridex isn’t the only threat in the field that’s taken some time off. Following a two-year break, CoreBot returned in malspam campaigns designed to steal information from customers of Canadian banking websites. This modular threat has been preying on users and their financial data since at least 2015 when it was discovered by IBM X-Force.

How Corebot is distributed: Malspam campaigns are at the heart of Corebot’s distribution. No surprises here!

Trajectory: No change.

10) TinyNuke (NukeBot)


Fake website being used to distribute NukeBot via a trojanized PDF reader. Source: BitSight

NukeBot garnered attention in March 2017 when someone claiming to be the malware author leaked the complete bot source code including a working bot, builder, and botnet control panel. Some time thereafter, researchers at Bitsight traced NukeBot to an unknown DGA and identified that attackers were using it to target banking customers in the United Kingdom and Canada.

How TinyNuke is distributed: Unlike the other banking trojans included in this list, TinyNuke reaches its victims through fake product websites or blogs promoted on social media and in ads.

Trajectory: On the rise.

Blocking banking trojans at runtime


Barkly blocks a malicious Word doc attempting to download Emotet. Source: Barkly

Banking trojans are known to evade sandboxes and bypass antivirus. Given this stealthy behavior, the best chance companies have of protecting themselves against the threats listed above is by utilizing security technology designed to block not just malicious files, but malicious activity in real time.

For example, Barkly utilizes two strong, complementary approaches that provide defense-in-depth against banking trojans:

  1. Machine learning-powered detection engines that get trained on the very latest malware samples on a nightly basis. 
  2. Behavior-based protection designed to block the fundamental tactics that today's attacks rely on (such as attempting to utilize malicious Office documents as downloaders). 

As a result, not only does Barkly block banking trojan executables, it prevents them from even touching machines to begin with. 

To illustrate the point, here's how Barkly blocks TrickBot attacks:

TrickBot-diagram-Barkly-1In addition to utilizing smarter endpoint protection, organizations can also greatly reduce their risk by adhering to the following best practices:


Learn how Barkly can help you replace your antivirus with stronger, smarter protection. 

Want to see Barkly in action for yourself? See a demo.  

David Bisson

David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Barkly, Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, and others.


Don't be the last to know about new attacks

Join a group of 10,000 IT and security pros who get clear, actionable takes on malware and infosec news.



Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.