Stats & Trends
Jonathan Crowe
Apr 2017

Top 10 Banking Trojans for 2017: What You Need to Know


Photo by Negative Space

Ransomware may grab the headlines, but banking trojans are still silently siphoning off millions. Get the facts on the 10 financial malware families causing the most damage.

The majority of cyber crime has always been financially movitated, and for more than a decade, banking trojans have been some of the primary drivers of botnet traffic and malicious activity. The rise of ransomware over the past two years, coupled with several high-profile arrests and takedowns, has resulted in a drop in banking trojan dominance, but according to the latest reports we may be seeing a resurgence.

One third of phishing campaigns delivered banking trojans in Q1 2017.

Source: Proofpoint

Email security provider Proofpoint spotted banking trojans in 33 percent of the malicious email attachment campaigns they tracked in Q1. For context, ransomware was found in 22 percent of the campaigns they tracked.

In late March, banking trojan heavyweight Dridex suddenly sprang back to life, and in April it was spotted actively exploiting a zero-day vulnerability affecting Microsoft Word.

With banking trojan activity suddenly surging and infections continuing to spread across the globe, let's take a closer look at the 10 most active families as identified by IBM's X-Force team.

But before we dive in...

A Quick Primer on How Banking Trojans Typically Work

  • 1) Victims are infected either by a malicious email attachment or by visiting a compromised website that's been infected with an exploit kit.
  • 2) After setting up shop on the victim's device, the trojan identifies when they are visiting a banking website.
  • 3a) The trojan can use keylogging to capture the victim's basic credentials, but in order to get more sensitive information (ex: the victim's PIN), it can also use webinjects specifically designed for that particular banking site in order to add extra fields to forms, change site wording and messaging, or trigger convincing-looking pop-up forms in real-time.
  • 3b) The trojan redirects the victim to a fake website designed to mimic the legitimate one. As the victim enters in their credentials the trojan automatically enters them into the legitimate site, potentially triggering a SMS or other two-factor authentication code that the trojan can then capture via the fake website, too.
  • 4) With all the sign-in info they need to access the account, the criminals behind the banking trojan drink their victim's milkshake.

The Top 10 Banking Trojans for 2017


The Top 10 Banking Trojans for 2017 / The Shifting Panorama of Global Financial Cybercrime, IBM X-Force

1) Zeus (aka Zbot) and its variants

First detected in 2007, Zeus is still one of the most successful and prolific banking trojans in the world. Packaged as a full-service crimeware kit, Zeus initially gained widespread adoption and notoriety by providing criminals everything they need to steal banking credentials and other financial data — for the right price.

Experts estimate criminals have used Zeus and its variants to pilfer hundreds of millions of dollars from bank accounts, primarily by capturing victim credentials via keylogging and injecting additional HTML into legitimate banking sites.

In 2011, the source code for Zeus was leaked, shortly after the creator of the trojan purportedly announced his retirement. While authorities were able to crack down on much of the original operation, the source code has since enabled criminals to spawn a host of Zeus offshoots — from Citadel to the more recent Atmos. and Floki Bot.

How Zeus is spread: Primarily through drive-by-downloads and phishing campaigns.

Trajectory for 2017: Holding steady. Until we see a sustained onslaught of activity from another one of the trojans on (or off) this list, the sheer number of new and active Zeus derivatives out there make it very likely the "King of the Banking Trojans" will retain the top spot.

2) Neverquest (aka Vawtrak aka Snifula)

Neverquest first appeared in late 2013, gaining traction with distribution via the Neutrino exploit kit. Like the other successful trojans on this list, Neverquest has received multiple overhauls and updates over the years, with criminals adding features and functionality that adapted it to scale up attacks, evade detection, and go after an increasingly wide variety of targets.

Initially designed to steal information once infected victims visited a limited number of pre-designated banking sites, Neverquest quickly used victim browsing to inform and expand that list, adding more advanced webinjects configured to harvest victim information in real time from a variety of financial, social networking, online retailer, and game portal sites.

It's believed criminals used Neverquest to bank $1.6 million in fraudlent transactions on the online ticket site StubHub, alone.


Distribution of Neverquest attacks from June 2015 - June 2016. / Kaspersky

Neverquest's run appears to be at least temporarily halted, however, following the January 2017 arrest of the suspected creator in Spain. The last campaign email security provider Proofpoint observed was less than a week later. There are plenty of examples of trojans reemerging after hiatus or even similar arrests, but for the immediate time being, it's likely Neverquest will be supplanted by other trojans on this list.

How Neverquest is spread: Neverquest has a history of being delivered via the Neutrino exploit kit as well as via phishing campaigns with infected Microsoft Office documents as attachments.

Trajectory for 2017: Activity halted (for now). The last Neverquest campaign spotted by Proofpoint was January 19.

3) Gozi (aka Ursnif)

If you're looking for an example of a trojan outlasting crackdowns from both law enforcement and the competition, look no further than Gozi, one of the oldest banking trojans still active. Since its discovery in 2007, it's weathered the high-profile arrests of its creators, not to mention its source code being leaked not once, but twice.

Don't be fooled by its age, however. Gozi is still very much active, with operators recently updating it with advanced features designed to evade sandboxes and even bypass behvioral biometrics defenses by logging and mimicking the speed and cadence at which users type, move their cursors, and submit their information into form fields.

How Gozi is spread: The most recent Gozi campaigns have been distributed via personalized spear phishing emails and malicious links that bring victims to compromised WordPress sites.

Trajectory for 2017: Holding steady. With access to a large botnet serving as an active global distribution network, Gozi doesn't appear to be going anywhere anytime soon. Researchers at PhishMe saw the launch of a wide-spread Gozi campaign on April 5.

4) Dridex (aka Bugat aka Cridex)

Dridex first swept onto the scene in late 2014, riding massive waves of spam emails delivered primarily via the Necurs botnet, one of the largest networks of compromised computers in the world. By 2015, experts estimated the volume of spam carrying Dridex had reached millions of emails every day, and that the malware had caused $40 million in losses worldwide.

Despite law enforcement efforts in September 2015 that resulted in police seizing multiple Dridex servers and the arrest of the trojan's suspected developer, a new, updated version of Dridex was spotted in the wild the following January (are you picking up on a recurring theme?).

Rather than injecting additional HTML into legitimate sites to create additional pop-ups and form fields, Dridex instead leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.

Throughout 2016 Dridex attacks peaked and plummeted largely based on Necurs traffic. The botnet has experienced several notable outages, and for much of the year Necurs was primarily used to distribute Locky ransomware, instead.

Early signs in 2017 indicate the operators behind Dridex could be gearing up for a resurgence, adding new state-of-the-art techniques such as AtomBombing to its repertoire and even taking advantage of the recently disclosed Microsoft Word zero-day vulnerability to infect new victims.

How Dridex is spread: The most recent Gozi campaigns have been distributed via personalized spear phishing emails and malicious links that bring victims to compromised WordPress sites.

Trajectory for 2017: Back on the rise. Following a nine-month lull (during which the Necurs botnet was primarily used to distribute Locky), researchers spotted a sudden spike in Dridex campaigns starting on March 30.


Are we about to experience a return to previous Dridex levels? / Proofpoint

While the spike is far from the height of previous Dridex activity levels in late 2015 and early 2016, the new campaigns suggest considerable renewed effort and investment that could move Dridex up this list.

5) Ramnit

Ramnit is another banking trojan that owes its existence to the Zeus source code leak in 2011. It originally appeared in 2010, but simply as a basic worm until its developers decided to put the webinjects and additional data-stealing capabilities found in the Zeus source code to their own use.

Over the next few years, Ramnit became increasingly active, eventually amassing an infrastructure that included a botnet of 3.2 million compromised Windows computers. The operation's growth did not go unnoticed, however, and in February 2015 Europol's European Cybercrime Centre shut down the command and control servers used by Ramnit's botnet.

Authorities never managed to track down Ramnit's creators, however, and in late 2015 the trojan began to reappear. By August 2016, security researchers were ready to call it a complete comeback. With Ramnit activity continuing to rise and spike at various points well into 2017, signs indicate the trojan is back on an upswing.

How Ramnit is spread: Ramnit has traditionally employed popular exploit kits to infect victims via drive-by-downloads and malvertising.

Trajectory for 2017: Back on the rise. According to security researcher MalwareTech, Ramnit activity has seen a steady increase in 2017.


Following a brief lull during the holidays, Ramnit activity is increasing. / MalwareTech

6) GozNym

The newest trojan on this list, GozNym is actually a hybrid of Gozi and the Nymaim downloader. It made a big splash in early April 2016 when criminals used the malware to steal $4 million from more than 24 American and Canadian banks in just a few days.

Nymaim's stealth and persistence plus Gozi's data-stealing capabilities were a powerful combination, and the resulting "two-headed beast" quickly gained traction, spreading to countries such as the US, Canada, the UK, Japan, Spain, Poland, Brazil, and Germany in just a few months.

GozNym's run was short-lived, however (at least for now). In September 2016, Cisco's Talos Team was able to reverse engineer the group's domain generation algorithm (DGA) and take down the botnets used to distribute the trojan.

Three months later, US authorities indicted Bulgarian Krasimir Nikolov in connection with the distribution of GozNym. He currently faces up to 100 years in prison.

How GozNym is spread: GozNym was most commonly distributed via phishing emails with Word documents infected with malicious macros.

Trajectory for 2017: Activity halted (for now). With its distribution sinkholed and its creator potentially spending the next century in prison, it's fair to say GozNym will likely fall out of the Top 10.

7) Tinba (aka Tiny Banker Trojan)

At just 20KB, Tinba lives up to its "tiny banker" name. It was first discovered in 2012, when it infected more than 60,000 computers in Turkey. In 2014, the source code for Tinba was leaked on an underground forum, opening up opportunities for other criminals to create their own versions. Since then, campaigns using Tinba variations have been launched in countries around the world.


Fake form injected by the Tinba banking trojan. / Avast

In some attacks, Tinba will extract company logos and formating styles from legitimate banking websites that victims are visiting to create convincing pop-up forms asking for additional credentials and sensitive information.

How Tinba is spread: Tinba has primarily been distributed via exploit kits.

Trajectory for 2017: Activity dropping. According to Kaspersky, while roughly one in five banking trojan attacks involved the use of Tinba in 2015, use of the trojan has shrunk dramatically to only 3.5 percent of attacks in 2016.

8) Gootkit

Unlike many of the banking trojans on this list, Gootkit hasn't been licensed out, nor has it had its source code leaked, allowing the criminals behind it to maintain tighter control over its continuous development and updates (even if it comes at the expense of greater distribution).

Discovered in 2014, Gootkit originally targeted a range of French financial institutions only. It has gradually expanded its operations to target UK and, most recently, Canadian banks.

In addition to extending its reach, the one thing Gootkit developers have been focused on most is integrating additional evasive features. Researchers have spotted Gootkit samples running checks for VM environments as well as adopting fileless infection techniques to help them avoid detection.

How Gootkit is spread: Recently, Gootkit has been distributed via phishing campaigns with Microsoft Office attachments infected with malicious macros.

Trajectory for 2017: On the rise. The criminals behind Gootkit continue to expand the trojan's geographic reach, with new campaigns hitting Canada in December 2016.

9) Qadars

Like the criminals behind Gootkit, the developers of Qadars have chosen to roll their trojan out slowly, targeting one or several geographic regions at a time and focusing a great deal of attention on integrating advanced evasion techniques.

Qadars has been steadily active since 2013, releasing regular updates and making improvements in its code. In addition to the standard banking trojan practice of deploying webinjects to steal victim data, it can also come packaged with SMS hijacking apps that allow it to bypass two factor authentication.

Qadars also utilizes several tricks to gain admin privileges. First, it will load code in memory in an attempt to exploit a known vulnerability (CVE-2015-1701). If that doesn't work, it will attempt to fool the victim with a fake Windows security update that triggers a user account control (UAC) prompt to complete the privilege escalation.


Fake Windows security update used by Qadars. / PhishLabs

While Qadars activity in 2016 was low compared to the other trojans on this list, researchers expect it to remain a growing threat in 2017.

How Qadars is spread: Victims are infected with Qadars primarily via exploit kits encountered via malvertising and compromised websites. Ex: In February 2017, thousands of compromised websites were discovered pointing to fake Flash Player update sites that tricked victims into downloading Qadars.

Trajectory for 2017: On the rise. The comparatively slow and steady rate of growth for both Qadars and Gootkit (combined with the takedowns of Neverquest and GozNym) should result in them both climbing up the list.

10) Rovnix

Rovnix started out as the bootkit component of the banking trojan Carberp before undergoing a revamp that involved adding functionality and stealing a page from the Dridex playbook, using macros embedded in Word docs to infect unsuspecting victims.

Those updates helped fuel a Rovnix campaign in late 2014 that infected more than 130,000 computers in the UK.

More recently, Rovnix has been spotted primarily targeting banks in Japan in what IBM researchers described as "nothing short of an onslaught." Experts theorize the criminals behind Rovnix set their sights on Japan because up till 2015 the country had seen relatively little banking trojan activity. It's yet to be seen whether the attackers will move on to another region once Japanese security tightens and/or competition heats up.

Trajectory for 2017: Holding steady. While the Rovnix assault caught Japanese banks by surprise, many now recognize the threat and are taking steps to protect themselves against it. Researchers expect Rovnix attacks will continue to be concentrated in Japan for the time being, but don't rule out another shift in geographic focus should an opportunity present itself.

Blocking Banking Trojans During Runtime

Banking trojans are built for stealth. Many have been adapted to sneak by a variety of defenses, including evading sandboxes and of course bypassing antivirus.

The best opportunity for companies to protect themselves from these attacks is to block them at runtime. Barkly prevents banking trojan infections from taking hold and doing any damage by recognizing and blocking malicious activity anytime a payload attempts to execute.

To see how Barkly customers are protected, watch how it stops a Gozi aka Ursnif attack in action:

Find out more about how Barkly provides smarter, stronger endpoint protection

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


2017 Malware Trends in Review

Learn how attacks are evolving and what to expect next.

Get my report


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends stright to your inbox.