{ "authors": [ "Unknown", "raw-data" ], "category": "tool", "description": "A list of banker malware.", "name": "Banker", "source": "Open Sources", "type": "banker", "uuid": "59f20cce-5420-4084-afd5-0884c0a83832", "values": [ { "description": "Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.", "meta": { "date": "Initally discovered between 2006 and 2007. New bankers with Zeus roots still active today.", "refs": [ "https://usa.kaspersky.com/resource-center/threats/zeus-virus" ], "synonyms": [ "Zbot" ] }, "related": [ { "dest-uuid": "0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "f0ec2df5-2e38-4df3-970d-525352006f2e", "value": "Zeus" }, { "description": "Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.", "meta": { "date": "Discovered early 2013", "refs": [ "https://www.kaspersky.com/blog/neverquest-trojan-built-to-steal-from-hundreds-of-banks/3247/", "https://www.fidelissecurity.com/threatgeek/2016/05/vawtrak-trojan-bank-it-evolving", "https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows", "https://www.botconf.eu/wp-content/uploads/2016/11/2016-Vawtrak-technical-report.pdf" ], "synonyms": [ "Neverquest" ] }, "related": [ { "dest-uuid": "e95dd1ba-7485-4c02-bf2e-14beedbcf053", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b662c253-5c87-4ae6-a30e-541db0845f67", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "f3813bbd-682c-400d-8165-778be6d3f91f", "value": "Vawtrak" }, { "description": " Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.", "meta": { "date": "Discovery in 2014, still active", "refs": [ "https://blog.malwarebytes.com/detections/trojan-dridex/", "https://feodotracker.abuse.ch/" ], "synonyms": [ "Feodo Version D", "Cridex" ] }, "related": [ { "dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e", "value": "Dridex" }, { "description": "Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010", "meta": { "date": "First seen ~ 2007", "refs": [ "https://www.secureworks.com/research/gozi", "https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", "https://lokalhost.pl/gozi_tree.txt" ], "synonyms": [ "Ursnif", "CRM", "Snifula", "Papras" ] }, "related": [ { "dest-uuid": "75b01a1e-3269-4f4c-bdba-37af4e9c3f54", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "b9448d2a-a23c-4bf2-92a1-d860716ba2f3", "value": "Gozi" }, { "description": "Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.", "meta": { "date": "Fall Oct. 2012 - Spring 2013", "refs": [ "https://krebsonsecurity.com/tag/gozi-prinimalka/", "https://securityintelligence.com/project-blitzkrieg-how-to-block-the-planned-prinimalka-gozi-trojan-attack/", "https://lokalhost.pl/gozi_tree.txt" ], "synonyms": [ "Prinimalka" ] }, "uuid": "71ad2c86-b9da-4351-acf9-7005f64062c7", "value": "Goziv2" }, { "description": "Banking trojan based on Gozi source. Features include web injects for the victims’ browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.", "meta": { "date": "Beginning 2010", "refs": [ "https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature", "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/", "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak", "https://lokalhost.pl/gozi_tree.txt" ] }, "related": [ { "dest-uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369", "value": "Gozi ISFB" }, { "description": "Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.", "meta": { "date": "Since 2014", "refs": [ "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/", "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality", "https://lokalhost.pl/gozi_tree.txt" ] }, "uuid": "549d1f8c-f76d-4d66-a1a2-2cd048d739ea", "value": "Dreambot" }, { "description": "Gozi ISFB variant ", "meta": { "date": "Seen Autumn 2014", "refs": [ "https://lokalhost.pl/gozi_tree.txt", "http://archive.is/I7hi8#selection-217.0-217.6" ] }, "related": [ { "dest-uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924", "value": "IAP" }, { "description": "GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers.", "meta": { "date": "Spring 2016", "refs": [ "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/", "https://lokalhost.pl/gozi_tree.txt" ] }, "uuid": "bcefac9a-a928-490f-9cb6-a8863f40c949", "value": "GozNym" }, { "description": "Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails. ", "meta": { "date": "First seen in Fall 2016 and still active today.", "refs": [ "https://blog.threatstop.com/zloader/terdot-that-man-in-the-middle", "https://www.scmagazine.com/terdot-zloaderzbot-combo-abuses-certificate-app-to-pull-off-mitm-browser-attacks/article/634443/" ], "synonyms": [ "Zeus Terdot" ] }, "related": [ { "dest-uuid": "13236f94-802b-4abc-aaa9-cb80cf4df9ed", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "2eb658ed-aff4-4253-a21f-9059b133ce17", "value": "Zloader Zeus" }, { "description": "Zeus variant that utilizes steganography in image files to retrieve configuration file. ", "meta": { "date": "First seen ~Feb 2014", "refs": [ "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/" ], "synonyms": [ "VM Zeus" ] }, "related": [ { "dest-uuid": "c32740a4-db2c-4d71-80bd-7377185f4a6f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "09d1cad8-6b06-48d7-a968-5b17bbe9ca65", "value": "Zeus VM" }, { "description": "Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.", "meta": { "date": "First seen ~Aug 2015", "refs": [ "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/" ] }, "related": [ { "dest-uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "8914802c-3aca-4a0d-874a-85ac7a1bc505", "value": "Zeus Sphinx" }, { "description": "Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.", "meta": { "date": "First seen ~ Spring 2016", "refs": [ "https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market", "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf", "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers" ], "synonyms": [ "Zeus Panda" ] }, "uuid": "f1971442-6477-4aa2-aafa-7529b8252455", "value": "Panda Banker" }, { "description": "Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of it's config in the registry. ", "meta": { "date": "First seen 2014", "refs": [ "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/", "https://github.com/nyx0/KINS" ], "synonyms": [ "Kasper Internet Non-Security", "Maple" ] }, "related": [ { "dest-uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "bc0be3a4-89d8-4c4c-b2aa-2dddbed1f71d", "value": "Zeus KINS" }, { "description": "Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.", "meta": { "date": "First seen fall of 2014", "refs": [ "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/" ], "synonyms": [ "Chtonic" ] }, "related": [ { "dest-uuid": "9441a589-e23d-402d-9603-5e55e3e33971", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "6deb9f26-969b-45aa-9222-c23663fd6ef8", "value": "Chthonic" }, { "description": "Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan", "meta": { "date": "Discovered Fall 2016", "refs": [ "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html", "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/", "https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-starts-stealing-windows-problem-history/" ], "synonyms": [ "Trickster", "Trickloader" ] }, "related": [ { "dest-uuid": "a7dbd72f-8d53-48c6-a9db-d16e7648b2d4", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c824813c-9c79-4917-829a-af72529e8329", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "07e3260b-d80c-4c86-bd28-8adc111bbec6", "value": "Trickbot" }, { "description": "Dyre is a banking trojan distributed via exploit kits and malspam emails primarily. It has a modular architectur and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim's computer.", "meta": { "date": "Discovered ~June 2014", "refs": [ "https://www.secureworks.com/research/dyre-banking-trojan", "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" ], "synonyms": [ "Dyreza" ] }, "related": [ { "dest-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1ecbcd20-f238-47ef-874b-08ef93266395", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "15e969e6-f031-4441-a49b-f401332e4b00", "value": "Dyre" }, { "description": "Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.", "meta": { "date": "Discovered ~Spring 2012", "refs": [ "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/", "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/", "https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/", "http://my.infotex.com/tiny-banker-trojan/" ], "synonyms": [ "Zusy", "TinyBanker", "illi" ] }, "related": [ { "dest-uuid": "75f53ead-1aee-4f91-8cb9-b4170d747cfc", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "5594b171-32ec-4145-b712-e7701effffdd", "value": "Tinba" }, { "description": "Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.", "meta": { "date": "Discovered ~Summer 2014", "refs": [ "https://feodotracker.abuse.ch/", "http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/", "https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/", "https://www.bleepingcomputer.com/news/security/emotet-returns-with-thanksgiving-theme-and-better-phishing-tricks/", "https://www.forcepoint.com/blog/security-labs/thanks-giving-emotet", "https://cofense.com/major-us-financial-institutions-imitated-advanced-geodo-emotet-phishing-lures-appear-authentic-containing-proofpoint-url-wrapped-links/" ], "synonyms": [ "Feodo Version C", "Emotet" ] }, "related": [ { "dest-uuid": "3f7616bd-f1de-46ee-87c2-43c0c2edaa28", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "8e002f78-7fb8-4e70-afd7-0b4ac655be26", "value": "Geodo" }, { "description": "Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. Version A = Port 8080, Version B = Port 80 It is delivered primarily via exploit kits and malspam emails.", "meta": { "date": "Discovered ~September 2011", "refs": [ "https://securelist.com/dridex-a-history-of-evolution/78531/", "https://feodotracker.abuse.ch/", "http://stopmalvertising.com/rootkits/analysis-of-cridex.html" ], "synonyms": [ "Bugat", "Cridex" ] }, "related": [ { "dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "66781866-f064-467d-925d-5e5f290352f0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "16794655-c0e2-4510-9169-f862df104045", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "7ca93488-c357-44c3-b246-3f88391aca5a", "value": "Feodo" }, { "description": "Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of perforrming Man-in-the-Browser attacks. Distributed primarily via exploit kits.", "meta": { "date": "Discovered ~2010.", "refs": [ "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/" ], "synonyms": [ "Nimnul" ] }, "related": [ { "dest-uuid": "8ed81090-f098-4878-b87e-2d801b170759", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "542161c0-47a4-4297-baca-5ed98386d228", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "7e2288ec-e7d4-4833-9245-a2bc5ae40ee2", "value": "Ramnit" }, { "description": "Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.", "meta": { "date": "Discovered ~2007", "refs": [ "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf" ], "synonyms": [ "Qbot ", "Pinkslipbot", "Akbot" ] }, "related": [ { "dest-uuid": "ac2ff27d-a7cb-46fe-ae32-cfe571dc614d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "b2ec1f16-2a76-4910-adc5-ecb3570e7c1a", "value": "Qakbot" }, { "description": "Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.", "meta": { "date": "Discovered ~Fall 2015", "refs": [ "https://securityintelligence.com/an-overnight-sensation-corebot-returns-as-a-full-fledged-financial-malware/", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf", "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/" ] }, "related": [ { "dest-uuid": "495377c4-1be5-4c65-ba66-94c221061415", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "8a3d46db-d3b4-4f89-99e2-d1f0de3f484c", "value": "Corebot" }, { "description": "TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and reverse SOCKS 4 server. It's main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.", "meta": { "date": "Discovered ~December 2016", "refs": [ "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/", "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/", "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596", "https://benkowlab.blogspot.ca/2017/08/quick-look-at-another-alina-fork-xbot.html" ], "synonyms": [ "NukeBot", "Nuclear Bot", "MicroBankingTrojan", "Xbot" ] }, "related": [ { "dest-uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "used-by" } ], "uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e", "value": "TinyNuke" }, { "description": "Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails. ", "meta": { "date": "Discovered in 2014", "refs": [ "https://www.govcert.admin.ch/blog/33/the-retefe-saga", "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/", "https://countuponsecurity.com/2016/02/29/retefe-banking-trojan/", "https://securityblog.switch.ch/2014/11/05/retefe-with-a-new-twist/", "http://securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters/" ], "synonyms": [ "Tsukuba", "Werdlod" ] }, "related": [ { "dest-uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "80acc956-d418-42e3-bddf-078695a01289", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c", "value": "Retefe" }, { "description": "ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.", "meta": { "date": "Discovered ~early 2015", "refs": [ "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html", "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under", "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/" ] }, "related": [ { "dest-uuid": "9d58d94f-6885-4a38-b086-b9978ac62c1f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "d939e802-acb2-4881-bdaf-ece1eccf5699", "value": "ReactorBot" }, { "description": "Matrix Banker is named accordingly because of the Matrix reference in it's C2 panel. Distributed primarily via malspam emails.", "meta": { "date": "Discovered ~Spring 2017", "refs": [ "https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/" ] }, "related": [ { "dest-uuid": "59717468-271e-4d15-859a-130681c17ddb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "aa3fc68c-413c-4bfb-b4cd-bca7094da985", "value": "Matrix Banker" }, { "description": "Zeus Gameover captures banking credentials from infected computers, then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.", "meta": { "date": "Discovered ~Sept. 2011", "refs": [ "https://heimdalsecurity.com/blog/zeus-gameover/", "https://www.us-cert.gov/ncas/alerts/TA14-150A" ] }, "uuid": "8653a94e-3eb3-4d88-8683-a1ae4a524774", "value": "Zeus Gameover" }, { "description": "SpyEye is a similar to the Zeus botnet banking trojan. It utilizes a web control panel for C2 and can perform form grabbing, autofill credit card modules, ftp grabber, pop3 grabber and HTTP basic access authorization grabber. It also contained a Kill Zeus feature which would remove any Zeus infections if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.", "meta": { "date": "Discovered early 2011", "refs": [ "https://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf", "https://www.computerworld.com/article/2509482/security0/spyeye-trojan-defeating-online-banking-defenses.html", "https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot" ] }, "uuid": "ebce18e9-b387-4b7d-bab9-4acd4fca7a7c", "value": "SpyEye" }, { "description": "Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.", "meta": { "date": "Discovered ~January 2012", "refs": [ "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/", "https://krebsonsecurity.com/tag/citadel-trojan/", "https://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/" ] }, "related": [ { "dest-uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "9eb89081-3245-423a-995f-c1d78ce39619", "value": "Citadel" }, { "description": "Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.", "meta": { "date": "Discovered ~spring 2016", "refs": [ "https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/", "http://www.xylibox.com/2016/02/citadel-0011-atmos.html" ] }, "uuid": "ee021933-929d-4d6c-abca-5827cfb77289", "value": "Atmos" }, { "description": "Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.", "meta": { "date": "Discovered ~Fall 2011", "refs": [ "https://securelist.com/ice-ix-not-cool-at-all/29111/ " ] }, "related": [ { "dest-uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "1d4a5704-c6fb-4bbb-92b2-88dc67f86339", "value": "Ice IX" }, { "description": "Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.", "meta": { "date": "Discovered ~end of 2010", "refs": [ "https://securelist.com/zeus-in-the-mobile-for-android-10/29258/" ] }, "uuid": "3b1aff8f-647d-4709-aab0-6db1859c5f11", "value": "Zitmo" }, { "description": "Banking trojan based on Zeus V2. Murofet is a newer version of Licat found ~end of 2011", "meta": { "date": "Discovered in 2010", "refs": [ "https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_LICAT.A", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus%3aWin32%2fMurofet.A" ], "synonyms": [ "Murofet" ] }, "related": [ { "dest-uuid": "f7081626-130a-48d5-83a9-759b3ef198ec", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "0b097926-2e1a-4134-8ab9-4c16d0cca0fc", "value": "Licat" }, { "description": "Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. Spread via USENET as per rapid7.", "meta": { "date": "Discovered end of 2012", "refs": [ "https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/" ] }, "uuid": "f20791e4-26a7-45e0-90e6-709553b223b2", "value": "Skynet" }, { "description": "According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.", "meta": { "date": "Discovered in September 2017", "refs": [ "https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", "http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" ], "synonyms": [ "BokBot" ] }, "related": [ { "dest-uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "9d67069c-b778-486f-8158-53f5dcd05d08", "value": "IcedID" }, { "description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.", "meta": { "refs": [ "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season" ] }, "related": [ { "dest-uuid": "4cfe3f22-96b8-4d3d-a6cc-85835d9471e2", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "7d9362e5-e3cf-4640-88a2-3faf31952963", "value": "GratefulPOS" }, { "description": "A macOS banking trojan that that redirects an infected user's web traffic in order to extract banking credentials.", "meta": { "refs": [ "https://objective-see.com/blog/blog_0x25.html#Dok" ] }, "related": [ { "dest-uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "80acc956-d418-42e3-bddf-078695a01289", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0", "value": "Dok" }, { "description": "Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.", "meta": { "refs": [ "https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/" ] }, "uuid": "bfff538a-89dd-4bed-9ac1-b4faee373724", "value": "downAndExec" }, { "description": "Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware.\nThe speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.", "meta": { "refs": [ "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators" ], "synonyms": [ "Ismo", "lsmo" ] }, "related": [ { "dest-uuid": "26b91007-a8ae-4e32-bd99-292e44735c3d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "f93acc85-8d2c-41e0-b0c5-47795b8c6194", "value": "Smominru" }, { "description": "It's a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (i.e. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll)", "meta": { "refs": [ "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0", "https://www.bleepingcomputer.com/news/security/danabot-banking-malware-now-targeting-banks-in-the-us/" ] }, "related": [ { "dest-uuid": "4f7decd4-054b-4dd7-89cc-9bdb248f7c8a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "844417c6-a404-4c4e-8e93-84db596d725b", "value": "DanaBot" }, { "description": "The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect values of the window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload", "meta": { "refs": [ "https://www.cert.pl/news/single/analiza-zlosliwego-oprogramowania-backswap/", "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/" ] }, "uuid": "ea0b5f45-6b56-4c92-b22b-0d84c45160a0", "value": "Backswap" }, { "meta": { "refs": [ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Bebloh.A", "https://www.symantec.com/security-center/writeup/2011-041411-0912-99" ], "synonyms": [ "URLZone", "Shiotob" ] }, "related": [ { "dest-uuid": "ed9f995b-1b41-4b83-a978-d956670fdfbe", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "67a1a317-9f79-42bd-a4b2-fa1867d37d27", "value": "Bebloh" }, { "meta": { "refs": [ "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/" ], "synonyms": [ "MultiBanker 2", "BankPatch", "BackPatcher" ] }, "related": [ { "dest-uuid": "137cde28-5c53-489b-ad0b-d0fa2e342324", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "f68555ff-6fbd-4f5a-bc23-34996f629c52", "value": "Banjori" }, { "meta": { "refs": [ "https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/" ] }, "related": [ { "dest-uuid": "080b2071-2d69-4b76-962e-3d0142074bcb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "a717c873-6670-447a-ba98-90db6464c07d", "value": "Qadars" }, { "meta": { "refs": [ "https://www.johannesbader.ch/2016/06/the-dga-of-sisron/" ] }, "uuid": "610a136c-820d-4f5f-b66c-ae298923dc55", "value": "Sisron" }, { "meta": { "refs": [ "https://www.johannesbader.ch/2016/06/the-dga-of-sisron/" ] }, "related": [ { "dest-uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "6720f960-0382-479b-a0f8-f9e008995af4", "value": "Ranbyus" }, { "meta": { "refs": [ "https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks" ] }, "related": [ { "dest-uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "da124511-463c-4514-ad05-7ec8db1b38aa", "value": "Fobber" }, { "description": "Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a rather traditional fashion to other banking malware and consists of three components (injector32\\64.exe, proxy32\\64.dll and mod32\\64.dll), these components essentially work together to deploy webinjects in several browsers.", "meta": { "refs": [ "https://research.checkpoint.com/banking-trojans-development/" ] }, "related": [ { "dest-uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "a088c428-d0bb-49c8-9ed7-dcced0c74754", "value": "Karius" }, { "description": "Kronos was a type of banking malware first reported in 2014. It was sold for $7000. As of September 2015, a renew version was reconnecting with infected bots and sending them a brand new configuration file against U.K. banks and one bank in India. Similar to Zeus it was focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018, the main difference is that the 2018 edition uses Tor-hosted C&C control panels.", "meta": { "refs": [ "https://en.wikipedia.org/wiki/Kronos_(malware)", "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware", "https://www.bleepingcomputer.com/news/security/new-version-of-the-kronos-banking-trojan-discovered/" ] }, "related": [ { "dest-uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "5b42af8e-8fdc-11e8-bf48-f32ff64d5502", "value": "Kronos" }, { "description": "A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components.\nCamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/ " ] }, "related": [ { "dest-uuid": "ecac83ab-cd64-4def-979a-40aeeca0400b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "2fafe8b2-b0db-11e8-a81e-4b62ee50bd87", "value": "CamuBot" }, { "description": "Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.", "meta": { "refs": [ "https://thehackernews.com/2018/08/mexico-banking-malware.html" ] }, "uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f", "value": "Dark Tequila" }, { "description": "Distributed by Malteiro", "meta": { "refs": [ "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/" ], "synonyms": [ "URSA" ] }, "related": [ { "dest-uuid": "ba57c28a-47d0-46ba-a933-9aed69f7b84f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "delivered-by" } ], "uuid": "d27eea57-e55f-40b1-9690-55c2c8500876", "value": "Malteiro" } ], "version": 19 }