A short history of the financial Trojan

Dick O'Brien
Threat Intel
Published in
6 min readApr 6, 2017


Threat Intel’s ‘History of…’ series will look at the origins and evolution of notable developments in cybersecurity.

Once banking moved online, it was inevitable cybercriminals would follow

Once banks began putting their services online in the late 1990s, it was only going to be a matter of time before cybercriminals began trying to steal from them. However, with banks employing robust security, gangs quickly realized that attacking the banks themselves would be tough. Stealing customers’ credentials was a more feasible avenue of attack, and so the first financial Trojans were born.

Every financial Trojan since then has followed the basic template of hiding on the victim’s computer and either attempting to steal their credentials when they log in to online banking services or hijacking online banking sessions to carry out unauthorized transactions.

Technical advances

Early variants relied on tactics such as logging keystrokes or redirecting victims to fake banking websites. Over time, the tactics used have become a lot more sophisticated. One of the biggest advances was the advent of man-in-the-browser (MITB) attacks, where the Trojan manipulates the victim’s web browser and changes what is displayed on a website.

One of the first Trojans to pioneer this technique was Zeus, which appeared in 2007. Zeus could be configured to attack virtually any online banking session by injecting additional HTML known as “web injects” into the web pages open on the browser, allowing the Trojan to alter or replace content and/or display additional fields. This allowed the attackers to steal credentials when they were input on the web page or to create requests for additional credentials not requested by the bank, such as PIN codes.

Zeus proved to be a serious money spinner and its creators were able to sell it on underground marketplaces for thousands of dollars. Buyers could then configure it with web injects they either wrote themselves or bought from other malware developers to target customers of specific banks.

Not surprisingly, Zeus soon spawned copycats. In 2009, another Trojan known as SpyEye appeared, which was capable of doing much of what Zeus could do, but undercut it by selling for US$700. The template for the modern financial Trojan had been created and, for a brief period of time, the cybercriminals behind these two threats dominated the marketplace.

Shifting sands

The source code for the Zeus Trojan was leaked in 2011

One thing that has characterized financial Trojans is that the sector has been in a near constant state of flux, with leaks and law enforcement actions regularly altering its dynamic. In 2011, the source code for Zeus was leaked. Overnight, a once tightly-controlled piece of malware was now freely available to anyone. The leak led to the creation of a host of clones based on the Zeus source code, such as Citadel and Gameover Zeus. Shortly afterwards, a similar thing happened to SpyEye, when its builder protector was cracked and source code released.

Source code leaks are not unusual on the cyberunderground. In some cases, malware authors themselves are believed to be behind the leaks. If this occurs, it usually appears to be prompted by fear of a law enforcement investigation. By releasing the source code, authors can “muddy the waters” by putting their tools into the hands of multiple groups.

Despite the public perception that financial Trojan gangs can remain anonymous, police forces have had some success in recent years in dismantling operations and arresting key players. In 2014, the Gameover Zeus gang was hit by a coordinated swoop, involving the FBI, the UK’s National Crime Agency, and several other police forces, which saw a large amount of its infrastructure seized. Although no arrests were made, activity surrounding the malware dropped off considerably in the aftermath of the raids.

Another Trojan to suffer a similar fate was Shylock. The gang behind Shylock was estimated to have stolen millions of dollars over a three-year period, but a law enforcement takedown in 2014 led by the UK National Crime Agency saw much of the gang’s infrastructure seized. Shylock activity tailed off following the operation, suggesting it was dealt a serious blow.

Filling the void

Law enforcement takedowns have had a big impact on the financial Trojan landscape

All of this upheaval created a vacuum that new threats emerged to fill. One of the most prominent of this new generation was Dyre, a Trojan that first emerged in mid-2014 and, for much of 2015, was the main financial menace circulating online.

Honing the business model created by Zeus, Dyre was the next generation of financial threat, configured to defraud the customers of more than 1,000 banks and other companies worldwide. Email was the preferred method of infection, and Dyre was spread via spam emails masquerading as business documents, voicemails, or fax messages.

Once installed, the Dyre Trojan could perform MITB attacks on all the main Windows web browsers (Internet Explorer, Chrome, and Firefox). It employed two different types of MITB attacks. If the victim visited one of the web pages listed in its configuration files, they would be redirected to a malicious server hosting a fake version of the page, which would be used to harvest their credentials.

If the victim visited a banking page not listed in the configuration, Dyre was capable of creating a web inject on-the-fly through the neat trick of sending a compressed version of the web page back to the gang’s servers, which would then repackage it with malicious code added to it and send it back to the victim’s browser, allowing Dyre to steal inputted credentials.

However, Dyre’s dominance lasted barely eighteen months. The Trojan suddenly disappeared from circulation in November 2015 following a Russian law enforcement operation against the gang. Unfortunately, an even more virulent Trojan emerged to take its place: Dridex.

Scaling up

A variant of an older Trojan known as Cridex, Dridex is technically quite similar to many of its predecessors. What has made it especially dangerous is that the gang controlling it has brought distribution to a new scale. The Dridex group has the resources to contract major spamming botnets to run massive spam campaigns distributing the malware. When Symantec took a close look at Dridex last year, we found that we were blocking an average of more than 250,000 Dridex emails a day, meaning it was likely millions were being sent daily. Although Dridex was configured to attack fewer banks than Dyre, the sheer volume of emails being sent made it a significant threat.

While Dridex continues to dominate the financial threats landscape, it is operating in an increasingly crowded marketplace. Mass mailing botnets, which presumably sell their services to the highest bidder, have in the past year been increasingly working for ransomware groups. While Dridex hasn’t disappeared, other threats such as the ransomware known as Locky have accounted for an increasing proportion of malicious emails.

A new generation of attackers, such as Carbanak and Odinaff, have also moved up the cybercrime value chain and begun attacking banks themselves rather than their customers, and the prospect of big money heists is likely to lead other groups to try their luck.

For the ordinary banking customers, though, financial Trojans continue to pose a serious threat. Most modern financial Trojans are capable of quietly inserting themselves into online banking sessions and stealing the victim’s credentials, potentially allowing attackers to drain their accounts at a later date.

Don’t become a victim

If you don’t want to be one of the unlucky ones, a few simple precautions will greatly reduce the risk:

· Always keep your security software up to date to protect yourself against any new variants of malware.

· Keep your operating system and other software updated. Software updates will frequently include patches for newly-discovered security vulnerabilities that could be exploited by attackers.

· Exercise caution when conducting online banking sessions, in particular if the behavior or appearance of your bank’s website changes.

· Delete any suspicious-looking emails you receive, especially if they contain links or attachments.

· Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.

· If you suspect an infection, immediately change your online banking account passwords using an uninfected system and contact your bank to alert them to look for any potentially fraudulent transactions.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.

Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.



Dick O'Brien
Threat Intel

Comms guy at Symantec Security Response. Racing cyclist. Keen on tech, politics, books, fitness and nutrition.