Tempering the threat of Trojans: SMEs can fight back against banking malware
5 min read
12 July 2016
There are numerous examples of banking Trojans from Dridex to Lurk, Kronos, Gootkit, Vawtrak, and Zeus and they continue to claim millions of victims despite the clear message to avoid opening suspicious files. So what can be done?
As organisations tighten defences, cyber criminals are aiming to exploit the weakest link by targeting employees via spear phishing attacks and malware.
Dridex specifically targets finance departments in small and medium-sized operations in a bid to capture log-in details and uses legitimate vectors, making it more difficult to detect.
It relies upon the victim opening a malicious word or excel document to instal the Trojan payload and specifically aims to capture banking log-in details and bides its time in the background on the PC, looking at internet activity and capturing log-in screenshots. It is reported to have hoovered up approximately $40m worldwide as of October 2015.
The security industry expected Dridex to, well, dry up, following the take-down of the Evil Corp botnet and arrest of chief instigator Andrey Ghinkul in 2015, but the malware persisted. All it needed was a new botnet and another criminal mastermind to see the Trojan re-emerge.
Browse the dark web and you’d be amazed at how easy and cheap it is to buy a botnet making the resurrection of the banking Trojan relatively simple. Sure enough, Dridex re-emerged a few months later on the Necurs botnet.
A behemoth in the world of botnets, Necurs controls 1.7 million computers via seven botnets. The peer-to-peer hybrid botnet uses rootkit infection, namely a kernel-mode driver that enables the attacker to control the infected system, alter its input and output, disable the antivirus software and perform actions as desired by the attacker.
As well as old school Trojans, Necurs is gaining notoriety as a disseminator of Locky ransomware which burst onto the scene in February. Locky clocked up three million hits in its first month.
In May, the Necurs botnet went dark but it is now back with a vengeance and a variant of Locky that works in more complex ways, utilising obfuscation techniques, and which is being delivered in higher volumes than previously seen with estimates suggesting between 80-100 million emails are being sent per day.
Read more on cyber security:
- Who takes accountability for the insider risk?
- The true cost of cyber crime and why SMEs are a target
- Email security – the biggest threat to your business in 2016?
Over the course of the last week, the Zepto ransomware has also emerged and is being closely monitored, although it’s not yet clear if this a variant of Locky or simply shares similar attributes.
Financial departments are particularly at risk and need to remain vigilant, and banks can assist by advising their business customers on what to look out for/how best to protect themselves.
The organisation should, for instance, ensure it has the latest anti-virus and anti-spam software installed, with security patches tested and implemented as a matter of urgency, IPS and IDS are configured correctly, up-to-date firewall policies, and data back-ups that are held securely should a breach occur.
Organisations can also protect themselves by utilising a SOC to track and detect threats as they happen or even introduce threat intelligence to pro-actively prevent cyber attacks from occurring.
Cyber insurance is also a good option and growing in popularity, however, it’s the end users that are the most important player and last line of defence for an organisation when it comes to protection against these types of threat.
Whether its Dridex or Locky ransomware, it’s the susceptibility of the end user that is key: neither attack can succeed without human assistance. In a vigilant culture where the employees can quickly and confidently identify spam emails and avoid clicking on an attachment or reviewing an unexpected invoice, these attacks cannot gain purchase.
Unfortunately, that message isn’t getting through, so it’s necessary to formally assess and educate staff. Organisations should regularly test awareness using an internal phishing campaign to determine the maturity and level of security awareness. Because sometimes the weakest link in the chain can also be the strongest – if tempered correctly.
Milton Kandias and Andrew Scullion are cyber security consultants at Auriga
These are the five ways your apps are putting you at risk.