Banker
A list of banker malware.
Authors
Authors and/or Contributors |
---|
Unknown |
raw-data |
Zeus
Zeus is a trojan horse that is primarily delivered via drive-by downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Its source code was leaked in 2011.
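The man-in-the-browser tampering that Zeus-family bankers perform is driven by a text configuration (webinjects.txt in the leaked Zeus 2.x source). As an added example, not code from this page or from the Zeus authors, here is a parser for that format together with a simulation of how a matching inject is spliced into a page body. The configuration text and the HTML page below are constructed for the demonstration, and the `G`/`P` flag handling assumes the documented meaning of G = GET request and P = POST request.

```python
import re
from dataclasses import dataclass


@dataclass
class WebInject:
    """One set_url block from a Zeus-style webinjects.txt file."""
    url_mask: str
    flags: str
    data_before: str = ""
    data_after: str = ""
    data_inject: str = ""


def parse_webinjects(text: str) -> list:
    """Parse the Zeus 2.x webinjects.txt format.

    A 'set_url <mask> <flags>' line opens a block; inside it, data_before,
    data_after and data_inject each introduce a chunk terminated by a line
    reading data_end. The injected content replaces whatever sits between the
    data_before and data_after anchors; with an empty data_after it is simply
    inserted right after data_before.
    """
    injects, current, section, buf = [], None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if section is not None:                       # inside a data_* chunk
            if stripped == "data_end":
                setattr(current, section, "\n".join(buf))
                section, buf = None, []
            else:
                buf.append(line)
        elif stripped.startswith("set_url "):
            parts = stripped.split(None, 2)
            current = WebInject(url_mask=parts[1],
                                flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif stripped in ("data_before", "data_after", "data_inject") and current is not None:
            section = stripped
    return injects


def _wild(text: str) -> str:
    """Zeus anchors and URL masks use '*' as a wildcard and '#' for one character."""
    return re.escape(text).replace(r"\*", ".*?").replace(r"\#", ".")


def url_matches(mask: str, url: str) -> bool:
    return re.match("^" + _wild(mask) + "$", url, re.IGNORECASE | re.DOTALL) is not None


def apply_injects(url: str, method: str, html: str, injects: list) -> str:
    """Simulate the MitB hook: rewrite the page body for every matching inject."""
    method_flag = {"GET": "G", "POST": "P"}[method.upper()]
    out = html
    for inj in injects:
        if method_flag not in inj.flags or not url_matches(inj.url_mask, url):
            continue
        pattern = re.compile(
            "(" + _wild(inj.data_before) + ")(.*?)(" + _wild(inj.data_after) + ")",
            re.DOTALL)
        out = pattern.sub(lambda m: m.group(1) + inj.data_inject + m.group(3),
                          out, count=1)
    return out


# Constructed sample config and page: not a real bank, not a real campaign inject.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_after
data_end
data_inject
<input type="text" name="pin" placeholder="Card PIN">
data_end

set_url https://bank.example/login* G
data_before
<span id="notice">
data_end
data_after
</span>
data_end
data_inject
Please re-enter your card PIN to continue.
data_end
"""

SAMPLE_HTML = ('<form><span id="notice">Welcome</span>'
               '<input type="text" name="user"><input type="password" name="pw"></form>')


def demo() -> str:
    """Page as the victim's browser would render it after both injects fire."""
    return apply_injects("https://bank.example/login?step=1", "GET", SAMPLE_HTML,
                         parse_webinjects(SAMPLE_CONFIG))


if __name__ == "__main__":
    print(demo())
```

The first block shows the pure-insertion case (empty data_after adds a bogus PIN field after the password input); the second shows the replacement case, where the text between the two anchors is swapped out. Detection work on webinject configs usually starts from exactly this parse: the set_url masks tell you which institutions a sample targets.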
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zeus.
Known Synonyms |
---|
Zbot |
Internal MISP references
UUID f0ec2df5-2e38-4df3-970d-525352006f2e
which can be used as unique global reference for Zeus
in MISP communities and other software using the MISP galaxy
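Every cluster on this page carries a UUID plus an optional list of synonyms, and that is what tooling keys on when it turns a vendor name into a MISP galaxy tag. As an added example (not code from the page or from the MISP project), the following loads a constructed subset of this galaxy in MISP cluster JSON shape, built from the UUIDs and synonyms listed on this page, indexes every canonical value and synonym, and resolves names to `misp-galaxy:banker="<value>"` tags. It deliberately includes the `Cridex` name, which this page lists as a synonym of both Dridex and Feodo, so the ambiguous case is handled rather than silently picking one.

```python
import json
from collections import defaultdict

# Constructed subset of the banker galaxy in MISP galaxy-cluster JSON shape,
# using the cluster names, UUIDs and synonyms listed on this page.
GALAXY_JSON = json.dumps({
    "type": "banker",
    "values": [
        {"value": "Zeus", "uuid": "f0ec2df5-2e38-4df3-970d-525352006f2e",
         "meta": {"synonyms": ["Zbot"]}},
        {"value": "Dridex", "uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e",
         "meta": {"synonyms": ["Cridex", "Feodo Version D"]}},
        {"value": "Feodo", "uuid": "7ca93488-c357-44c3-b246-3f88391aca5a",
         "meta": {"synonyms": ["Bugat", "Cridex"]}},
        {"value": "Gozi", "uuid": "b9448d2a-a23c-4bf2-92a1-d860716ba2f3",
         "meta": {"synonyms": ["CRM", "Papras", "Snifula", "Ursnif"]}},
        {"value": "Gozi ISFB", "uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369"},
    ],
})


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive key for name lookups."""
    return " ".join(name.lower().split())


def build_index(galaxy: dict) -> dict:
    """Map every canonical value and every meta.synonyms entry to its cluster(s).
    A name may map to more than one cluster (this page lists 'Cridex' twice)."""
    index = defaultdict(list)
    for cluster in galaxy["values"]:
        names = [cluster["value"]] + cluster.get("meta", {}).get("synonyms", [])
        for name in names:
            index[_norm(name)].append(cluster)
    return index


def resolve(galaxy: dict, index: dict, name: str) -> list:
    """Return [(canonical value, uuid, MISP galaxy tag)] for a name.
    Zero results: unknown name. More than one: ambiguous, do not auto-tag."""
    tag = 'misp-galaxy:%s="%s"'
    return [(c["value"], c["uuid"], tag % (galaxy["type"], c["value"]))
            for c in index.get(_norm(name), [])]


def resolve_all(names) -> dict:
    """Resolve a batch of vendor/report names against the embedded galaxy."""
    galaxy = json.loads(GALAXY_JSON)
    index = build_index(galaxy)
    return {n: resolve(galaxy, index, n) for n in names}


if __name__ == "__main__":
    for name, hits in resolve_all(["zbot", "Cridex", "Ursnif", "Dyreza"]).items():
        status = {0: "unknown", 1: "ok"}.get(len(hits), "AMBIGUOUS")
        print(name, status, [h[2] for h in hits])
```

Against the real galaxy file the same code applies unchanged; the practical lesson is the ambiguous branch: a pipeline that maps `Cridex` straight to one UUID will mis-tag half of its events.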
External references
Associated metadata
Metadata key | Value |
---|---|
date | Initially discovered between 2006 and 2007. New bankers with Zeus roots are still active today. |
Vawtrak
Delivered primarily by exploit kits as well as malspam campaigns using macro-based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modular banking trojan designed to steal credentials through harvesting, keylogging, man-in-the-browser attacks, etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vawtrak.
Known Synonyms |
---|
Neverquest |
Internal MISP references
UUID f3813bbd-682c-400d-8165-778be6d3f91f
which can be used as unique global reference for Vawtrak
in MISP communities and other software using the MISP galaxy
External references
- https://www.kaspersky.com/blog/neverquest-trojan-built-to-steal-from-hundreds-of-banks/3247/ - webarchive
- https://www.fidelissecurity.com/threatgeek/2016/05/vawtrak-trojan-bank-it-evolving - webarchive
- https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows - webarchive
- https://www.botconf.eu/wp-content/uploads/2016/11/2016-Vawtrak-technical-report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | Discovered early 2013 |
Dridex
Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dridex.
Known Synonyms |
---|
Cridex |
Feodo Version D |
Internal MISP references
UUID 44754726-e1d5-4e5f-a113-234c4a8ca65e
which can be used as unique global reference for Dridex
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Discovery in 2014, still active |
Gozi
Banking trojan delivered primarily via email (typically malspam) and exploit kits. The Gozi 1.0 source code leaked in 2010.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gozi.
Known Synonyms |
---|
CRM |
Papras |
Snifula |
Ursnif |
Internal MISP references
UUID b9448d2a-a23c-4bf2-92a1-d860716ba2f3
which can be used as unique global reference for Gozi
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | First seen ~ 2007 |
Goziv2
Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Goziv2.
Known Synonyms |
---|
Prinimalka |
Internal MISP references
UUID 71ad2c86-b9da-4351-acf9-7005f64062c7
which can be used as unique global reference for Goziv2
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Fall Oct. 2012 - Spring 2013 |
Gozi ISFB
Banking trojan based on the Gozi source. Features include web injects for the victims' browsers, screenshotting, video recording, transparent redirections, etc. Source leaked around the end of 2015.
Internal MISP references
UUID ffbbbc14-1cdb-4be9-a631-ed53c5407369
which can be used as unique global reference for Gozi ISFB
in MISP communities and other software using the MISP galaxy
External references
- https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/ - webarchive
- https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak - webarchive
- https://lokalhost.pl/gozi_tree.txt - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | Beginning 2010 |
Dreambot
Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.
Internal MISP references
UUID 549d1f8c-f76d-4d66-a1a2-2cd048d739ea
which can be used as unique global reference for Dreambot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Since 2014 |
IAP
Gozi ISFB variant
Internal MISP references
UUID 0f96a666-bf26-44e0-8ad6-f2136208c924
which can be used as unique global reference for IAP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Seen Autumn 2014 |
GozNym
GozNym is a hybrid that combines Nymaim and Gozi ISFB: from Nymaim it takes the dropper's stealth and persistence, while the Gozi ISFB parts add the banking trojan capabilities used to commit fraud through infected web browsers.
Internal MISP references
UUID bcefac9a-a928-490f-9cb6-a8863f40c949
which can be used as unique global reference for GozNym
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Spring 2016 |
Zloader Zeus
Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zloader Zeus.
Known Synonyms |
---|
Zeus Terdot |
Internal MISP references
UUID 2eb658ed-aff4-4253-a21f-9059b133ce17
which can be used as unique global reference for Zloader Zeus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | First seen in Fall 2016 and still active today. |
Zeus VM
Zeus variant that uses steganography: its configuration file is retrieved hidden inside image files.
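As an added example, not taken from this page or from any ZeusVM sample, the block below shows the general technique of parking a configuration blob behind the end of a JPEG, and the check an analyst runs to find it: walk the JPEG segment structure to the real EOI marker and report whatever follows. The RC4 obfuscation, the key and the config content are illustrative assumptions, not ZeusVM's actual encoding; the JPEG bytes are constructed and are not a decodable image. The segment walk matters because a plain search for the two EOI bytes is fooled by EXIF thumbnails, which embed a complete inner JPEG with its own EOI.

```python
SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (illustrative obfuscation only; symmetric, so it also decrypts)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the outer EOI marker, found by walking JPEG segments.

    Each marker FF xx (other than the standalone ones) is followed by a 2-byte
    length that covers the segment, so the walk hops segment to segment. After
    SOS the entropy-coded scan is skipped until the next real marker (FF 00 is
    a stuffed byte and FF D0..D7 are restart markers, neither ends the scan).
    """
    if data[:2] != SOI:
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                                   # EOI
            return pos + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                                   # SOS: skip scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes) -> bytes:
    """Bytes appended after the image proper; a benign JPEG has none."""
    return data[jpeg_end_offset(data):]


def hide_config(image: bytes, config: bytes, key: bytes) -> bytes:
    """Carrier = untouched image + obfuscated config (what the malware's config server serves)."""
    return image + rc4(key, config)


def extract_config(image: bytes, key: bytes) -> bytes:
    return rc4(key, trailing_payload(image))


def minimal_jpeg() -> bytes:
    """Constructed stand-in: SOI, a JFIF APP0 segment, EOI (not a decodable image)."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return SOI + app0 + EOI


def jpeg_with_thumbnail() -> bytes:
    """Constructed JPEG whose APP1 segment embeds an inner JPEG, EXIF-thumbnail style,
    so a naive search for FF D9 stops on the inner image's EOI."""
    inner = b"Exif\x00\x00" + minimal_jpeg()
    app1 = b"\xff\xe1" + (2 + len(inner)).to_bytes(2, "big") + inner
    return SOI + app1 + EOI


if __name__ == "__main__":
    KEY = b"demo-key"                                        # assumed, not ZeusVM's key
    CONFIG = b'{"c2": "http://example.invalid/gate.php"}'   # constructed config
    carrier = hide_config(jpeg_with_thumbnail(), CONFIG, KEY)
    print("trailing bytes:", len(trailing_payload(carrier)))
    print("recovered:", extract_config(carrier, KEY))
```

Run `trailing_payload` over images fetched by a suspected sample; any non-empty result is worth a look regardless of how the appended bytes are encoded, and an image that fails the segment walk altogether is suspicious in its own right.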
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zeus VM.
Known Synonyms |
---|
VM Zeus |
Internal MISP references
UUID 09d1cad8-6b06-48d7-a968-5b17bbe9ca65
which can be used as unique global reference for Zeus VM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | First seen ~Feb 2014 |
Zeus Sphinx
Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.
Internal MISP references
UUID 8914802c-3aca-4a0d-874a-85ac7a1bc505
which can be used as unique global reference for Zeus Sphinx
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | First seen ~Aug 2015 |
Panda Banker
Zeus-like banking trojan that is delivered primarily through malspam emails and exploit kits.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Panda Banker.
Known Synonyms |
---|
Zeus Panda |
Internal MISP references
UUID f1971442-6477-4aa2-aafa-7529b8252455
which can be used as unique global reference for Panda Banker
in MISP communities and other software using the MISP galaxy
External references
- https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market - webarchive
- https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | First seen ~ Spring 2016 |
Zeus KINS
Zeus KINS is a modified version of ZeuS 2.0.8.9. It stores an encrypted copy of its configuration in the registry.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zeus KINS.
Known Synonyms |
---|
Kasper Internet Non-Security |
Maple |
Internal MISP references
UUID bc0be3a4-89d8-4c4c-b2aa-2dddbed1f71d
which can be used as unique global reference for Zeus KINS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | First seen 2014 |
Chthonic
Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chthonic.
Known Synonyms |
---|
Chtonic |
Internal MISP references
UUID 6deb9f26-969b-45aa-9222-c23663fd6ef8
which can be used as unique global reference for Chthonic
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | First seen fall of 2014 |
Trickbot
Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Trickbot.
Known Synonyms |
---|
Trickloader |
Trickster |
Internal MISP references
UUID 07e3260b-d80c-4c86-bd28-8adc111bbec6
which can be used as unique global reference for Trickbot
in MISP communities and other software using the MISP galaxy
External references
- https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/ - webarchive
- http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html - webarchive
- https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/ - webarchive
- https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-starts-stealing-windows-problem-history/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | Discovered Fall 2016 |
Dyre
Dyre is a banking trojan distributed primarily via exploit kits and malspam emails. It has a modular architecture and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim's computer.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dyre.
Known Synonyms |
---|
Dyreza |
Internal MISP references
UUID 15e969e6-f031-4441-a49b-f401332e4b00
which can be used as unique global reference for Dyre
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~June 2014 |
Tinba
Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tinba.
Known Synonyms |
---|
TinyBanker |
Zusy |
illi |
Internal MISP references
UUID 5594b171-32ec-4145-b712-e7701effffdd
which can be used as unique global reference for Tinba
in MISP communities and other software using the MISP galaxy
External references
- https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/ - webarchive
- http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/ - webarchive
- https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/ - webarchive
- http://my.infotex.com/tiny-banker-trojan/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~Spring 2012 |
Geodo
Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Geodo.
Known Synonyms |
---|
Emotet |
Feodo Version C |
Internal MISP references
UUID 8e002f78-7fb8-4e70-afd7-0b4ac655be26
which can be used as unique global reference for Geodo
in MISP communities and other software using the MISP galaxy
External references
- https://feodotracker.abuse.ch/ - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/ - webarchive
- https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/ - webarchive
- https://www.bleepingcomputer.com/news/security/emotet-returns-with-thanksgiving-theme-and-better-phishing-tricks/ - webarchive
- https://www.forcepoint.com/blog/security-labs/thanks-giving-emotet - webarchive
- https://cofense.com/major-us-financial-institutions-imitated-advanced-geodo-emotet-phishing-lures-appear-authentic-containing-proofpoint-url-wrapped-links/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~Summer 2014 |
Feodo
Feodo is a banking trojan that utilizes web injects and is also capable of monitoring and manipulating cookies. Version A communicates over port 8080, Version B over port 80. It is delivered primarily via exploit kits and malspam emails.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Feodo.
Known Synonyms |
---|
Bugat |
Cridex |
Internal MISP references
UUID 7ca93488-c357-44c3-b246-3f88391aca5a
which can be used as unique global reference for Feodo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~September 2011 |
Ramnit
Originally not a banking trojan in 2010, Ramnit became one after the Zeus source code leak. It is capable of performing man-in-the-browser attacks. Distributed primarily via exploit kits.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ramnit.
Known Synonyms |
---|
Nimnul |
Internal MISP references
UUID 7e2288ec-e7d4-4833-9245-a2bc5ae40ee2
which can be used as unique global reference for Ramnit
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~2010. |
Qakbot
Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Qakbot.
Known Synonyms |
---|
Akbot |
Pinkslipbot |
Qbot |
Internal MISP references
UUID b2ec1f16-2a76-4910-adc5-ecb3570e7c1a
which can be used as unique global reference for Qakbot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~2007 |
Corebot
Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.
Internal MISP references
UUID 8a3d46db-d3b4-4f89-99e2-d1f0de3f484c
which can be used as unique global reference for Corebot
in MISP communities and other software using the MISP galaxy
External references
- https://securityintelligence.com/an-overnight-sensation-corebot-returns-as-a-full-fledged-financial-malware/ - webarchive
- https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf - webarchive
- https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~Fall 2015 |
TinyNuke
TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and a reverse SOCKS 4 server. Its main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TinyNuke.
Known Synonyms |
---|
MicroBankingTrojan |
Nuclear Bot |
NukeBot |
Xbot |
Internal MISP references
UUID e683cd91-40b4-4e1c-be25-34a27610a22e
which can be used as unique global reference for TinyNuke
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/ - webarchive
- https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/ - webarchive
- https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/ - webarchive
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596 - webarchive
- https://benkowlab.blogspot.ca/2017/08/quick-look-at-another-alina-fork-xbot.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~December 2016 |
Retefe
Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation-based targeting. It also leverages a fake root certificate and changes the DNS server used for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Retefe.
Known Synonyms |
---|
Tsukuba |
Werdlod |
Internal MISP references
UUID 87b69cb4-8b65-47ee-91b0-9b1decdd5c5c
which can be used as unique global reference for Retefe
in MISP communities and other software using the MISP galaxy
External references
- https://www.govcert.admin.ch/blog/33/the-retefe-saga - webarchive
- https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/ - webarchive
- https://countuponsecurity.com/2016/02/29/retefe-banking-trojan/ - webarchive
- https://securityblog.switch.ch/2014/11/05/retefe-with-a-new-twist/ - webarchive
- http://securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | Discovered in 2014 |
ReactorBot
ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.
Internal MISP references
UUID d939e802-acb2-4881-bdaf-ece1eccf5699
which can be used as unique global reference for ReactorBot
in MISP communities and other software using the MISP galaxy
External references
- http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html - webarchive
- https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under - webarchive
- http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~early 2015 |
Matrix Banker
Matrix Banker is named for the Matrix reference in its C2 panel. Distributed primarily via malspam emails.
Internal MISP references
UUID aa3fc68c-413c-4bfb-b4cd-bca7094da985
which can be used as unique global reference for Matrix Banker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~Spring 2017 |
Zeus Gameover
Zeus Gameover captures banking credentials from infected computers, then uses those credentials to initiate or redirect wire transfers to overseas accounts controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.
Internal MISP references
UUID 8653a94e-3eb3-4d88-8683-a1ae4a524774
which can be used as unique global reference for Zeus Gameover
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~Sept. 2011 |
SpyEye
SpyEye is a banking trojan similar to Zeus. It uses a web control panel for C2 and includes form grabbing, credit card autofill, FTP grabber, POP3 grabber and HTTP basic access authorization grabber modules. It also contained a "Kill Zeus" feature that removed any Zeus infection present on the system. Distributed primarily via exploit kits and malspam emails.
Internal MISP references
UUID ebce18e9-b387-4b7d-bab9-4acd4fca7a7c
which can be used as unique global reference for SpyEye
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Discovered early 2011 |
Citadel
Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.
Internal MISP references
UUID 9eb89081-3245-423a-995f-c1d78ce39619
which can be used as unique global reference for Citadel
in MISP communities and other software using the MISP galaxy
External references
- https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/ - webarchive
- https://krebsonsecurity.com/tag/citadel-trojan/ - webarchive
- https://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~January 2012 |
Atmos
Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.
Internal MISP references
UUID ee021933-929d-4d6c-abca-5827cfb77289
which can be used as unique global reference for Atmos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~spring 2016 |
Ice IX
Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.
Internal MISP references
UUID 1d4a5704-c6fb-4bbb-92b2-88dc67f86339
which can be used as unique global reference for Ice IX
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/ice-ix-not-cool-at-all/29111/
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~Fall 2011 |
Zitmo
ZeuS-in-the-Mobile. Banking trojan developed for mobile devices such as Windows Mobile, BlackBerry and Android.
Internal MISP references
UUID 3b1aff8f-647d-4709-aab0-6db1859c5f11
which can be used as unique global reference for Zitmo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Discovered ~end of 2010 |
Licat
Banking trojan based on Zeus V2. Murofet is a newer version of Licat found around the end of 2011.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Licat.
Known Synonyms |
---|
Murofet |
Internal MISP references
UUID 0b097926-2e1a-4134-8ab9-4c16d0cca0fc
which can be used as unique global reference for Licat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Discovered in 2010 |
Skynet
Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and banking capabilities. Spread via Usenet, according to Rapid7.
Internal MISP references
UUID f20791e4-26a7-45e0-90e6-709553b223b2
which can be used as unique global reference for Skynet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | Discovered end of 2012 |
IcedID
According to X-Force research, this banking trojan emerged in the wild in September 2017, when its first test campaigns were launched. X-Force researchers noted that IcedID has modular malicious code with modern banking trojan capabilities comparable to malware such as the Zeus trojan. At the time of discovery, the malware targeted banks, payment card providers, mobile service providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IcedID.
Known Synonyms |
---|
BokBot |
Internal MISP references
UUID 9d67069c-b778-486f-8158-53f5dcd05d08
which can be used as unique global reference for IcedID
in MISP communities and other software using the MISP galaxy
External references
- https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/ - webarchive
- https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/ - webarchive
- http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | Discovered in September 2017 |
GratefulPOS
GratefulPOS has the following functions:
1. Access arbitrary processes on the target POS system.
2. Scrape track 1 and track 2 payment card data from the process(es).
3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to what Paul Rascagneres described in his 2014 analysis of FrameworkPOS, and more recently Luis Mendieta of Anomali in the analysis of a precursor to this sample.
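As an added example, not code from this page or from GratefulPOS, the following reproduces in analysis form what functions 2 and 3 above describe, so a responder can recognise both halves: a scan of a process memory dump for track 1/2 records with Luhn validation to cut false positives, and a length heuristic over DNS query names that flags data-bearing subdomains. The memory buffer uses publicly known test PANs, `c2.example.invalid` is a placeholder for the hardcoded domain, and `encode_for_dns` (base32 in 60-character labels) is an assumption about how such a channel might look, used only to build a realistic sample query; it is not GratefulPOS's actual encoding.

```python
import base64
import re

# Track 1: %B<PAN>^<NAME>^<YYMM>...   Track 2: ;<PAN>=<YYMM>...
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; filters most random digit runs out of a scan."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four digits only; never write full PANs to case notes."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tracks(buf: bytes) -> list:
    """Find track 1/2 magstripe records in a memory buffer, the way a RAM scraper
    does, keeping only PANs that pass Luhn. Returns masked results only."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": mask(pan),
                         "name": m.group(2).decode(errors="replace"),
                         "exp": m.group(3).decode()})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": mask(pan), "exp": m.group(2).decode()})
    return hits


def encode_for_dns(record: bytes, domain: str, label_len: int = 60) -> str:
    """Assumed shape of an exfil query: base32 the record, chunk into labels, append domain."""
    b32 = base64.b32encode(record).decode().rstrip("=").lower()
    labels = [b32[i:i + label_len] for i in range(0, len(b32), label_len)]
    return ".".join(labels + [domain])


def suspicious_dns_queries(queries, max_prefix_len: int = 32) -> list:
    """Flag queries whose subdomain prefix (everything left of the registered
    domain, approximated here as the last two labels) is unusually long: the
    tell of a data-in-query-name channel regardless of the encoding used."""
    flagged = []
    for q in queries:
        labels = q.rstrip(".").split(".")
        prefix = ".".join(labels[:-2])
        if len(prefix) > max_prefix_len:
            flagged.append(q)
    return flagged


# Constructed sample process memory: two valid test PANs and one that fails Luhn.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"%B4111111111111111^DOE/JOHN^25121010000000000?"
    + b"\xff\x00garbage"
    + b";5500000000000004=2512101000000000?"
    + b";4111111111111112=2401101000?"
    + b"\x00" * 16
)

EXFIL_DOMAIN = "c2.example.invalid"   # placeholder, not a real indicator


def demo():
    """Scrape the sample buffer, then flag the query that would carry the first hit out."""
    hits = scan_tracks(SAMPLE_MEMORY)
    queries = ["www.example.com", "time.windows.com",
               encode_for_dns((hits[0]["pan"] + "|" + hits[0]["exp"]).encode(), EXFIL_DOMAIN)]
    return hits, suspicious_dns_queries(queries)


if __name__ == "__main__":
    found, flagged = demo()
    print(found)
    print(flagged)
```

On a real POS incident the same two checks run over the memory image and the resolver logs: Luhn-validated track data in a process that has no business holding it confirms the scrape, and long query prefixes to one domain confirm the channel, even when the label encoding differs from the assumption here.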
Internal MISP references
UUID 7d9362e5-e3cf-4640-88a2-3faf31952963
which can be used as unique global reference for GratefulPOS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Dok
A macOS banking trojan that redirects an infected user's web traffic in order to extract banking credentials.
Internal MISP references
UUID e159c4f8-3c22-49f9-a60a-16588a9c22b0
which can be used as unique global reference for Dok
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
downAndExec
Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.
Internal MISP references
UUID bfff538a-89dd-4bed-9ac1-b4faee373724
which can be used as unique global reference for downAndExec
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Smominru
Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware. The speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Smominru.
Known Synonyms |
---|
Ismo |
lsmo |
Internal MISP references
UUID f93acc85-8d2c-41e0-b0c5-47795b8c6194
which can be used as unique global reference for Smominru
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
DanaBot
DanaBot is a trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (e.g. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll).
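As an added example, not code from this page or from DanaBot, here is the check a network defender applies to the "raw TCP to port 443" behaviour: look at the first bytes a client sends on 443, accept a well-formed TLS ClientHello (and pull out its SNI so it can be compared against an allowlist), and alert on anything else. The flow records are constructed; `build_client_hello` exists only to produce realistic test input and is not a TLS client.

```python
def build_client_hello(sni: str) -> bytes:
    """Minimal TLS ClientHello record carrying a server_name extension (test input only)."""
    name = sni.encode("ascii")
    server_name = b"\x00" + len(name).to_bytes(2, "big") + name      # name_type host_name
    sn_list = len(server_name).to_bytes(2, "big") + server_name
    ext = b"\x00\x00" + len(sn_list).to_bytes(2, "big") + sn_list      # extension type 0
    body = (b"\x03\x03" + bytes(32)              # client_version, random
            + b"\x00"                            # session_id: empty
            + b"\x00\x02\x13\x01"                # one cipher suite
            + b"\x01\x00"                        # compression: null only
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def client_hello_sni(payload: bytes):
    """SNI host_name if payload starts with a TLS ClientHello record, '' for a
    ClientHello without SNI, None if the bytes are not a TLS handshake at all."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[1] != 0x03 or payload[2] > 0x04:
        return None                              # record type/version check
    rec_len = int.from_bytes(payload[3:5], "big")
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:             # handshake type ClientHello
        return None
    try:
        p = 4 + 2 + 32                           # handshake header, version, random
        p += 1 + hs[p]                           # session_id
        p += 2 + int.from_bytes(hs[p:p + 2], "big")   # cipher_suites
        p += 1 + hs[p]                           # compression_methods
        if p + 2 > len(hs):
            return ""                            # no extensions block
        end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(hs[p:p + 2], "big")
            elen = int.from_bytes(hs[p + 2:p + 4], "big")
            p += 4
            if etype == 0:                       # server_name
                q = p + 2                        # skip ServerNameList length
                while q + 3 <= p + elen:
                    ntype, nlen = hs[q], int.from_bytes(hs[q + 1:q + 3], "big")
                    q += 3
                    if ntype == 0:
                        return hs[q:q + nlen].decode("ascii", "replace")
                    q += nlen
            p += elen
    except IndexError:
        return None                              # truncated or malformed structure
    return ""


def classify_first_bytes(payload: bytes) -> tuple:
    """('tls', sni) | ('http', None) | ('raw', None) for the first client bytes."""
    sni = client_hello_sni(payload)
    if sni is not None:
        return ("tls", sni)
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ", b"OPTI"):
        return ("http", None)
    return ("raw", None)


def audit_flows(flows: list, sni_allowlist=frozenset()) -> list:
    """flows: (src, dst, dport, first_client_bytes). Alerts on port-443 flows that
    are not TLS, and, when an allowlist is given, on TLS flows with an unexpected SNI."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != 443:
            continue
        kind, sni = classify_first_bytes(payload)
        if kind != "tls":
            alerts.append((src, dst, "non-TLS client data on 443 (%s)" % kind))
        elif sni_allowlist and sni not in sni_allowlist:
            alerts.append((src, dst, "unexpected SNI %r on 443" % sni))
    return alerts


# Constructed flow records: a genuine handshake, plaintext HTTP on 443, and an
# opaque binary blob of the kind a custom loader protocol would send.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, build_client_hello("bank.example")),
    ("10.0.0.5", "203.0.113.11", 443, b"GET /gate.php HTTP/1.1\r\nHost: 203.0.113.11\r\n\r\n"),
    ("10.0.0.7", "198.51.100.9", 443, b"\x11\x00\x00\x00\x1a\x2b\x3c\x4d" + bytes(24)),
    ("10.0.0.7", "198.51.100.9", 80, b"GET / HTTP/1.1\r\n\r\n"),
]


def demo() -> list:
    return audit_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The same classification is what a protocol-aware sensor does under the name "protocol mismatch on 443"; the value of writing it out is seeing that the check needs only the first client bytes of the connection, so it works on flow captures that keep just the initial payload.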
Internal MISP references
UUID 844417c6-a404-4c4e-8e93-84db596d725b
which can be used as unique global reference for DanaBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Backswap
The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect values of the window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload.
Internal MISP references
UUID ea0b5f45-6b56-4c92-b22b-0d84c45160a0
which can be used as unique global reference for Backswap
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Bebloh
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bebloh.
Known Synonyms |
---|
Shiotob |
URLZone |
Internal MISP references
UUID 67a1a317-9f79-42bd-a4b2-fa1867d37d27
which can be used as unique global reference for Bebloh
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Banjori
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Banjori.
Known Synonyms |
---|
BackPatcher |
BankPatch |
MultiBanker 2 |
Internal MISP references
UUID f68555ff-6fbd-4f5a-bc23-34996f629c52
which can be used as unique global reference for Banjori
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Qadars
Internal MISP references
UUID a717c873-6670-447a-ba98-90db6464c07d
which can be used as unique global reference for Qadars
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Sisron
Internal MISP references
UUID 610a136c-820d-4f5f-b66c-ae298923dc55
which can be used as unique global reference for Sisron
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Ranbyus
Internal MISP references
UUID 6720f960-0382-479b-a0f8-f9e008995af4
which can be used as unique global reference for Ranbyus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Fobber
Internal MISP references
UUID da124511-463c-4514-ad05-7ec8db1b38aa
which can be used as unique global reference for Fobber
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Karius
Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a fashion similar to other traditional banking malware and consists of three components (injector32\64.exe, proxy32\64.dll and mod32\64.dll); these components work together to deploy webinjects in several browsers.
Internal MISP references
UUID a088c428-d0bb-49c8-9ed7-dcced0c74754
which can be used as unique global reference for Karius
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Kronos
Kronos was a type of banking malware first reported in 2014. It was sold for $7000. As of September 2015, a renewed version was reconnecting with infected bots and sending them a brand new configuration file against U.K. banks and one bank in India. Similar to Zeus, it was focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018; the main difference is that the 2018 edition uses Tor-hosted C&C control panels.
Internal MISP references
UUID 5b42af8e-8fdc-11e8-bf48-f32ff64d5502
which can be used as unique global reference for Kronos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
CamuBot
A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components. CamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.
Internal MISP references
UUID 2fafe8b2-b0db-11e8-a81e-4b62ee50bd87
which can be used as unique global reference for CamuBot
in MISP communities and other software using the MISP galaxy
External references
- https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Dark Tequila
Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.
Internal MISP references
UUID fa574138-a3bd-4ebc-a5f7-3b465df7106f
which can be used as unique global reference for Dark Tequila
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Malteiro
Distributed by Malteiro
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Malteiro.
Known Synonyms |
---|
URSA |
Internal MISP references
UUID d27eea57-e55f-40b1-9690-55c2c8500876
which can be used as unique global reference for Malteiro
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.