IBM warns over proliferating use of banking Trojans in enterprise attacks

Trojan malware features and functions being expanded to attack more targets

Banking Trojans are increasingly being used to launch cyber attacks on organisations because of the proliferation of such malware on PCs around the world.

That is the warning of Dana Tamir, the director of enterprise security at IBM Trusteer. It follows the warning from Salesforce.com about the Dyre Trojan, which is being used to target large users of Salesforce in the financial services industry.

"The use of the Dyre Trojan to target enterprise customers of Salesforce.com is part of an emerging trend that has been rapidly growing over the last few years. So-called 'banking Trojans' are no longer used only for targeting customers of large financial organisations - they are now increasingly used for targeting enterprises," claims Tamir.

Approximately one in 500 PCs around the world is infected by banking malware. Using these networks of compromised PCs means that professional cyber criminals do not need to run "spear-phishing" campaigns in order to acquire login credentials for organisations that they are targeting.

Instead, they can simply re-purpose their malware remotely.

"Another known banking Trojan, Citadel ... was used to target several petrochemical companies in the Middle East. The Citadel Trojan was instructed to wait until the user accesses any of the internet-facing systems of the targeted organisations, such as webmail, and grab all the information submitted by the user. This information would most likely include the user's credentials, which would provide the attacker with access to these systems," writes Tamir.

In the past, banking Trojans like Zeus, Citadel, Shylock and now Dyre were specifically designed to steal banking credentials and to enable cyber criminals to commit financial fraud. They mainly used techniques such as man-in-the-browser attacks or keylogging to grab users' financial and personal information and enable fraudulent activities, according to Tamir.

However, the features and functions of Trojan malware have been vastly expanded over the years so that they can be used to steal more than just credentials, and attackers are using mass-distribution techniques to propagate their malware as widely as possible.

"They use mass-distribution techniques to infect as many PCs as possible. These malware distribution campaigns can use malicious email attachments, drive-by downloads, watering hole attacks and social-engineering schemes to infect millions of PCs around the world. The use of massively distributed malware allows cyber criminals to take advantage of millions of machines already infected with the Trojans," says Tamir.

She continues: "In order to point these Trojans at new targets - in this case, enterprise organisations - the cyber criminal only needs to provide these Trojans with a new configuration file.

"The configuration file received from a command-and-control server contains information about the targets as well as other operational details.

"The configuration file can also contain information about a new command-and-control server the Trojan should start working with. This enables cyber criminals to repurpose existing Trojans on user machines as needed."
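The retargeting Tamir describes rests on one fact: the malware binary on the infected PC stays the same, and only the configuration file pulled from the command-and-control server changes, carrying a new target list and possibly a new C2 address. The following is an added example, written from the defender's side, and is not code from the article, from IBM Trusteer or from any real Trojan family. It assumes a decoded configuration in a constructed JSON layout (the `targets`, `url`, `action` and `c2` keys are hypothetical, not Dyre's or Citadel's real format) and shows the two checks an incident responder would run on such a capture: which of the organisation's own internet-facing systems, such as webmail, appear in the target list, and which C2 endpoints should go on the proxy or firewall blocklist.

```python
"""Triage of a decoded banking-Trojan configuration, defender's view.

The configuration layout below is constructed for illustration only; it is
not the real format used by Dyre, Citadel or any other malware family.
"""
import fnmatch
import json

# Constructed sample of a decoded, re-targeted configuration: the same
# Trojan that once watched bank logins now lists an enterprise webmail host.
SAMPLE_CONFIG = json.dumps({
    "c2": ["203.0.113.10:443", "c2-relay.example.net:8080"],
    "targets": [
        {"url": "*://mail.example-corp.com/*", "action": "grab_post"},
        {"url": "*://*.example-corp.com/owa/*", "action": "grab_post"},
        {"url": "*://login.example-bank.test/*", "action": "webinject"},
    ],
})

# Constructed inventory of the organisation's own internet-facing systems.
OWN_INTERNET_FACING = [
    "https://mail.example-corp.com/owa/auth.owa",
    "https://vpn.example-corp.com/login",
    "https://intranet.example-corp.com/",
]


def parse_config(raw):
    """Return (targets, c2) from the decoded JSON config.

    targets is a list of (url_pattern, action); c2 is a list of host:port strings.
    """
    cfg = json.loads(raw)
    targets = [(t["url"], t["action"]) for t in cfg.get("targets", [])]
    c2 = list(cfg.get("c2", []))
    return targets, c2


def matching_targets(targets, own_urls):
    """Map each of our own URLs to the config patterns that would fire on it.

    Patterns use shell-style wildcards (fnmatch); '*' also spans '/' so a
    pattern like '*://host/*' covers every path on that host.
    """
    hits = {}
    for url in own_urls:
        for pattern, action in targets:
            if fnmatch.fnmatchcase(url.lower(), pattern.lower()):
                hits.setdefault(url, []).append((pattern, action))
    return hits


def c2_blocklist(c2_entries):
    """Split 'host:port' entries into (host, port) tuples for blocking rules.

    Entries without a port yield port None so the caller can block the host.
    """
    out = []
    for entry in c2_entries:
        host, sep, port = entry.rpartition(":")
        if not sep:  # no ':' present: the whole entry is the host
            host, port = entry, ""
        out.append((host, int(port) if port else None))
    return out


def triage(raw_config, own_urls):
    """One-shot summary: exposed assets plus C2 endpoints to block."""
    targets, c2 = parse_config(raw_config)
    return {
        "exposed": matching_targets(targets, own_urls),
        "block": c2_blocklist(c2),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CONFIG, OWN_INTERNET_FACING)
    for url, rules in report["exposed"].items():
        for pattern, action in rules:
            print(f"EXPOSED {url} <- {pattern} ({action})")
    for host, port in report["block"]:
        print(f"BLOCK {host}" + (f":{port}" if port else ""))
```

Run against the constructed sample, the webmail host is the only asset flagged (it matches both the host-wide and the `/owa/` pattern), while the VPN and intranet hosts are not in this configuration; the two C2 endpoints come out as host and port pairs ready for a proxy or egress-firewall rule. The same script run over a later configuration pull is how a responder would notice that the target list, not the binary, is what changed.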