installs a Trojan horse on a victim's computer that's capable of modifying that user's Web transactions as they occur in real time.
• Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. The data can then be retrieved by the person operating the logging program.
• Form grabbing is a form of malware that works by retrieving authorization and log-in credentials from a web data form before it is passed over the Internet to a secure server. This allows the malware to avoid HTTPS encryption.
ZEUS
• Trojan horse malware package that runs on versions of Microsoft Windows.
• It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
• Zeus is spread mainly through drive-by downloads and phishing schemes.
• First identified in July 2007, when it was used to steal information from the United States Department of Transportation.
• It creates a botnet, which is a network of corrupted machines that are covertly controlled by a command and control server under the control of the malware's owner. A botnet allows the owner to collect massive amounts of information or execute large-scale attacks.
• Zeus also acts as a financial services Trojan designed to steal banking credentials from the machines it infects. It accomplishes this through website monitoring and keylogging: the Trojan can get around the security in place on these websites, as the keystrokes required for logging in are recorded as the user enters them.
• The spam messages often come in the form of email, but there have been social media campaigns designed to spread the malware through messages and postings on social media sites. Once users click on a link in the email or message, they are directed to a website that automatically installs the malware.
• Drive-by downloads happen when the hackers are able to corrupt legitimate websites, inserting their malicious code into a website that the user trusts. The malware then installs itself when the user visits the website or when the user downloads and installs a benign program.
How to Protect Yourself
• Prevention through safe Internet practices is always the first step in staying safe from the Zeus malware. This means avoiding potentially dangerous websites, like those offering illegal free software, adult material or illegal downloads, as the owners of these types of websites often have no problem allowing malware owners to host their software on the site. Being safe also means not clicking on links in email or social media messages unless you were expecting the message. Remember: even if the message is from a trusted source, if that source is afflicted with Zeus, the message could still be corrupt.
• Staying safe also means being safe when interacting with financial institutions online. Two-factor authentication, where the website sends a confirmation code to a mobile device to confirm the login, is a must. Remember, though, that some offshoots of Zeus have also infected mobile devices, so this kind of authentication shouldn't be seen as a cure-all.
• A powerful, updated antivirus solution is a must. These kinds of solutions will not only help protect you from visiting unsafe websites where you might find the Trojan, but can detect the Trojan when it downloads, tries to install or tries to run. Additionally, these solutions can scan your system and remove the malware if it already exists on your machine.
• While there are a number of antivirus solutions out there, including a number that offer a free trial period, it's important to choose one from a leader in the industry that updates its solutions constantly.
The fact that the Zeus source code is public means that there will be no end to the damage this malware can do, and every few years you can expect new versions of the malware to arise. Only a security vendor that is constantly vigilant against new threats has what it takes to truly protect you from the Zeus Trojan in the future.
NEVERQUEST
• NeverQuest is a type of malicious software, or malware, known as a banking Trojan.
• It can be introduced to victims' computers through social media websites, phishing emails, or file transfers. Once installed on a victim's computer, NeverQuest is able to identify when a victim attempts to log onto an online banking website and transfer the victim's login credentials, including his or her username and password, back to a computer server used to administer the NeverQuest malware.
• Once surreptitiously installed, NeverQuest enables its administrators to remotely control a victim's computer and log into the victim's online banking or other financial accounts, transfer money to other accounts, change login credentials, write online checks, and purchase goods from online vendors.
• HACKER: RUSSIAN
• MOST AFFECTED COUNTRY: GERMANY
• Downloading and running executable files
• Stealing cookie files
• Stealing certificates from the operating system store
• Getting the list of running processes
• Clearing the browser cache folder and deleting cookie files
• Removing copies of malware files
• Starting and stopping a SOCKS proxy server
• Starting and stopping a VNC remote access server
• Downloading and running updates of the malware (with or without restarting the computer)
• Running commands via ShellExecute()
• Deleting Registry entries
• Stealing passwords stored in FTP clients
• Deleting information about copies of the malware from the Registry
• Copying files (specified via pattern mask) from an infected computer
• Viewing the user's web history
• Secretly recording video and sending recorded video to the cybercriminals' server
• Getting video files by their number
• Deleting video files by their number
GOZI
• GOZI is spyware that monitors network traffic. It also gets login credentials stored in browsers and mail applications. It has screen capture and keylogging functions. It uses a rootkit component to hide related processes, files and registry information.
• Gozi V3 is distributed via spam mails which link to a malicious file, such as an obfuscated Visual Basic script, which acts as a dropper component. The dropper component downloads and executes an executable with a valid digital signature.
DRIDEX
• Actors typically distribute Dridex malware through phishing e-mail spam campaigns. Phishing messages employ a combination of legitimate business names and domains, professional terminology, and language implying urgency to persuade victims to open attachments. Sender e-mail addresses can simulate individuals (name@domain.com), administrative accounts (admin@domain.com, support@domain.com), or common "do not reply" local parts (noreply@domain.com).
Subject and attachment titles can include typical terms such as "invoice", "order", "scan", "receipt", "debit note", "itinerary", and others.
• Recent versions of Dridex exploit vulnerability CVE-2017-0199, which allows remote execution of code. This vulnerability is specific to Microsoft Office and WordPad. Microsoft released a patch in 2017.
RAMNIT
• The first Ramnit variants that emerged in 2010 were viruses that infected EXE, DLL and HTML files found on the computer. Later variants included the ability to steal confidential data from the infected machine.
• At its peak in 2015, Ramnit was estimated to have infected 3,200,000 PCs [3]. Ramnit infects removable media such as USB drives and also hides itself within the master boot record. [4] [5]
GOZNYM
• The criminal network used GozNym malware in an attempt to steal an estimated $100 million from more than 41 000 victims, primarily businesses and their financial institutions.
• Spammers were employed to create and send hundreds of thousands of phishing emails. The emails, designed to look like legitimate business correspondence, encouraged the recipient to click on a malicious link or file attachment. Word .doc attachments with encrypted VBA macros are, surprisingly, still an effective technique. If the social engineering trick worked, the victim's machine was redirected to a server that dropped the GozNym malware.
• The purpose of the GozNym malware is to capture victims' banking login credentials and deliver these to the gang, who would then use the captured credentials to fraudulently gain access to victims' accounts. The stolen funds were then laundered through U.S. and other foreign bank accounts controlled by the criminals.
TINBA
called Tinba, is a malware program that targets financial institution websites. man-in-the-browser attacks and network sniffing.
Since its discovery, it has been found jor banking institutions in the United States, including TD Bank, Chase, HSBC, Wells F ed to steal users' sensitive data, such as account login information and banking codes ket sniffing, a method of reading network traffic, to determine when a user navigates unch one of two different actions, depending on the variation. In its most popular for causing a man-in-the-middle attack. The Trojan uses Form grabbing to grab keystrokes ba then sends the keystrokes to a Command & Control. This in turn causes a user's inf Tinba has used is to allow the user to log into the webpage. Once the user is in, the m act the company's logo and site formatting. It will then create a pop-up page informin sting additional information, such as social security numbers.[4] Most banking instituti or this information as a way to defend against these types of attacks. Tinba has been m gun asking users for the type of information asked as security questions, such as the u he attacker to use this information to reset the password at a later time.[5] to other system processes, in an attempt to convert the host machine into a zombie, maintain connection in the botnet, Tinba is coded with four domains, so if one goes do an can look for one of the others immediately.[6]
GOOTKIT
• The Gootkit banking Trojan was discovered back in 2014, and utilizes the Node.JS library to perform a range of malicious tasks, from website injections and password grabbing all the way up to video recording and remote VNC capabilities.
• Gootkit's main functions are focused on stealing data from browsers. It can extract and exfiltrate data such as browsing history, passwords, and cookie files, and supports extracting this information from multiple browser types, from Chrome to Internet Explorer.
• Furthermore, Gootkit can also log what users enter inside web forms.
• Was earlier used for banking fraud.
QADARS
• Qadars is a sophisticated and dangerous Trojan used for crimeware-related activities including banking fraud and credential theft. Qadars targets users through exploit kits and is installed using PowerShell scripts.
• Qadars targets multiple well-known banks in the UK and Canada and is capable of stealing infected users' two-factor authentication codes and banking credentials through the deployment of webinjects.
ROVNIX
• Rovnix is considered a serious threat to the banking industry.
• Threat actors used high-quality crafted Japanese-language emails that include ZIP files containing fake invoices, and Rovnix, a crimeware kit very popular in the criminal underground.
• The ZIP files seemingly come from .ru domains (Russia); when victims open an invoice, it triggers the malware's execution. The malicious code is able to inject JavaScript into the login form used by 14 Japanese banks. The code is used by attackers to launch a man-in-the-middle attack while users are trying to access their bank accounts, and the scripts are also able to defeat two-factor authentication.
• In some cases, the experts discovered Rovnix providing instructions for the victims to download an Android app onto a mobile device. That malicious app contains the Rovnix component for SMS hijacking, which listens for incoming SMS messages containing transaction authorization codes from the bank.
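The delivery characteristics given above for Dridex (sender local parts, subject lures, urgency wording), GozNym (Word attachments with macros) and Rovnix (ZIP invoices from .ru domains) can be turned into a mail-triage heuristic. The following is an added example written for this page, not code from any of the sources quoted; the indicator weights, the quarantine threshold and the sample message are my own assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from pathlib import Path

# Indicators drawn from the delivery patterns this page describes (Dridex sender
# local parts, subject lures and urgency wording; GozNym .doc macro lures; Rovnix
# ZIP invoices from .ru domains). Weights and the threshold are my own assumptions.
SUSPICIOUS_LOCAL_PARTS = {"admin", "support", "noreply", "no-reply"}
LURE_TERMS = ("invoice", "order", "scan", "receipt", "debit note", "itinerary")
URGENCY_TERMS = ("urgent", "immediately", "overdue", "final notice")
RISKY_SUFFIXES = {".doc", ".docm", ".zip", ".vbs", ".exe"}
QUARANTINE_THRESHOLD = 3

def score_message(raw):
    """Return (score, indicators) for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    hits = []
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().partition("@")
    if local in SUSPICIOUS_LOCAL_PARTS:
        hits.append("sender local part: " + local)
    if domain.endswith(".ru"):
        hits.append("sender domain: " + domain)
    subject = msg.get("Subject", "").lower()
    hits += ["lure term in subject: " + t for t in LURE_TERMS if t in subject]
    hits += ["urgency wording: " + t for t in URGENCY_TERMS if t in subject]
    score = len(hits)
    for part in msg.walk():  # a risky attachment weighs more than wording alone
        name = part.get_filename()
        if name and Path(name).suffix.lower() in RISKY_SUFFIXES:
            hits.append("risky attachment: " + name)
            score += 2
    return score, hits

def triage(raw):
    """Mail-gateway verdict: quarantine once enough indicators coincide."""
    return "quarantine" if score_message(raw)[0] >= QUARANTINE_THRESHOLD else "deliver"

# Constructed sample lure modelled on the page's description (not a real email).
SAMPLE_LURE = """\
From: Accounts Payable <noreply@supplier-example.ru>
Subject: Overdue invoice 4471 - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice_4471.zip"

--b1--
"""
```

Calling `triage(SAMPLE_LURE)` returns "quarantine" because the sender, the .ru domain, the subject lure and the ZIP attachment all fire; a plain message with none of these indicators scores 0 and is delivered.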