Banking Trojans - Hands up! Manos Arriba! Give me your Money!

If you are ever unfortunate enough to be on the receiving end of any of those three demands, the choices you make in the next few moments will determine what happens to you and your money. Whatever choice you make, you will be keenly aware of the outcome.

Make no mistake. A Banking Trojan used against you accomplishes the same result with one major difference. You don’t know you’ve lost anything until the next time you check your balance on your bank account.

Banking Trojans have been around for years, but one in particular, The Trickbot Bank Trojan released in the Summer of 2016, has recently become much more dangerous with the addition of a combination of features known as redirection, a form of what is referred to as “Man in the Browser” or (MITB) attacks and Code or Web Injection to inject malicious code into web browsers such as IE, Chrome, Firefox, etc. Limor Kessem, an IBM Executive Security Advisor and Cyber Intelligence expert writes in a recent blog that Trickbot implements two of the “most advanced browser manipulation techniques observed in banking malware in the past few years.”

Trickbot now accounts for about 4% of all attacks globally. The Trojan is commonly delivered to bots that are members of the Necurs Botnet, one of the largest collection of Bots in the world. The Bot’s developers continuously work together with other distributors of malware to improve their product and have just recently, started attacking US Banks and users who transact with them online. The proverbial “gun in your back” comes when you conduct an online transaction through a browser on an infected machine to a compromised bank or payment processor such as PayPal.

MITB Attacks are not new and are common in Phishing attacks. In fact we train our users and customers to “hover” over any URL before clicking to confirm the target. Trickbot, however, is different in that the target shown will match the URL that you intended to see. The redirection in this case, is customized and supplemented with maliciously injected code as it redirects you to the fake site that looks exactly like the target of your original banking transaction while at the same time maintaining a connection to the genuine site.

You will unknowingly enter your credentials, even answering any security questions the bank may ask you, finish your transaction, logout and be on your way. Some people have even compared this to theft by skimmers at a gas station. You and the bank are unaware anything has happened. The result is the same. Your credentials are stolen for later use by a thief.

How does Trickbot get in to your network? It is usually brought in by users through email in one of two ways; It can come in as a spam email containing a zipped Windows Script File attachment disguised in endless configurations that you absent-mindedly click on or it can come in through a document attached to an email that claims to have been created in an earlier version of Word and asks you to both click on “Enable Editing” and then to “Enable Content”. These actions of course do neither and the Trickbot is downloaded.

Once a machine is infected, the code is smart enough to tie into legitimate Windows APIs, self-authenticate, create a service task for persistence in your scheduler, self-modify, extract code dynamically and to use encryption to mask instructions received from its C2 servers to avoid detection.

So what tools can protect you?

Use deterrent, preventive, and reactive countermeasures in a layered defense such as:

  • Conduct a comprehensive risk and technical infrastructure assessment
  • Re-visit the design or re-design your network architecture
  • Utilize DNS and IP layer, intelligent proxy and C2 blocking tools
  • Employ Multi-Factor Authentication solutions
  • Conduct Security Awareness and Anti-Phishing Training for you and your staff
  • Consider use of APT Advanced Sensors to protect your network
  • Utilize email anti-spam filtering and set as high as possible to block malware attachments
  • Consider 24x7x365 Cyber Security Operations Center security monitoring for your network
  • Ensure that your Anti-Virus scan engines are up to date and contain Endpoint Detection & Response (EDR)
  • Employ monthly external vulnerability scans
  • Conduct periodic external penetration tests of your networks
  • Use a Managed Services Provider that offers Managed Security as a Service as well 


Kessem, L. (2016, January 1). Mitigating Malware in a Modern, Mobile World. Retrieved from

Kessem, L. (2017, July 19). TrickBot Habla Español: Trojan Widens Its Attack Scope in Spain, Brings Redirection Attacks to Local Banks. Retrieved from

Kessem, L. (2017, April 27). TrickBot Is Hand-Picking Private Banks for Targets — With Redirection Attacks in Tow! Retrieved from

Mimoso, M. (2016, October 17). TRICKBOT BANKING TROJAN COULD BE DYRE REWRITE. Retrieved from

Paganini, P. (2017, June 26). TrickBot gang is back with new campaigns targeting Payment Processors and CRM Providers. Retrieved from

Spring, T. (2017, July 21). Trickbot Malware Now Targets US Banks. Retrieved from

Originally published on September 28, 2017

Be a thought leader and share:

Subscribe to Our Blog

About the Author

Cybersecurity and Compliance Cybersecurity and Compliance

Organizations entrust Centre with protecting their technology ecosystem and strengthening their security posture. Centre’s cybersecurity and compliance solutions delivers layered IT security to protect businesses’ employees, customers, and content from known and unknown threats. Through employee awareness training, detailed security assessments, and 24x7 threat containment, Centre is a trusted partner for businesses seeking comprehensive network and data protection. Learn more about Cybersecurity and Compliance »

Follow on LinkedIn »