Financially motivated banking Trojans are analyzed for how they evade detection, steal data, and serve as infrastructure to deliver other malware. The article covers families such as Zeus, Kronos, Trickbot, IcedID, Emotet and Dridex, and discusses defenses like Cortex XDR and WildFire. #Zeus #Kronos #Trickbot #IcedID #Emotet #Dridex #Webinjects #HeavensGate #AtomBombing #NamedPipes
Keypoints
- Banking Trojan families (Zeus, Kronos, Trickbot, IcedID, Emotet, Dridex) are used as infrastructure to deliver other malware, illustrating monetization over espionage.
- Webinjects inject HTML/JavaScript into browsers to steal credentials and manipulate form data, intercepting HTTP headers before encryption.
- Infecting web browsers at process creation: the malware injects into the process expected to launch the browser (e.g., explorer.exe) and hooks the process-creation APIs there, so that it can inject into the real target browser as soon as it starts.
- Inter-process communication often uses named pipes to coordinate the main bot and injected modules across processes (e.g., Trickbot’s named pipe server).
- Heaven’s Gate allows 32-bit processes to execute 64-bit code to evade some defenses and analysis, used by loaders like Trickbot/Emotet.
- Evasive process hollowing by entrypoint patching avoids detections built around NtGetContextThread/NtSetContextThread: instead of unmapping the main image and redirecting the thread context, the loader patches the entry point with a small jump to the payload.
- PE injection, process injection via hooking, and AtomBombing illustrate multiple injection vectors used to stay hidden and execute payloads.
MITRE Techniques
- [T1056.003] Web Form Grabbing – Webinjects manipulate web pages to capture credentials; “By intercepting the data before it is encrypted, the malware can read HTTP-POST headers and manipulate them on the fly.”
- [T1055] Process Injection – Hooking and the injection of payloads into legitimate processes to achieve code execution; “This technique utilizes hooking to get code execution, usually by hooking a frequently called API function with a jump to a payload/shellcode.”
- [T1559.001] Inter-Process Communication: Named Pipes – Injected components communicate across processes via named pipes; “They inject their main bot into a Windows process, and then inject their other modules into different processes… They then establish communication between the different processes using named pipes.”
- [T1055] Process Injection – Heaven’s Gate – 32-bit WoW64 to 64-bit code transitions; “Heaven’s Gate is a technique used by malware, which enables a 32-bit (WoW64) process to execute 64-bit code by performing a far jump/call using segment selector 0x33.”
- [T1055] Process Injection – Evasive Process Hollowing by Entrypoint Patching – Patch entry point instead of unmapping; “patch the process entry point with a small jump that redirects execution to the payload without actually using NtGetContextThread/NtSetContextThread functions or unmapping the main image.”
- [T1055] Process Injection – PE Injection – Write a mapped PE into a remote process; “Common injection methods used by banking Trojans involve writing a mapped PE into a remote process using WriteProcessMemory.”
- [T1055] Process Injection – Process Injection via Hooking – Hooking API calls to execute payloads; “Hooking can be used as an injection technique… by hooking a frequently called API function with a jump to a payload.”
- [T1055] Process Injection – AtomBombing – APC and atom-table based payload delivery; “AtomBombing is a technique that allows malware to inject code while avoiding calling suspicious APIs… The unique idea behind AtomBombing is the write-primitive, which allows writing to the remote process using atom tables and APC.”
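The two behaviours the MITRE list ties together, a cross-process write/thread into a browser (PE injection) followed by named-pipe creation in the injected process (module-to-bot IPC), can be correlated in endpoint telemetry. The script below is an added detection example, not code from the Unit 42 article or from any product it mentions. It assumes Sysmon-style records for ProcessAccess (event 10), CreateRemoteThread (event 8) and PipeEvent/Pipe Created (event 17); the event dictionaries, PIDs and the pipe name `\pipe\constructed-bot-ipc` are constructed for the example.

```python
"""Correlate constructed Sysmon-style events for the injection and IPC
patterns described above: a non-browser process obtaining write/thread
rights on a browser and creating a remote thread in it, then that browser
process creating a named pipe. Sample events are constructed for this
example and are not from the original article."""
from collections import defaultdict

# Browser images that webinject-capable bots target.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
# PROCESS_VM_WRITE (0x20) and PROCESS_CREATE_THREAD (0x02) bits of GrantedAccess.
VM_WRITE, CREATE_THREAD = 0x20, 0x02

# Constructed telemetry shaped like Sysmon event IDs 10, 8 and 17.
EVENTS = [
    # explorer.exe opens chrome.exe with full access, then creates a remote thread in it.
    {"id": 10, "src": r"C:\Windows\explorer.exe", "src_pid": 1200,
     "dst": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dst_pid": 4410,
     "access": 0x1FFFFF},
    {"id": 8, "src": r"C:\Windows\explorer.exe", "src_pid": 1200,
     "dst": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dst_pid": 4410},
    # The injected browser process then creates a named pipe (constructed name).
    {"id": 17, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "pid": 4410, "pipe": "\\pipe\\constructed-bot-ipc"},
    # Benign: a browser querying its own renderer with PROCESS_QUERY_LIMITED_INFORMATION.
    {"id": 10, "src": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "src_pid": 4410,
     "dst": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dst_pid": 4412,
     "access": 0x1000},
    # Benign: a pipe created by a process that never received an injection.
    {"id": 17, "image": r"C:\Windows\System32\svchost.exe", "pid": 880,
     "pipe": "\\pipe\\constructed-service-pipe"},
    # Benign: browser-to-browser remote thread (same image family).
    {"id": 8, "src": r"C:\Program Files\Mozilla Firefox\firefox.exe", "src_pid": 5100,
     "dst": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_pid": 5104},
]


def basename(image):
    """Return the lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, source_or_pid, target) alerts in event order.

    A browser PID is marked 'injected' once a non-browser process obtains
    write/thread rights on it or creates a remote thread in it; a pipe later
    created by that PID is then reported as likely bot/module IPC."""
    alerts = []
    injected = defaultdict(set)  # browser pid -> reasons it was marked injected
    for ev in events:
        if ev["id"] == 10:
            src, dst = basename(ev["src"]), basename(ev["dst"])
            if dst in BROWSERS and src not in BROWSERS and ev["access"] & (VM_WRITE | CREATE_THREAD):
                alerts.append(("process_access_into_browser", ev["src_pid"], ev["dst_pid"]))
                injected[ev["dst_pid"]].add("access")
        elif ev["id"] == 8:
            src, dst = basename(ev["src"]), basename(ev["dst"])
            if dst in BROWSERS and src not in BROWSERS:
                alerts.append(("remote_thread_into_browser", ev["src_pid"], ev["dst_pid"]))
                injected[ev["dst_pid"]].add("thread")
        elif ev["id"] == 17:
            if ev["pid"] in injected:
                alerts.append(("pipe_created_by_injected_process", ev["pid"], ev["pipe"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Both ProcessAccess and PipeEvent records are only produced when the Sysmon configuration enables them, so the rules need matching include filters. The ProcessAccess rule on its own is noisy, since explorer.exe legitimately launches browsers and many tools open browser processes; the value here is the correlation, which reports a pipe only for a browser PID that earlier received write/thread access or a remote thread from a non-browser image.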
Indicators of Compromise
- [File Hash] Trickbot (testnewinj32Dll.dll) – 4becc0d518a97cc31427cd08348958cda4e00487c7ec0ac38fdcd53bbe36b5cc
- [File Hash] Trickbot Webinjects – ef6603a7ef46177ecba194148f72d396d0ddae47e3d6e86cf43085e34b3a64d4
- [File Hash] Emotet – dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740
- [File Hash] Kronos – aad98f57ce0d2d2bb1494d82157d07e1f80fb6ee02dd5f95cd6a1a2dc40141bc
- [File Hash] Zeus – 0f409bc42d5cd8d28abf6d950066e991bf9f4c7bd0e234d6af9754af7ad52aa6
- [File Hash] IcedID – 358af26358a436a38d75ac5de22ae07c4d59a8d50241f4fff02c489aa69e462f
- [File Hash] Dridex – ffbd79ba40502a1373b8991909739a60a95e745829d2e15c4d312176bbfb5b3e
Read more: https://unit42.paloaltonetworks.com/banking-trojan-techniques/