Banking Trojans flood the enterprise, Android attacks surge

Kaspersky Lab detected 900,000 attacks against users in 2018 alone.
Written by Charlie Osborne, Contributing Writer

The use of financial and banking Trojans against organizations and consumers alike is a problem which is steadily growing, with frequent attacks being recorded against enterprise organizations.

On Thursday, researchers from Kaspersky Lab revealed data on the use of financial malware, which was detected in close to 900,000 attacks against users in 2018 -- an increase of 16 percent in comparison to 767,000 attacks in 2017.

Banking Trojans, including BackSwap, Zeus, Emotet, and Gozi, focus on compromising systems in order to create a persistent backdoor.

This backdoor is used to connect to a command-and-control (C2) server for the purposes of data theft, including online account credentials and keylogs, potentially leading to bank accounts being compromised and identity theft.

Zbot and Gozi are the most widely used Trojans -- accounting for over 26 percent and 20 percent of attacked users respectively -- alongside SpyEye, which is attributed to 15.6 percent of campaigns.

The cybersecurity firm said that the RTM banking Trojan (.PDF) has also been detected in many of the recent attacks on record, leading to a spike in financial malware activity across the globe.

Now known as Redaman, the malware was also detected in a four-month campaign against Russian citizens by Palo Alto Networks last year, in which phishing campaigns attempted to leverage the threat of debt and debt recovery to entice Russian victims into downloading the Trojan payload.

"When it comes to individual users, we can say that 2018 didn't give them much respite from financial threats," said Oleg Kupreev, security expert at Kaspersky Lab. "We witnessed particular interest in the RTM banking Trojan, whose explosive growth pumped up the figures for 2018."

The most common method employed by cyberattackers when deploying financial malware is the use of phishing messages. Kaspersky Lab says that in 2018, 44.7 percent of all phishing detections were financially-based, with 14 percent and 8.9 percent of these campaigns relating specifically to payment systems and e-commerce.

Cyberattackers have used well-known brands including Amazon, Mastercard, Visa, and PayPal in mass phishing attempts.
In total, close to 25 percent of 2018's cyberattacks relating to financial malware focused on corporate targets, a percentage which has remained consistent over the past few years.

Android users are also increasingly becoming targets of financial malware. In 2018, the number of Android users who encountered banking Trojans tripled to roughly 1,800,000 worldwide.

Russia was the most targeted country in 2018 for financial Trojans, accounting for a 22 percent share of all global attacks. Germany followed with a share of over 20 percent. India, Vietnam, Italy, the US, and China also earned a place on the most-targeted list over the course of last year.

In February, Cybereason's Nocturnus Research team outlined the emergence of a new variant of the Astaroth Trojan. Astaroth is being used in active campaigns across Brazil and Europe and has snared thousands of victims so far. The Trojan also has an unusual feature: it leverages legitimate processes used by traditional antivirus software to steal user data.
