Dridex Leads Banking Trojan Attack Trends

2015 saw a fluctuating number of attacks using banking trojans, with Dridex taking on a dominant position.

G DATA has released its H2 2015 Malware Report, which found that attacks by banking trojans mainly targeted English-speaking countries, with 80% of all target sites located in the Anglophone region.

“In the beginning of the second half of 2015, it initially appeared that attacks by banking trojans had been significantly reduced,” said Tim Berghoff, security evangelist, G DATA. “In fact, Swatbanker, a previously dominant trojan, almost completely disappeared from the picture. However, in December, our researchers found that Dridex was responsible for a huge wave of attacks through phishing emails, showing that banking trojans are clearly still a major concern.”

In all, there were 5,143,784 new malware variants in 2015—just under the amount for 2014. Following a rapid increase in the second half of 2014 and the first half of 2015, the outbreaks appeared to have abated. In the second half of the year, G DATA’s security researchers recorded a total of 2,098,062 new signature variants, which is 31% less than the first half.

At the beginning of the half-year, no Trojan held a dominant position. In July, 25% fewer Trojan attacks were recorded than in the previous month, and this figure halved again in August. However, as the second half of the year unfolded, there was a resurgence in the level of attacks, and in October the level of infection reached that of July again.

In November, a major Russian cybercrime ring was broken up. A connection with the Dyreza Trojan was suspected, the activities of which were virtually eliminated after the group was taken down. In addition, Tinba and also ZeuS, together with all its variants, were subsequently recorded much more rarely, with the result that the level of attack for November was only slightly above that of August again.

In December, the already well-known banking Trojan Dridex built up a significant lead. The criminals behind Dridex used spam email containing fictitious invoices or supposed tax refunds to lure recipients into their trap. Overall the level of infection ended up back at that for July.

“It is hard to predict the continued development of the existing players,” G DATA said in the report. “For example, it is questionable whether the attackers behind Swatbanker will return with their previous intensity in the foreseeable future. The attackers behind Dridex are distributing their malware as the Swatbanker attackers did previously, primarily via spam email. However, the attacks here appear to be occurring more constantly and not intermittently, as with Swatbanker. We expect Dridex to continue to have a significant proportion of the detections in the coming months. Gozi was equally constant, so further attacks can be expected from this as well.”

The decreasing volume of attacks might ultimately hint at a paradigm shift on the part of the attackers. While the attacks in recent years have primarily targeted the masses, the focus may now be shifting towards smaller yet particularly lucrative targets, especially corporate accounts.
