Threat Analysis

Banking Botnets Persist Despite Takedowns

Download the PDF


Since the Dell SecureWorks Counter Threat Unit™ (CTU™) research team published information about the top banking botnets of 2013, threats to banks and other financial institutions have grown and matured, and cybercriminals have become far more creative and increasingly organized. Although banks and financial institutions constantly improve their security measures to protect their online customers, the introduction of new malware families and the continual improvements to active malware campaigns pose challenges to the organizations and their customers.

Between mid-2014 and early 2015, coordinated efforts involving law enforcement and private-sector industry disrupted three of the most active banking botnets. Global law enforcement partnered with companies across national boundaries to launch two separate operations targeting the Gameover Zeus and Shylock botnets. In Operation Tovar, security researchers exploited design flaws in the Gameover Zeus peer-to-peer (P2P) network, disrupting the criminal infrastructure by manipulating the peer list and redirecting traffic to nodes under the researchers’ control. A few weeks after Operation Tovar, another global operation led to the seizure of command and control (C2) servers and botnet-related domains associated with the Shylock infrastructure. In early 2015, Europol collaborated with multiple law enforcement and industry partners to seize servers and other important infrastructure owned by group behind the Ramnit botnet.

Cybercriminals quickly adapt to countermeasures and takedowns by improving their software and establishing new sophisticated banking botnets. New threats arise with emerging technologies, and attacks on mobile banking platforms and advancements in bypassing standard authentication mechanisms evolved in 2014 and continue to do so.

Key Findings:

CTU analysis of banking botnet activity in 2014 and early 2015 revealed key findings:

  • In addition to traditional banking websites, targets included websites for corporate finance and payroll services, stock trading, social networking, email services, employment portals, entertainment, hosting providers, phone companies, and dating portals.
  • Attackers used banking trojans to target more than 1,400 financial institutions across more than 80 countries.
  • More than 90 percent of banking trojans targeted financial institutions located in the U.S., but institutions in the UK, Germany, Italy, Spain, and Australia were also affected.
  • Attackers focused on targets in Asian countries, where financial institutions implement weaker account security.
  • Dyre, Bugat v5 (also known as Dridex), and Vawtrak (a Gozi variant) emerged after the Gameover Zeus and Shylock takedowns.
  • Botnets increasingly rely on hidden network services such as Tor or the Invisible Internet Project (I2P), which resist surveillance and takedowns.
  • Activity from Zeus and its variants decreased in the second half of 2014, while Dyre, Gozi/Vawtrak, and Bugat v5 activity steadily increased.
  • Dyre and Bugat v5 incorporated private spam mailers, deviating from the "spam as a service" model used by other botnets.
  • There was increased use of Kegotip, Chanitor, Upatre, and Lerspeng as first-stage downloaders/droppers.

Back to more Threat Analyses and Advisories

Talk with an Expert

Thank you for submitting the form! We have received your request. A Secureworks team member will contact you within one business day.