
Banking malware: The most dangerous trojans that have ever existed!

Cyberattacks are one of the most important issues these days. The threats are many, and attackers have many tools at their disposal to target unsuspecting users. One significant threat is so-called banking malware, which in most cases means banking trojans that steal user credentials.

Here we will look at some of the most dangerous and advanced banking malware that has targeted organizations and users.


But first, we will explain the basic concepts of trojans and banking malware.

What is banking malware and how does it work?

A banking malware / Trojan is a malicious program that attempts to gain access to confidential information stored or processed through online banking systems.

"Trojan" is a very common term when talking about banking malware. Banking trojans appear to be legitimate applications, but are actually trying to steal information while avoiding detection. For this reason they are also called trojan malware. The name comes from the classic trick of the Trojan Horse in the Trojan War.


Unfortunately for the average person, banking trojans are extremely sophisticated and often change strategies. They can attack online banking institutions and even steal money from personal or business bank accounts.

Of course, banking malware attacks are not new. Most banks have been offering online banking for many years and criminals have been quick to find ways to capitalize on this new trend.

The banks quickly realized that they were attractive targets for the attackers and responded by enhancing the security of their systems. In turn, criminals soon realized that it was difficult to attack the institutions themselves and so turned to customers.

Theft of customer credentials was an easier method of attack, and that is how the first banking trojans came to be created. Over the years, criminals have evolved their techniques and created more powerful and insidious malware.

Let's look at some of the most dangerous banking trojans that have existed:

Emotet

One of the most popular pieces of malware. It was first spotted by security researchers in 2014 as a simple banking trojan, but it soon became one of the most dangerous malware families of all time. Later versions were more sophisticated, allowing other banking trojans to be installed on infected machines.

The technique of using one piece of malware to install another is not new. Since September 2018, Emotet has used the Windows EternalBlue vulnerability to spread to a large number of machines.

Its main method of distribution was malicious attachments in phishing emails, which were often used as a first step for a ransomware attack.

In January 2021, Emotet's infrastructure was taken down thanks to a coordinated police operation. However, about two months ago, researchers discovered new malware attacks.


Zbot / Zeus

Zeus, also known as Zbot, has been one of the most widespread banking trojans. It first appeared in 2007 and targeted Windows users in order to obtain confidential information from infected computers, mainly through man-in-the-browser attacks and keylogging techniques.

Its basic methods of distribution were drive-by downloads and phishing. After installing itself on the machine, the trojan tried to download configuration files and updates from the Internet.

Zeus files are created and customized using a Trojan-building toolkit, which is available online for cyber criminals.

Zeus was created to steal private data from infected systems, such as system information, passwords, bank credentials, or other financial information.

According to investigators, the creator of the trojan allegedly "retired" and sold the source code to the developer of SpyEye, another banking trojan. Over the years, however, various variants have been created.


Some are able to avoid detection, and others are designed to generate revenue through a pay-per-click model. Although the original version of Zeus has largely been neutralized by anti-virus software, it remains dangerous through its many variants.

SpyEye

SpyEye is data-stealing malware (similar to Zeus) created to steal money from online bank accounts. It was first detected in 2009 and targeted Windows users of popular browsers.

This malware is capable of stealing bank credentials, social security numbers and financial information that could be used to empty victims' bank accounts.

The SpyEye trojan contains a keylogger that tries to steal login credentials for online bank accounts. In addition to these activities, SpyEye initially tried to remove the competing Zeus trojan from target machines.

In 2010, one of the creators of Zeus reportedly shared the trojan source code with SpyEye developers and merged the two toolkits. In 2016, a Russian and an Algerian were sentenced to prison for developing and distributing SpyEye.

Shylock

The creators of Shylock clearly valued Shakespeare, as this trojan got its name from The Merchant of Venice. It appeared in July 2011.

Using man-in-the-browser attacks, the trojan stole bank credentials and tricked users into transferring money to accounts controlled by attackers.

It continued to expand during 2012 and maintained its presence until 2014. Unlike other banking trojans, Shylock targeted specific areas, mainly the United Kingdom, although some US banking institutions also appeared on the list of targets.

In July 2014, an Eastern European gang linked to Shylock was forced to shut down domains and servers.



TrickBot

The TrickBot malware targets the user's financial information and is usually spread through malicious emails. It was first mentioned in 2016.

Its first targets were banks in Australia, the United Kingdom and Canada, as well as German and US credit card companies.

Although created as a banking trojan, TrickBot evolved into modular, multi-stage malware that provides its operators with many tools to carry out a huge number of illegal activities.

It is known to use man-in-the-browser attacks to obtain information such as credentials, and it can use macros in Excel documents to download and deploy malware on users' devices.


TrickBot is associated with some of the most well-known cyber-attacks, as it is often the starting point for a ransomware attack.



Panda

A variant of Zeus, first discovered in Brazil in 2016.

Panda uses many of Zeus' traditional techniques, including man-in-the-browser (MITB) attacks and keylogging, but stands out due to its advanced stealth capabilities.

This has made analysis of the malware more difficult.

A Panda attack can start with spam messages with malicious attachments.

This banking malware has targeted financial institutions, cryptocurrency exchange services, as well as social media sites.


DanaBot

It first appeared in mid-2018 targeting Australian users, but then started targeting European banks and email providers, as well as US companies. The DanaBot banking malware has many variants and operates as malware-as-a-service.

The multi-stage infection starts with a dropper that triggers a gradual escalation of malicious actions.

These actions include interception of network requests, collection of credentials, exfiltration of sensitive information, ransomware attacks, and installation of spyware and cryptominers.


Bizarro

Bizarro is one of the latest banking trojans. It mainly targets Europe and large parts of South America, trying to steal consumers' financial information and mobile crypto wallets.

Many of the victims of this trojan are from Italy, France, Spain and Portugal, but Bizarro is believed to have originated in Brazil.

The malware spreads either through malicious links contained in spam emails or through a trojanized application.

Once the malware is installed on the target device, a complex backdoor allows the criminals to use keyloggers to collect personal login information, and also to target the victim's crypto wallet.

How to protect yourself from banking malware

What can users do?

  • Update all software and systems.
  • Download applications and files only from trusted sources.
  • Use two-factor authentication, where possible, and implement all the security features offered by the online banking service.
  • Use a password manager.
  • Learn how to detect phishing emails.

What can businesses do?

  • Train employees to identify cyber threats.
  • Use a powerful and reliable firewall.
  • Install a privileged access management solution so that no intruder can access the IT infrastructure.
  • Use a traffic filtering solution to detect hidden network threats.

Digital fortress