
Intelligence received at the Scottish Business Resilience Centre is warning of a current and active banking trojan campaign seen in the UK and around the globe.

The new malware evades signature-based antivirus detection by appending junk data so that the file becomes too large for security tools that impose a file-size limit on what they scan – a method known as binary padding. The malware has also been seen compressing and encrypting its executables to avoid detection, a technique known as software packing.

Banking trojans are a form of malware used mainly to steal banking credentials. A trojan is a type of malware that hides within a seemingly legitimate application – the name comes from the famous Greek story of Odysseus’s plan to get his men into the walled city of Troy using a giant wooden horse.

Trojans have several hiding methods. While some may hide in programs downloaded from unsafe sites on the internet, such as illegal copies of games or free software, others come within email attachments disguised as typical Word documents, PDFs, or zip files.

Prevention:

The use of binary padding and software packing to evade signature-based detection highlights the need for additional heuristic-based malware detection in organisations. This could include an antivirus that analyses files for their purpose, destination and intent, and emulation of files in a controlled virtual environment to test for malicious actions. Additionally, malware using the above evasion methods can be detected by assessing file metadata for known software packers or for artefacts of packing techniques.
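As an added illustration of the metadata and artefact checks described above (example code written for this page, not from the SBRC advisory or any vendor tool), the following Python script applies three heuristics to a file's raw bytes: a long trailing run of a single repeated byte (binary padding), high entropy in the remaining body (compressed or encrypted code), and a short illustrative list of section names that well-known packers leave behind. The sample input is constructed inline, and the scan-size limit and entropy threshold are assumed values a team would tune for its own scanner.

```python
import math
import random
from collections import Counter

# Illustrative section names left in PE headers by well-known packers (not exhaustive).
PACKER_MARKERS = [b"UPX0", b"UPX1", b".aspack", b".vmp0", b".vmp1", b".petite", b"MPRESS1"]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed/encrypted data, 0.0 for one repeated byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def trailing_padding_length(data: bytes) -> int:
    """Length of the run of one repeated byte value at the end of the file (simple junk-padding check)."""
    i = len(data)
    while i > 0 and data[i - 1] == data[-1]:
        i -= 1
    return len(data) - i

def assess(data: bytes, scan_size_limit: int = 100 * 1024 * 1024) -> dict:
    """Apply the three heuristics; scan_size_limit stands in for a scanner's maximum file size (assumed)."""
    pad = trailing_padding_length(data)
    body = data[: len(data) - pad]  # everything before the padding run
    findings = {
        "size_bytes": len(data),
        "exceeds_scan_limit": len(data) > scan_size_limit,
        "trailing_padding_bytes": pad,
        "padding_ratio": pad / len(data) if data else 0.0,
        "body_entropy": round(shannon_entropy(body), 2),
        "packer_markers": [m.decode() for m in PACKER_MARKERS if m in data],
    }
    findings["likely_packed"] = findings["body_entropy"] > 7.2  # assumed threshold
    findings["suspicious"] = (findings["padding_ratio"] > 0.5 or findings["likely_packed"]
                              or bool(findings["packer_markers"]))
    return findings

def constructed_sample() -> bytes:
    """Constructed fake binary: a UPX-style marker, 64 KiB of pseudo-random 'packed' content, 512 KiB of zero padding."""
    rng = random.Random(7)
    packed = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    return b"MZ" + b"\x00" * 6 + b"UPX0" + packed + b"\x00" * (512 * 1024)

if __name__ == "__main__":
    for key, value in assess(constructed_sample()).items():
        print(f"{key}: {value}")
```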

Having strict security rules on which devices staff can use for work within your organisation, and on what files can be downloaded onto work devices, can help prevent malware from reaching your network.

To protect your organisation against malware:

  • Ensure that a system administrator must approve any new software before it is downloaded.
  • Keep your antivirus turned on and updated on all work devices.
  • Regularly check that all your devices and software are on the latest updates.
  • Limit the use of USB drives within your organisation. You can do this by blocking access to physical USB ports for most users and only allowing approved drives to be used with your organisation’s devices (and nowhere else).
  • Teach colleagues about the dangers of malware and where it can originate from, such as from phishing emails or malicious or compromised websites.
  • Use a non-administrator account for day-to-day activities – only use admin accounts for administrative purposes on your network.