A new banking trojan is seen in the UK evading antivirus detection

13.10.22

Threat Intelligence Alerts

Intelligence received at the Scottish Business Resilience Centre is warning of a current and active banking trojan campaign seen in the UK and around the globe.

The new malware is evading signature-based antivirus detection by adding junk data to make the code too big for some security tools to handle due to file size limitations – a method known as binary padding. The malware has also been seen compressing and encrypting its executables to avoid detection, a technique known as software padding.

Banking trojans are a form of malware used mainly to steal banking credentials. A trojan is a type of malware that hides within a seemingly legitimate application – the name comes from the famous Greek story of Odysseus’s plan to get his men into the walled city of Troy using a giant wooden horse.

Trojans have several hiding methods. While some may hide in programs downloaded from unsafe sites on the internet, such as illegal copies of games or free software, others come within email attachments disguised as typical Word documents, PDFs, or zip files.

Preventions:

The use of binary and software padding to evade signature-based detection highlights the need for additional heuristic-based malware detection in organisations. This could include having an antivirus that analyses files to check for their purpose, destination, and intent and emulating files in a controlled virtual environment to test for malicious actions. Additionally, malware using the above evasion methods can be detected by assessing file metadata for known software packers or artefacts of packaging techniques.

Having strict security rules on which devices staff can be used for work within your organisation and what files can be downloaded onto work devices can help prevent malware from accessing your network.

To protect your organisation against malware: