Financial malware is evolving through collaboration between malware creators, according to the results of Kaspersky Lab’s IT threat evolution report for Q2. During the quarter, Kaspersky Lab products blocked 1,132,031 financial malware attacks on users, a rise of 15.6% compared to the previous quarter.
One of the reasons for the rise is the collaboration between the authors of two leading banking Trojans, Gozi Trojan and Nymaim Trojan, pushing both into the top 10 ranking of financial malware.
Banking Trojans remain the most dangerous online threats. This malware is often propagated via compromised or fraudulent websites and spam emails. After infecting users, it mimics an official online banking page in an attempt to steal users’ personal information, such as bank account details, passwords or payment card details.
According to the Kaspersky Lab statistics for the quarter, Turkey was the country most attacked by this type of malware. 3.45% of Kaspersky Lab product users in the country encountered such online threats during the quarter. Russia was in second place, being the target of 2.9% of online threats, followed by Brazil at 2.6%. The Olympic Games is likely to push Brazil up the attack list in Q3.
Main culprits
The main culprits were the Gozi and Nymaim banking Trojans, with the authors of both joining forces. The Nymaim Trojan was initially designed as ransomware, blocking access to users’ valuable data and then demanding a ransom to unblock it. However, the latest version includes banking Trojan functionality from Gozi source code that provides attackers with remote access to victims’ PCs.
Additional and apparently joint efforts have been put into the distribution of this malware and this cooperation pushed both into the top 10 financial malware rating. Gozi was in second place with 3.8% of users whose security software triggered a financial malware detection, while Nymaim was in sixth place with 1.9%. The list of financial malware continues to be led by Zbot. 15.17% of those hit by financial malware were attacked by this Trojan.
“Financial malware is still active and developing rapidly,” notes Denis Makrushin, Security Expert at Kaspersky Lab. Makrushin adds that new banking Trojans have significantly extended their functionality by adding new modules such as ransomware.
“If criminals do not succeed in stealing users’ personal data, they will encrypt it and demand a ransom,” warns Makrushin. Yet another example is the Neurevt Trojan family. This malware was used not only to steal data in online banking systems, but also to send out spam.
The report also reveals that in total, Kaspersky Lab products blocked 171,895,830 online attacks against users in Q2. Malware originated in 191 countries, although an overwhelming 81% came from just ten countries, led by the United States (35.4%), Russia (10.3%) and Germany (8.9%).
Kaspersky Lab’s security solutions recognized 54,539,948 unique URLs as malicious, a 17% decrease on the same quarter in 2015. At least every fifth PC user faced web attacks during the quarter.
Kaspersky Lab products also detected 16,119,489 unique malicious objects, including scripts, exploits, executable files, etc.
The safest countries for online activity were Canada (15%), Romania (14.6%) and Belgium (13.7%), while the countries at highest risk of Internet infection were Azerbaijan (32.1%), Russia (30.8%) and China (29.4%).