By Moshe Hayun, threat intelligence team leader at Deep Instinct

The financial sector is going through a period of rapid innovation. Crypto, open banking and the digital payments revolution are reshaping the industry, offering consumers and businesses exciting new capabilities.

However, the new dawn has a dark side. Cybercriminals are innovating just as quickly as banks, fintechs and other financial institutions. The digital nature of modern finance offers many benefits to all players in the system, yet simultaneously creates vast numbers of new vulnerabilities for threat actors to exploit.

Financial institutions need to move quickly to protect themselves in the new era of digital finance. To find out more about how they can stay safe, we spoke to Moshe Hayun, threat intelligence team leader at  Deep Instinct.

Why is the financial industry such a popular target for threat actors and which malware families were responsible for the majority of attacks on the sector?

Cybercriminals are found wherever there is money to be earned. Which does not necessarily mean they are emptying accounts and robbing virtual vaults like digital bank robbers. Criminals certainly steal money, but not in the same way as old-fashioned crooks. The data that financial institutions hold is extremely sensitive and therefore valuable. This can be stolen and sold or encrypted during a ransomware attack and only unlocked when the victim agrees to pay a ransom.

When we talk about malware families, we are not talking about crime families like the Mafia, but different strains of malicious software designed to perform specific tasks or attacks. There are five families which should be of particular concern to the financial sector.

The first is Dridex, which is a highly active family of banking trojan – the name for malware that disguises malicious code as a legitimate file. As the name suggests, a trojan is designed to sneak behind an organisation’s defences (or, more accurately, trick defenders into bringing it beyond the perimeter themselves). It is part of a family that was first observed in the wild back in 2011, when its predecessor, Cridex, was first used to steal banking information to enable fraudulent transactions. The first version of Dridex was identified in 2014. Since then, it has become one of the most infamous financial malware families.

The second malware family the financial sector should be concerned about is Trickbot, which is a sophisticated form of malware used to target individuals, businesses, and large enterprises to steal financial data, personal information and bank account credentials. Once this information is obtained, it can be used to carry out financial fraud and identity theft.

Trickbot first appeared in 2016. It is spread using boobytrapped documents attached to emails. The modular nature of Trickbot allows it to be quickly modified for each campaign, enabling it to evolve new attack techniques and making it harder to detect.

IcedID is another modular banking trojan that has targeted financial businesses in the UK and US in recent years. It has attacked banks, e-commerce players and credit card companies. It works like a worm – a form of malware designed to replicate, spread, and infect more systems. When executed on one machine, IcedID propagates to others and uses simple evasion techniques such as only operating after the machine restarts, making it more difficult to identify and defeat.

The fourth of the top five financial malware families is Zloader, a banking trojan that is a variant of the infamous Zeus banking malware. It is distributed in phishing campaigns or spoofed emails designed to trick victims into downloading and executing the malware. QakBot is the fifth malware family which is of concern to the finance sector. It steals information and has proved very popular since it was first seen in 2009. It is adept at stealing online banking credentials or other financial information and can steal personal data or even record a victim’s keystrokes.

What were the most common techniques used by these threat actors when conducting ransomware attacks?

Each malware family uses different techniques to achieve criminal goals. Malicious macros are one common tactic. What this means is threat actors hide malicious code inside Word documents or other files, which execute when people open them. Dridex uses malicious email attachments containing a Word document laced with a dangerous macro or a PDF loaded with JavaScript. Following a successful infection, Dridex will collect passwords, banking information, credit card details and other sensitive data, which is then transmitted to Command and Control (C&C) servers. Another form of Dridex can steal credentials from cryptocurrency wallets.

Trickbot also steals credentials but has developed many different capabilities during various campaigns. It offers criminals a backdoor into their victims’ networks and can harvest emails. The malware family also possesses a screen-lock, ransomware-style option which is designed to steal system passwords.

Deceit and trickery are common tactics among cybercriminals. IcedID can manipulate the victims’ browser, so they think they are looking at a genuine banking website, complete with a valid SSL certificate, whilst they have actually been redirected to a fake website that is designed to steal credentials.

ZLoader uses Excel macros and other techniques including keylogging to steal information from users. One of its most important abilities is installing a VNC (Virtual Network Computing) server on an infected machine which gives attackers remote access. Qakbot spreads through malspam (malicious spam) and exploit kits that are deployed through compromised websites. If a victim visits the site, QakBot delivers its payload and infects them.

In order to be as evasive as possible, threat actors have also learned to avoid detection by using LOLbins (Living off the Land Binaries), and PowerShell. LOLbins are pre-installed libraries on Windows and attackers use them to help carry out malicious actions. PowerShell is also pre-installed on every Windows 7+ operating system which makes it an ideal tool for post-exploitation. With the use of PowerShell and other libraries in the operating system, bad actors can stay under the radar when targeting finance institutions, making it an ideal threat method for them.

Endpoint Detection Response (EDR) solutions are common across the finance industry- why then, are they not enough?

Endpoint Detection and Response (EDR) is designed to improve security at entry points to networks and systems. It is a popular form of security, with spending on this tech set to double by 2026 to more than $2.5 billion worldwide, according to 360 Research Reports.

However, it has some serious limitations which means organisations should look for better protection. EDR uses automation to detect security threats using digital signatures. Which is useful for finding known threats. However, threats evolve rapidly, and we are seeing a rise in polymorphic malware that changes its appearance as it replicates and spreads. Some of the fastest known malware infects endpoints in less than 15 seconds, and EDR solutions are not useful when it comes to preventing immediate and unknown threats. Instead, EDR detects malware once it is already in the system, and therefore, already too late as the damage may well have been done.

What’s more, EDR solutions often generate a blizzard of false alerts, which are a serious problem. When security staff spend their days investigating non-threats, they risk missing the big ones. EDR is also part of a security stance which involves detecting attacks after they have taken place. It is a sub-optimal solution – which is putting it mildly.

How can deep learning help protect organisations against these financial malware families?

EDR uses automation, but deep learning (DL) is the next step forward. A deep learning solution works like the human brain to identity variants as they emerge and then stop them executing when they enter a network. The technology is independently trained on millions of raw data files, meaning it is able to prevent the most sophisticated and advanced threats, whether they are unknown or zero-day.  DL stops ransomware and other malware pre-execution within 20 milliseconds. It is not possible for any human or manual-based technology to process data at this level of speed and accuracy. This technology does not simply wait for attacks to happen and then help defenders mop up the damage. It is proactive and moves beyond yesterday’s “detect and respond” stance to a “prevent and protect” security posture.

Cybercriminals are always devising new ways to target victims and malware is now built to evolve at a high speed to dodge traditional defences. As such, organisations need to implement solutions that shift the focus from mitigation, to protection. Deep learning is a smarter solution to the growing intelligence of sophisticated malware.

Deep learning is designed to integrate with existing security stacks, so organisations avoid the hassle of replacing existing technology. As well as strengthening the company’s security posture, deep learning helps streamline processes and frees up employee time. For example, once integrated, the technology cuts down the number of alerts received by the security team each week by 25 percent or more. Therefore, less time is wasted on false positives.

In order to combat the ongoing needs and security threats targeting the finance sector, organisations must adapt to technology that can genuinely help prevent cyberattacks and the deceptive nature of the malware targeting the industry. If more finance organisations implemented preventative solutions, then cyber criminals will have less chance of being successful with their attacks, and they’ll be placing the industry back in safe hands.