Since publishing information about top banking botnets and takedown efforts in 2014, Dell SecureWorks Counter Threat Unit™ (CTU) security intelligence researchers have observed cybercriminals learning from past experience and quickly adapting when banks and other financial institutions improve their security measures. Takedown efforts continued in 2015, with global law enforcement partnering with organizations in the private sector to launch operations targeting two of the most active banking botnets: Ramnit and Bugat v5 (Dridex). Europol collaborated with multiple law enforcement and industry partners in early 2015 to seize servers and other important infrastructure owned by the group operating the Ramnit botnet. In the fall of 2015, the CTU™ research team collaborated with the UK National Crime Agency (NCA), the U.S. Federal Bureau of Investigation (FBI), and the Shadowserver Foundation to take over the Bugat v5 banking botnet.
Threats are becoming more sophisticated, incorporating emerging technologies, advanced cryptography, and resilient infrastructure to resist surveillance and disruption. Modifications to banking trojans support stealing bank credentials and website cookies to impersonate victims, searching hard disks for specific files, granting threat actors remote access to a computer, and allowing threat actors to exfiltrate stolen information or download additional malware. Cybercriminals are also expanding beyond traditional banking botnets and developing new attack vectors. CTU researchers observed an increase in persistent attacks targeting specific organizations to compromise financial accounts, illustrating the use of a delivery method that was previously seen only in advanced persistent threat (APT) attacks. As banks continue to move payment and banking applications to the mobile platform, cybercriminals' interest in targeting mobile banking services has increased. Attacks on mobile banking platforms, as well as advancements in bypassing advanced authentication mechanisms such as two-factor authentication (2FA) and transaction authentication numbers (TANs), evolved in 2015.