Banking Trojans and Ransomware — A Treacherous Matrimony Bound to Get Worse

The financial malware arena became a mainstream issue a little over a decade ago with the rise of malware like the Zeus Trojan, which at the time was the first commercial banking Trojan available to the cybercrime world.


We have come a long way since, and the past decade saw banking Trojans become increasingly sophisticated, specialized and exclusive, operated by elite cybercrime gangs hailing out of Eastern Europe. But it is not only the Trojans' code, their stealthy inner workings and their evasion of security tools that have improved. The human side of the organized crime gangs who wield these Trojans has also grown in sophistication, malicious motivations and the variety of monetization schemes they tie themselves to.


A chart of the most active Trojan families in this category for 2019 looks rather similar to the one we produced in the 2018 annual roundup. The list features TrickBot at the top of the chart, followed by Gozi and Ramnit. All these Trojans are operated by organized groups that offer up varying business models to other cybercrime actors, such as botnet-as-a-service schemes and distribution through compromised assets they control.

Figure 1: Top banking Trojan families per 2019 activity (Source: IBM X-Force)


The gang operating TrickBot was by far the most active crimeware group in the cybercrime arena in 2019. This activity was expressed in various aspects, including:


Frequency of code updates and fixes (code, version and feature evolution)
Frequency and scale of infection campaigns
Frequency and volume of attack activity