{
	"id": "1473c112-6269-418d-b970-475207a5fced",
	"created_at": "2026-04-06T00:16:02.193085Z",
	"updated_at": "2026-04-10T13:11:38.79258Z",
	"deleted_at": null,
	"sha1_hash": "00d440e19c381f89c6be5120433e8f470855844c",
	"title": "Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 348778,
	"plain_text": "Banking Trojan Techniques: How Financially Motivated Malware\r\nBecame Infrastructure\r\nBy Or Chechik\r\nPublished: 2022-10-31 · Archived: 2026-04-05 22:24:27 UTC\r\nExecutive Summary\r\nWhile advanced persistent threats get the most breathless coverage in the news, many threat actors have money on\r\ntheir mind rather than espionage. You can learn a lot about the innovations used by these financially motivated\r\ngroups by watching banking Trojans.\r\nBecause attackers constantly create new techniques to evade detection and perform malicious acts, studying\r\nmonetarily motivated malware can help defenders understand threat actor tactics and protect organizations more\r\neffectively. Some of the banking Trojans described here are historically known for being financial malware, but\r\nnow they’re primarily used as infrastructure to deliver other malware. Which is to say, by preventing techniques\r\nused by banking Trojans, you can also stop other types of threats.\r\nWe’ll survey techniques used by notorious banking Trojan families to evade detection, steal sensitive data and\r\nmanipulate data. We’ll also describe how those techniques can be blocked. These families include Zeus, Kronos,\r\nTrickbot, IcedID, Emotet and Dridex.\r\nPalo Alto Networks customers are protected from such attacks using Cortex XDR and WildFire.\r\nWhat Are Webinjects?\r\nWebinjects are modules that can inject HTML or JavaScript before a web page is rendered, and are often used to\r\ntrick users. They are known to be abused by banking Trojans, as well as being employed to steal credentials and\r\nmanipulate form data inside web pages. 
In most banking Trojan families, there is at least one webinjects module.\r\nAn early stager of the banking Trojan usually injects the banking Trojan’s main bot into a Windows process, and\r\nthat process injects the webinjects module into the machine’s available web browser processes as shown in Figure\r\n1.\r\nhttps://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n\r\nPage 1 of 14\n\nFigure 1. Trickbot goes through processes one by one to find browsers to inject with its webinjects\r\nmodule, using a stealthy technique known as reflective injection.\r\nThe webinjects module hooks the API calls responsible for sending, receiving or encrypting data sent to a web\r\nserver. By intercepting the data before it is encrypted, the malware can read HTTP POST headers and manipulate\r\nthem on the fly.\r\nFigure 2. Trickbot webinjects module placing hooks based on the browser.\r\nFigure 3. Trickbot placing hooks on wininet.dll functions.\r\nBy fully controlling the HTTP headers just before the web page is rendered, the malware can completely modify\r\nthe forms and fool the user. The malware may inject HTML or JavaScript code to trick the user into entering\r\nsensitive information, such as a PIN code or credit card number, enabling the malware to collect it. 
The malware\r\ncan extract this information and send it to its command and control (C2) server without actually sending the\r\nforged headers to the targeted web page server.\r\nChrome (chrome.dll): ssl_read, ssl_write\r\nFirefox (nspr3.dll / nspr4.dll): PR_Read, PR_Connect, PR_Close, PR_Write\r\nInternet Explorer / Edge (Wininet.dll): HttpSendRequest, InternetCloseHandle, InternetReadFile,\r\nInternetQueryDataAvailable, HttpQueryInfo, InternetWriteFile, HttpEndRequest, InternetQueryOption,\r\nInternetSetOption, HttpOpenRequest, InternetConnect\r\nTable 1. Frequently hooked API functions, by browser and hooked library.\r\nHow to Detect Webinjects\r\nThis technique can be prevented by detecting an injection into a web browser process. The injected thread calls\r\nNtProtectVirtualMemory with the NewAccessProtection argument set to PAGE_EXECUTE_READWRITE and the\r\nBaseAddress argument pointing at one of the library functions targeted by banking Trojans (Table 1).\r\nFor example, Trickbot uses both VirtualProtect and VirtualProtectEx in its various versions. Both end up in\r\nNtProtectVirtualMemory, so inspecting NtProtectVirtualMemory calls covers both.\r\nSome banking Trojans avoid code injection altogether. Instead, they suspend the remote process threads and install the\r\nhooks remotely. Inspecting remote NtProtectVirtualMemory calls, where the process handle refers to another process,\r\ndetects this variant of the technique.\r\nFigure 4. NtProtectVirtualMemory prototype.\r\nInfecting Web Browsers During Process Creation\r\nSome banking Trojans aim to infect a target process as soon as it is launched, by injecting code into a predicted\r\nparent process of the real target. 
Once the banking Trojan executes in the context of the parent process, it hooks\r\nprocess creation library functions and waits until the real target is created.\r\nInside the hook, the banking Trojan manipulates the process creation flow, for example by initializing the\r\nwebinjects module inside the newly created process. The explorer.exe and runtimebroker.exe parent processes are\r\nfrequently abused for this goal, as they usually launch the real targets.\r\nFor instance, the Karius banking Trojan used this technique by injecting code into explorer.exe and hooking\r\nCreateProcessInternalW. The Trojan’s hook handler looked for a spawned web browser process and injected the\r\nmalicious webinjects module into it.\r\nHow to Prevent Attempts to Infect Web Browsers During Process Creation\r\nThis technique can be prevented by looking for an injection into explorer.exe or runtimebroker.exe, where the\r\ninjected thread hooks process creation functions like NtCreateUserProcess, NtCreateProcessEx,\r\nCreateProcessInternalW, CreateProcessA or CreateProcessW.\r\nNamed Pipe Communication Between Injected Processes\r\nMany banking Trojans use named pipes to communicate between the various processes under the threat actor’s control.\r\nTo do this, they inject their main bot into a Windows process, and then inject their other modules into different\r\nprocesses according to each module’s purpose. They then establish communication between the different processes\r\nusing named pipes.\r\nFor example, Trickbot injects the main bot into svchost.exe. It creates a named pipe server and reflectively injects\r\nthe webinjects module into web browsers. 
This injected module connects to the same named pipe as a client to\r\ncommunicate with the main bot and hand over the fetched credentials for delivery to the C2 server.\r\nFigure 5. Trickbot named pipe server.\r\nHow to Prevent Named Pipe Communication Between Injected Processes\r\nThis technique can be prevented by inspecting named-pipe events: an injected thread creates a named pipe inside\r\na Windows process, and then another injected thread that lives inside a web browser connects to that\r\nsame named pipe.\r\nHeaven’s Gate Injection Technique\r\nHeaven's Gate is a technique used by malware that enables a 32-bit (WoW64) process to execute 64-bit code by\r\nperforming a far jump/call through segment selector 0x33. Modern malware uses Heaven's Gate to inject into both\r\n64-bit and 32-bit processes from a single 32-bit process on x64 systems. This bypasses WoW64 API hooks,\r\nhinders analysis in some debuggers and breaks emulation in some sandboxes.\r\nEven though this method is old, it is still effective and frequently used.\r\nTrickbot and Emotet loaders use Heaven's Gate for process hollowing from a WoW64 process into a 64-bit\r\nsvchost.exe (for more about process hollowing, see the section on Evasive Process Hollowing by Entrypoint\r\nPatching below). The architecture of these two banking Trojans dictates that their main bot persists inside\r\nsvchost.exe while the web content manipulation and credential stealing modules live inside the browser processes.\r\nFigure 6. Emotet using Heaven's Gate in its Microsoft Outlook Messaging API (MAPI) module.\r\nHow to Prevent Heaven's Gate\r\nA WoW64 process usually goes through wow64cpu.dll to perform the transition to x64 CPU mode. 
Heaven's\r\nGate does this transition manually.\r\nPrevention methods can find Heaven's Gate by checking whether a system call from a WoW64 process went\r\nthrough wow64cpu.dll. This can be done by placing hooks on critical APIs, generating a stack trace at each call and\r\nlooking for a wow64cpu.dll frame in it; a 64-bit system call from a WoW64 process with no such frame is the mark\r\nof a manual transition.\r\nFigure 7. WoW64’s normal syscall flow.\r\nEvasive Process Hollowing by Entrypoint Patching\r\nProcess hollowing is a process injection technique that creates a new legitimate process in suspended mode,\r\nunmaps its main image and replaces it with malicious code. The malicious code is written into the newly created\r\nprocess and the suspended thread’s instruction pointer is changed using\r\nNtGetContextThread/NtSetContextThread.\r\nSecurity product vendors check for main image unmapping combined with the usage of\r\nNtGetContextThread/NtSetContextThread to detect process hollowing.\r\nA known technique for evading detection is to patch the process entry point with a small jump that redirects\r\nexecution to the payload without using the NtGetContextThread/NtSetContextThread functions or\r\nunmapping the main image. For example, Trickbot and Kronos have both used this technique.\r\nKronos mapped the image of a suspended svchost.exe into its own process and patched it in its own address space.\r\nSimilar to other banking Trojans, Kronos' main module ran within svchost.exe and orchestrated the whole\r\noperation from the remote svchost.exe process.\r\nTrickbot implemented process hollowing by first using VirtualProtectEx on the process entrypoint, and then\r\nwriting the hook stub using WriteProcessMemory.\r\nFigure 8. Kronos mapping svchost.exe and patching its entrypoint.\r\nFigure 9. 
Kronos hook stub template – x86 opcodes for push and ret.\r\nHow to Prevent Evasive Process Hollowing by Entrypoint Patching\r\nThis technique can be prevented either by inspecting whether the address argument provided to calls of\r\nNtWriteVirtualMemory or NtProtectVirtualMemory is the entry point of a remote process, or by detecting suspicious\r\nremote mapping and reading of svchost.exe memory.\r\nPE Injection\r\nCommon injection methods used by banking Trojans involve writing a mapped PE into a remote process using\r\nWriteProcessMemory. Some malware families try to obscure the call by wiping artifacts from the buffer, such as\r\nthe PE header.\r\nFor example, Zeus variants use this technique to inject themselves into other processes, allowing them to stay\r\nhidden, as well as to perform webinjects and to perpetrate financial data theft.\r\nFigure 10. Zeus injection code from its leaked source code.\r\nHow to Prevent PE Injection\r\nThis technique can be prevented by inspecting the buffer sent to NtWriteVirtualMemory for executable artifacts.\r\nBecause some families wipe the PE header, the check cannot stop at the MZ/PE magic; section names, import strings\r\nand other remnants of a mapped image also count.\r\nProcess Injection via Hooking\r\nHooking can be used as an injection technique. Injecting a banking Trojan’s main payload into a legitimate-looking process maintains stealth and helps avoid endpoint protection detection.\r\nThis technique uses hooking to get code execution, usually by hooking a frequently called API function with a\r\njump to a payload/shellcode. This avoids calling any of the suspicious APIs often used in code injection techniques like\r\nCreateRemoteThread or NtSetContextThread.\r\nFor instance, IcedID injects its main bot into a hollowed instance of svchost.exe using API hooking. 
This is also\r\nknown as the ZwClose technique (ZwClose was the API hooked by Zberp, the first malware to employ this injection\r\ntechnique in the wild).\r\nThe injection flow of IcedID is slightly different from that of Zberp. It first hooks NtCreateUserProcess in its own\r\nprocess and then calls CreateProcessA to create svchost.exe without any special parameters or arguments. In a\r\nregular flow, the newly created svchost.exe terminates right away.\r\nFigure 11. IcedID initiates svchost.exe hooking.\r\nFigure 12. IcedID hooks NtCreateUserProcess.\r\nBecause IcedID hooked NtCreateUserProcess, which CreateProcessA calls internally, the hook handler runs inside the\r\ncall to CreateProcessA. In the handler, it performs the following activities:\r\nUnhooks NtCreateUserProcess\r\nCalls the original NtCreateUserProcess (which creates svchost.exe)\r\nDecompresses a local buffer that contains the payload to inject using RtlDecompressBuffer\r\nAllocates memory for the payload in the remote svchost.exe process using NtAllocateVirtualMemory\r\nWrites the payload into the remote svchost.exe using ZwWriteVirtualMemory\r\nFor the execution, IcedID hooks RtlExitUserProcess in the newly created svchost.exe with a jump stub to the\r\npayload. As mentioned, svchost.exe was created without any parameters and will try to exit. Because of the\r\nIcedID hook, it jumps to the payload instead.\r\nFigure 13. IcedID hooks RtlExitUserProcess.\r\nHow to Prevent Injection via Hooking\r\nThis technique can be prevented by inspecting calls to NtProtectVirtualMemory and NtWriteVirtualMemory: the\r\naddress argument of NtProtectVirtualMemory is an exported function of one of the Windows\r\nlibraries, and the buffer written by NtWriteVirtualMemory is a hooking stub. 
In both cases, the remote process has to\r\nbe a known injection target.\r\nAtomBombing Injection Technique\r\nAtomBombing is a technique that allows malware to inject code while avoiding the suspicious APIs that\r\nsecurity vendors watch. Dridex uses a slightly modified AtomBombing technique that injects one of its\r\nstages into a Windows process (usually explorer.exe) and employs various steps to carry out financial data theft.\r\nMalware using the AtomBombing technique first writes the payload into the global atom table, which is\r\naccessible to all processes. It then dispatches an asynchronous procedure call (APC) to the APC queue of a target\r\nprocess thread using NtQueueApcThread, forcing the target process to call GlobalGetAtomNameA.\r\nThe target thread then retrieves the payload from the global atom table and writes it into a read/write (RW) region\r\ninside the target process memory space (a code cave inside the kernelbase.dll data section). Because\r\nGlobalGetAtomNameA copies a NUL-terminated string, the payload has to be split into NUL-terminated strings and\r\nan atom is created for each string.\r\nFor the execution, the injector process dispatches another APC using NtQueueApcThread to force the remote\r\nprocess to execute NtSetContextThread. The injected process then calls NtSetContextThread, which invokes a\r\nreturn-oriented programming (ROP) chain that allocates execute/read/write (RWX) memory. 
The ROP chain then\r\ncopies the payload from the RW region into the newly allocated RWX region and, lastly, executes it.\r\nThe unique idea behind AtomBombing is the write primitive, which allows writing into the remote process using\r\natom tables and APCs.\r\nDridex uses a variation of AtomBombing that queues an APC to call memset to clear an RW region in ntdll.dll.\r\nThen, it copies the payload and its import table into the target process using the same write technique into the\r\nntdll.dll RW region.\r\nFor the execution, Dridex makes the copied payload memory executable using\r\nNtProtectVirtualMemory. Then it hooks GlobalGetAtomNameA, again by calling NtProtectVirtualMemory and using the\r\nsame write primitive. Finally, it queues an APC to the patched GlobalGetAtomNameA to get the payload running.\r\nFigure 14. AtomBombing proof of concept code.\r\nHow to Prevent AtomBombing and its Variants\r\nThese techniques can be prevented by inspecting whether the arguments provided to\r\nNtQueueApcThread/NtSetContextThread calls point to a suspicious API: the APC routine argument in the case\r\nof NtQueueApcThread, or the new instruction pointer in the context argument in the case of NtSetContextThread.\r\nBoth calls have to target a remote process.\r\nConclusion\r\nThreat actors who are in it for the money use a wide range of malware techniques for injection and financial fraud,\r\nand they are always looking for new ways to develop evasive techniques. We have explored some of the more\r\ninteresting banking Trojan techniques and how they’re used to steal victims’ sensitive data. 
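The prevention checks in the sections above all reduce to the same shape: a rule over process telemetry that asks which API was called, from which process into which, at which address, and with which protection, buffer or routine. The following is an added example, not code from the Unit 42 article, that gathers those rules into one detector and runs it over a constructed event stream. The event schema, process IDs, addresses and the symbol table (including the address of GlobalGetAtomNameA, the Win32 export that returns an atom's string) are assumptions made for the demo; a real sensor would supply them from its own telemetry and export resolution. It also covers the header-wiped PE injection case, which a check for the MZ/PE magic alone would miss.

```python
# Added example, not code from the Unit 42 article: the article's detection checks written as rules
# over one constructed stream of syscall and named-pipe events. The event schema, process IDs,
# addresses and symbol table are assumptions for this demo; a real sensor supplies its own.
PAGE_EXECUTE_READWRITE = 0x40
BROWSERS = {'chrome.exe', 'firefox.exe', 'iexplore.exe', 'msedge.exe'}
CREATION_PARENTS = {'explorer.exe', 'runtimebroker.exe'}
WEBINJECT_HOOKS = {'ssl_read', 'ssl_write', 'PR_Read', 'PR_Write', 'PR_Connect', 'PR_Close',  # Table 1
                   'HttpSendRequest', 'HttpOpenRequest', 'HttpQueryInfo', 'HttpEndRequest', 'InternetConnect',
                   'InternetReadFile', 'InternetWriteFile', 'InternetCloseHandle', 'InternetQueryDataAvailable',
                   'InternetQueryOption', 'InternetSetOption'}
PROCESS_CREATION = {'NtCreateUserProcess', 'NtCreateProcessEx', 'CreateProcessInternalW', 'CreateProcessA', 'CreateProcessW'}
GADGET_APIS = {'GlobalGetAtomNameA', 'NtSetContextThread', 'memset'}  # abused by AtomBombing and Dridex

def is_hook_stub(buf):
    # Trampolines written over a function prologue: jmp rel32 or jmp [mem], push imm32 / ret
    # (the Kronos template), and mov rax, imm64 / jmp rax for 64-bit targets.
    jmp = len(buf) >= 5 and (buf[0] == 0xE9 or buf[:2] == bytes((0xFF, 0x25)))
    push_ret = len(buf) >= 6 and buf[0] == 0x68 and buf[5] == 0xC3
    mov_jmp = len(buf) >= 12 and buf[:2] == bytes((0x48, 0xB8)) and buf[10:12] == bytes((0xFF, 0xE0))
    return jmp or push_ret or mov_jmp

def has_pe_artifacts(buf):
    # Intact header: MZ magic plus the PE signature at e_lfanew.
    if buf[:2] == b'MZ' and len(buf) >= 0x40:
        e_lfanew = int.from_bytes(buf[0x3C:0x40], 'little')
        if buf[e_lfanew:e_lfanew + 4] == bytes((0x50, 0x45, 0, 0)):
            return True
    # Header wiped: section names and import strings usually survive, so two of them still count.
    markers = (b'.text', b'.rdata', b'.data', b'.reloc', b'kernel32.dll', b'LoadLibraryA', b'GetProcAddress')
    return sum(1 for m in markers if m in buf) >= 2

def detect(events, symbols, entry_points):
    # symbols: (pid, address) -> exported function name; entry_points: pid -> image entry point.
    alerts, pipe_servers = [], {}
    for e in events:
        pid, proc, api = e['pid'], e['process'], e['api']
        tpid, tproc = e.get('target_pid', pid), e.get('target_process', proc)
        remote = tpid != pid
        injected = not e.get('caller_backed', True)  # caller runs from memory that no module backs
        sym = symbols.get((tpid, e.get('address')))
        if api == 'NtProtectVirtualMemory' and e['protect'] == PAGE_EXECUTE_READWRITE:
            if tproc in BROWSERS and sym in WEBINJECT_HOOKS and (injected or remote):
                alerts.append(('webinject_hook', tproc, sym))
            elif tproc in CREATION_PARENTS and sym in PROCESS_CREATION and injected:
                alerts.append(('process_creation_hook', tproc, sym))
            elif remote and (sym is not None or e['address'] == entry_points.get(tpid)):
                alerts.append(('remote_protect_export', tproc, sym or 'entry_point'))
        elif api == 'NtWriteVirtualMemory' and remote:
            if e['address'] == entry_points.get(tpid):
                alerts.append(('entrypoint_patch', tproc, 'entry_point'))
            elif sym is not None and is_hook_stub(e['buffer']):
                alerts.append(('hook_stub_write', tproc, sym))
            elif has_pe_artifacts(e['buffer']):
                alerts.append(('pe_injection', tproc, None))
        elif api in ('NtQueueApcThread', 'NtSetContextThread') and remote:
            # routine: the APC routine, or the instruction pointer inside the new thread context.
            gadget = symbols.get((tpid, e['routine']))
            if gadget in GADGET_APIS:
                alerts.append(('apc_or_context_to_api', tproc, gadget))
        elif api == 'CreateNamedPipe' and injected:
            pipe_servers[e['pipe']] = pid
        elif api == 'NtCreateFile' and injected and proc in BROWSERS:
            if e['pipe'] in pipe_servers and pipe_servers[e['pipe']] != pid:
                alerts.append(('injected_pipe_link', proc, e['pipe']))
    return alerts

def mapped_pe(wipe_header):
    # Constructed stand-in for a mapped PE image; wipe_header mimics Zeus-style header wiping.
    buf = bytearray(0x200)
    if not wipe_header:
        buf[0:2] = b'MZ'
        buf[0x3C:0x40] = (0x80).to_bytes(4, 'little')
        buf[0x80:0x84] = bytes((0x50, 0x45, 0, 0))
    buf[0x100:0x105] = b'.text'
    buf[0x180:0x18C] = b'kernel32.dll'
    return bytes(buf)

JMP_STUB = bytes((0xE9,)) + (0x1000).to_bytes(4, 'little')
PUSH_RET_STUB = bytes((0x68,)) + (0x410000).to_bytes(4, 'little') + bytes((0xC3,))
SYMBOLS = {(2000, 0x7FFA11001000): 'ssl_read', (800, 0x7FFA22003000): 'CreateProcessInternalW',
           (800, 0x7FFA22004000): 'GlobalGetAtomNameA', (1234, 0x7FFA33005000): 'RtlExitUserProcess'}
ENTRY_POINTS = {3000: 0x401000}
LDR = dict(pid=500, process='loader.exe', target_pid=1234, target_process='svchost.exe')  # the early stager
EVENTS = [  # constructed: one event per technique in the article, plus one benign browser call
    dict(api='NtProtectVirtualMemory', pid=2000, process='chrome.exe', address=0x7FFA11001000, protect=0x40, caller_backed=False),
    dict(api='NtProtectVirtualMemory', pid=2000, process='chrome.exe', address=0x2A00000, protect=0x40, caller_backed=True),
    dict(api='NtProtectVirtualMemory', pid=800, process='explorer.exe', address=0x7FFA22003000, protect=0x40, caller_backed=False),
    dict(api='CreateNamedPipe', pid=1234, process='svchost.exe', pipe='tb_inj', caller_backed=False),
    dict(api='NtCreateFile', pid=2000, process='chrome.exe', pipe='tb_inj', caller_backed=False),
    dict(LDR, api='NtWriteVirtualMemory', target_pid=3000, address=0x401000, buffer=PUSH_RET_STUB),  # Kronos style
    dict(LDR, api='NtProtectVirtualMemory', address=0x7FFA33005000, protect=0x40),  # IcedID: make the export writable
    dict(LDR, api='NtWriteVirtualMemory', address=0x7FFA33005000, buffer=JMP_STUB),  # IcedID: write the jump stub
    dict(LDR, api='NtWriteVirtualMemory', address=0x20000000, buffer=mapped_pe(False)),  # Zeus style
    dict(LDR, api='NtWriteVirtualMemory', address=0x20100000, buffer=mapped_pe(True)),  # same, header wiped
    dict(LDR, api='NtQueueApcThread', target_pid=800, target_process='explorer.exe', routine=0x7FFA22004000),
]

def run_demo():
    return detect(EVENTS, SYMBOLS, ENTRY_POINTS)
```

run_demo() returns the alert tuples (rule, process, detail) in event order. The remote rules fire only when the target process differs from the caller, matching the requirement in the prevention sections that the call be made into another process, and the local webinject and process-creation rules key on a caller that runs from memory no module backs, which is how an injected thread shows up in a stack trace; the browser's own module-backed call that re-protects a JIT page produces no alert. In production the symbol table comes from resolving the address argument against the target's loaded-module exports at call time, and the stub patterns should be extended to whatever trampolines the samples under analysis actually write.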
And finally, we\r\ndescribed how these techniques can be used to detect malicious behavior so it can be prevented.\r\nPalo Alto Networks customers using Cortex XDR receive protections from such attacks in different layers,\r\nincluding the following:\r\nLocal Analysis Machine Learning module\r\nBehavioral Threat Protection\r\nBehavioral indicators of compromise (BIOC) and Analytics BIOC rules\r\nThese layers identify the tactics and techniques that banking Trojans use at different stages of their execution.\r\nPalo Alto Networks customers also receive protections against the attacks discussed here through the WildFire\r\ncloud-delivered security subscription for the Next-Generation Firewall.\r\nIndicators of Compromise\r\nTrickbot\r\ntestnewinj32Dll.dll: 4becc0d518a97cc31427cd08348958cda4e00487c7ec0ac38fdcd53bbe36b5cc\r\nWebinjects: ef6603a7ef46177ecba194148f72d396d0ddae47e3d6e86cf43085e34b3a64d4\r\nEmotet: dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740\r\nKronos: aad98f57ce0d2d2bb1494d82157d07e1f80fb6ee02dd5f95cd6a1a2dc40141bc\r\nZeus: 0f409bc42d5cd8d28abf6d950066e991bf9f4c7bd0e234d6af9754af7ad52aa6\r\nIcedID: 358af26358a436a38d75ac5de22ae07c4d59a8d50241f4fff02c489aa69e462f\r\nDridex: ffbd79ba40502a1373b8991909739a60a95e745829d2e15c4d312176bbfb5b3e\r\nSource: https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n"
	],
	"report_names": [
		"#post-125550-_rm3d6xxbk52n"
	],
	"threat_actors": [],
	"ts_created_at": 1775434562,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00d440e19c381f89c6be5120433e8f470855844c.pdf",
		"text": "https://archive.orkl.eu/00d440e19c381f89c6be5120433e8f470855844c.txt",
		"img": "https://archive.orkl.eu/00d440e19c381f89c6be5120433e8f470855844c.jpg"
	}
}