{
	"id": "0e7fb52e-e394-4cbc-bc44-c3b55be291b5",
	"created_at": "2026-04-13T02:23:07.256327Z",
	"updated_at": "2026-04-13T02:23:13.789166Z",
	"deleted_at": null,
	"sha1_hash": "ec1096e30670e420a81f50742f2d2602eb9a121e",
	"title": "Banking Trojans Under Development",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74190,
	"plain_text": "Banking Trojans Under Development\r\nBy deugenio\r\nPublished: 2018-06-06 · Archived: 2026-04-13 02:11:17 UTC\r\nAlthough banks have taken measures to strengthen the security of their authentication processes, banking Trojans are still a popular tool for stealing users’ financial details and draining bank accounts.\r\nThe Check Point Research team recently came across one such banking Trojan under development and already being distributed through the RIG Exploit Kit. Dubbed ‘Karius’, the Trojan aims to carry out web injects that add fields to a bank’s legitimate login page and send the entered information to the attacker.\r\nWhile Karius is not yet in full infection mode, initial tests have already been made, and our research below shows how such malware evolves. Our analysis also shows how banking Trojans such as Karius are put together and reuse code from other well-known bankers such as Ramnit, Vawtrak and TrickBot.\r\nMalware Analysis\r\nKarius works in a fashion similar to other banking malware and consists of three components:\r\ninjector32\\64.exe\r\nproxy32\\64.dll\r\nmod32\\64.dll\r\nThese components work together to deploy webinjects in several browsers, thus intercepting the user’s communication with the internet.\r\nNormally, the content sought in the intercepted traffic would be a specific banking website that the victim has visited. This site would then be modified so as to trick the user into entering his credentials, which are then sent to the attacker. However, it seems that this malware is still in development and possibly in testing stages, which is why the webinjects don’t yet target any financial institutions in particular.\r\nThe initial component to be executed is injector32.exe (or injector64.exe, its equivalent for 64-bit systems). This component is responsible for several actions, namely:\r\nModifying several registry keys for the purpose of disabling protection mechanisms in Internet Explorer. These include:\r\n1. HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\2500 = DWORD:3\r\n2. HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth = DWORD:0\r\n3. HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\NoProtectedModeBanner = DWORD:1\r\nCopying itself to the startup directory with the name TEMP APPLICATION.lnk as a means of persistence, as well as creating a duplicate under the name %USERPROFILE%/music/temp.exe.\r\nhttps://research.checkpoint.com/2018/banking-trojans-development/\r\nPage 1 of 8\n\nWriting a batch script to disk which will delete the original file.\r\nContacting the Command and Control (C\u0026C) server to register the bot, using a message with the following JSON structure:\r\n{“id”: “\u003ccomputer_name_hash\u003e\u003cdigital_product_id_hash\u003e”\r\n“action”: “register”\r\n“os”: “\u003cos_version\u003e”\r\n“lang”: “\u003clang\u003e”\r\n“integrity”: “None”\r\n“admin”: “admin”\r\n“group”: “group”\r\n}\r\nAfter contacting the C\u0026C server, the malware then sends a message with the same id and a “ping” action, to which the server responds with one of two commands –\r\nUpdate – sends a binary with a new version of the malware.\r\nConfig – issues a webinjects configuration payload, saved to a file named “temp.bin”.\r\nAll traffic to the C\u0026C server is encrypted with RC4 using a key hardcoded in a configuration struct that resides within the .cfg section of this module’s binary.\r\ncfg section:\r\nFigure 1: The .cfg section of the configuration module’s library.\r\n– Creating the named pipe “\\\\.\\pipe\\form” in order to communicate with the other modules, which use it to forward stolen credentials to the injector. This data is then sent to the C\u0026C periodically (at an interval predefined in the internal configuration section), using the following message format:\r\n{“id”: “\u003ccomputer_name_hash\u003e\u003cdigital_product_id_hash\u003e”\r\n“action”: “report”\r\n“url”: “\u003curl_of_stolen_credentials\u003e”\r\n“browser”: “UNK”\r\n“Data”: “\u003cdata_of_stolen_credentials\u003e”\r\n}\r\n– Decompressing the subsequent components (proxy32.dll and proxy64.dll) using aPLib and injecting the one corresponding to the system’s architecture into the “explorer.exe” process.\r\nThe DLL component injected into “explorer.exe” is used to hook the CreateProcessInternalW API function, which is invoked whenever a process is started under Explorer. The hook function looks for one of several browsers and injects it with yet another decompressed DLL named mod32.dll (or mod64.dll for 64-bit systems). These browsers include Internet Explorer, Chrome, Firefox and Edge.\r\nThis final DLL payload, which executes in the context of one or more of the aforementioned browsers, is the component that implements the webinjects mechanism by applying hooks, as many other banking malware families do. The hooked functions can be found below.\r\nFigure 2: Table of hooked functions per browser.\r\nAs mentioned previously, the webinjects reside within the “temp.bin” file and have the following format:\r\nhost: \u003curl_of_host\u003e\r\npath: \u003cpath_in_url\u003e\r\ndata:\r\ninject: \u003cdata_to_inject\u003e\r\nbefore: \u003cwhat is before the injected data\u003e\r\nafter: \u003cwhat is after the injected data\u003e\r\nThe credentials stolen by applying the webinjects are then sent over the named pipe to the injector component and subsequently forwarded to the C\u0026C.\r\nA figure that illustrates all the aforementioned actions can be seen below:\r\nFigure 3: Diagram of Karius’ processes.\r\nSimilarity to Known Banking Trojans\r\nAs seen in the previous section, the malware’s internal workings are quite standard for banking Trojans. What’s more interesting, though, is the fact that major parts of the malware are heavily based on well-known bankers found in the wild. For instance, the use of aPLib compression to store both the 32-bit and 64-bit modules one after the other in the file was previously seen in Vawtrak.\r\nAlso, in one of the inspected samples we were able to find hardcoded webinjects, which to our surprise had previously been used by Ramnit.\r\nWebinjects similarity:\r\nFigure 4: Comparison of code used in Karius and Ramnit’s webinjects.\r\nBut probably the most significant resemblance we were able to spot is to the widely distributed TrickBot banker. In particular, we saw a very high similarity in binary code between the two malware families. The injection and hooking functionality showed very similar code elements.\r\nThis is perhaps not so surprising for the injection functionality, since both use the reflective loading injection method, which has an online open source implementation, found here.\r\nHowever, it is not clear whether the inline hooking implementation was taken from any particular known source code.\r\nFigure 5: The Hooking_Method function.\r\nFigure 6: The InternetWriteFile_Hook_Function.\r\nIt’s interesting to note that in one of the similar hooking functions observed in Karius, we could spot a call to the OutputDebugString function with a string that hints at the function’s name. This may suggest that the author of Karius was in possession of the source code used to implement the hooking mechanism of TrickBot and added this line for debugging purposes. It also hints that this malware is still undergoing development and that more versions of it are yet to be released.\r\nHttpSendRequestA_Hook_Function\r\nFigure 7: The HttpSendRequestA_Hook function.\r\nAn Evolving Malware\r\nThroughout our research of this malware, we observed two main versions which outline a certain evolution in its development. The first version seemed to be very buggy and was possibly used only for testing purposes, while the second, although more functional, is still not fully complete. This can be seen in the presence of various “placeholder” strings such as the one below:\r\nFigure 8: An incomplete “placeholder” string.\r\nThe major changes between the two versions are outlined in the following table:\r\nFigure 9: Table of development changes between the two versions of the malware.\r\nIOCs:\r\nMD5 hashes:\r\n728911a915d9ec3b6defa430d24bc0d5\r\n857430b8c9dc78ce4eabbe57cb3ae134\r\nDomains:\r\nhttp://proxyservice.site/updates/gateway.php\r\nSource: https://research.checkpoint.com/2018/banking-trojans-development/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2018/banking-trojans-development/"
	],
	"report_names": [
		"banking-trojans-development"
	],
	"threat_actors": [],
	"ts_created_at": 1776046987,
	"ts_updated_at": 1776046993,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec1096e30670e420a81f50742f2d2602eb9a121e.pdf",
		"text": "https://archive.orkl.eu/ec1096e30670e420a81f50742f2d2602eb9a121e.txt",
		"img": "https://archive.orkl.eu/ec1096e30670e420a81f50742f2d2602eb9a121e.jpg"
	}
}