Threat Intelligence

Malware Threat Assessment Template for Financial Institutions

November 14, 2014 by Dan Virgillito

Financial institutions conducting online brokerage, alternative payments, Internet banking and other similar activities have been facing a growing number of malware-based attacks. According to Wontok SafeCentral, modern malware ranging from botnets to keyloggers to ransomware to spyware is capable of emptying bank accounts in seconds.

The institutions responsible for monetary transactions can ill afford to earn a reputation as anything other than protectors of customer privacy. However, malware attacks continue to evolve in sophistication as cyber criminals continuously develop new methods to circumvent basic security implementations.


The following are the top malware threats to financial institutions:

Keyloggers: Record everything typed on a computer in order to capture passwords, login credentials and other sensitive information, and send it back to the attacker. Keyloggers have been used to target the networks of financial institutions and to perform unauthorized wire transfers with the captured credentials.

Trojan: Malware disguised as legitimate software. Banking Trojans in particular are written to harvest financial information and to establish a foothold on the victim's system. A banking Trojan was used earlier in the year to target customers of major banks around the globe.

Botnet: Bots let attackers take control of infected PCs, which become part of a network of compromised machines (a botnet) spread across the globe. The best-known example is the Gameover Zeus botnet, estimated to have infected around 1 million machines and to have stolen credentials usable for accessing bank accounts.

Ransomware: Restricts access to a network, PC or account and locks the victim out until a sum of money is paid or access to certain data is granted. Cryptolocker is an example of ransomware that reached employees and customers of financial institutions through phishing emails.

Backdoor: Opens a covert entry point onto a machine, providing a network connection through which criminals can return or from which spam can be sent. Backdoor malware has been used to steal millions from ATMs lacking adequate security controls.

Threat assessment

Problems arise when financial institutions treat all malware as a single threat for assessment purposes. Each malware family should be assessed as a separate entity, and the assessment should address questions such as:

  • What is the potential harm to customers, partners and other parties if your network/system is infected with a particular malware?
  • How can you detect the infiltration?
  • If you are unable to address the infection yourself, who can?
  • If you are unable to detect the malware attack, when/how will you become aware of its consequences?
  • Is there a stage of the breach where you might detect the attack before it causes damage?

Answering these questions requires an individual profile for each malware threat, including how that malware can be addressed. Here is a sample risk assessment profile for Cryptolocker.

Threat name: Cryptolocker

General description: Cryptolocker encrypts files on the victim's PC, and on any network drive the victim can write to, and returns access to them only after a ransom is paid. Like other ransomware of its generation it relies on social engineering to pressure the victim; the lock screen warning of prosecution or a fine belongs to the screen-locking families, while Cryptolocker's leverage is a countdown after which the decryption key is said to be destroyed.

Malware type: Ransomware

Data attack classification: Customer-related, sensitive and confidential

Inherent risk: High

Entry points: Malicious emails, malicious websites, third-party software

Affected victims: Customer, employee, manager, administrator, vendor

Revenue generated (estimated ransoms collected by the attackers): Around $3 million

Business impact: Financial loss due to unauthorized money transfer, reputation loss due to breach of customer data, lawsuits and regulations because of account & transaction compromise and non-compliance

Customer impact: Theft of personal information, theft of important credentials, loss of money from personal and business accounts

Mitigation: Reevaluate permissions on network drives (Cryptolocker encrypts whatever the logged-in user can write to), implement software restriction policies (SRPs) that block executables launching from user-writable locations such as %AppData% and %Temp%, and use Group Policy Objects (GPOs) to set restrictive permissions on the registry keys the malware uses for persistence

External identification & mitigation sources: APWG, Trusteer, Massive's attack intelligence, CERT, etc.

Next, it is important to define the potential role of vendors in minimizing malware threat to the financial institution ecosystem. Here is an outline of the potential stakeholders, their activity and control type:

Name: Certificate authorities (CA)

Activity: Certificate authorities issue the certificates that authenticate online banking sites to customers' browsers when they enter their login credentials. However, CA administrative functions have been abused to issue valid EV-SSL and SSL certificates to adversaries, and CA service offerings need to evolve to prevent this.

Control type: Prevent

Name: Anti-malware solution providers

Activity: Improve detection capabilities and develop better detection metrics. Products should fail safe rather than fail open, and ship with secure default settings. Solution providers should also do a better job at:

  • Managing online security threats
  • Reducing the cost of fraudulent transactions
  • Protecting customer data from insecure transactions

Control type: Prevent and recover

Name: Application providers or application stores

Activity: Provide software for digital devices used to access banking accounts, including tablets, laptops and smartphones. They should enhance due diligence to ensure their software doesn't include malicious code.

Control type: Prevent

With the risk assessment profile and potential role of vendors in place, you can develop a fairly good picture of the behavior of a particular malware, and then work with internal and external IT security departments to define the best course of mitigation.

Financial institutions should also gather threat data by:

  • Examining the malicious files on a system/network/device
  • Examining the volatile data
  • Examining the programs executed on the infected system/network/device
  • Examining the host-based logs
  • Examining suspected files and specific artifacts
  • Performing a malware search and a timeline analysis

Researching and documenting a threat further requires building your own virtual machines and deliberately infecting them, so that you become familiar with what actually happens when the malware executes. This requires malware samples, whose technical details you review to see the modifications the malware makes to the system.

The aim is to observe how a sample infects a system rather than to reverse-engineer its full functionality. The virtual machine can be used to run malicious files and software and to visit websites that serve malware; keep it isolated (host-only networking or a dedicated lab segment) so a sample can neither reach production systems nor call home unobserved. The final step is to analyze and monitor the URLs contacted and the program execution artifacts left behind.
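The simplest way to "see the modifications made by the malware" in a lab VM is to baseline the file system before detonation and diff it afterwards. The following is an added example, not code from the original article: it hashes every file under a root, diffs two snapshots, and classifies the changes using heuristics (the directory names, extensions and ransom-note hints) that are assumptions chosen for illustration. The demo() function constructs a fake user profile in a temporary directory and simulates what a ransomware sample does to it; no real malware is involved.

```python
"""Baseline-and-diff of a directory tree: snapshot a lab VM's files before
detonating a sample, snapshot again afterwards, and classify what changed.
Added example, not code from the original article; the directory names,
extensions and heuristics below are assumptions chosen for illustration."""
import hashlib
import tempfile
from pathlib import Path

# Heuristics (assumed): where droppers land, what counts as executable,
# and what a ransom note tends to be called.
SUSPICIOUS_DIRS = {"appdata", "temp", "tmp", "downloads"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js"}
RANSOM_NOTE_HINTS = ("decrypt", "ransom", "how_to", "readme")


def snapshot(root):
    """Return {relative_posix_path: sha256} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_snapshots(before, after):
    """Split paths into added / removed / modified between two snapshots."""
    return {
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def classify(changes):
    """Turn raw diff entries into findings a threat profile can cite."""
    findings = []
    added_lower = [p.lower() for p in changes["added"]]
    for path in changes["added"]:
        low = path.lower()
        if Path(low).suffix in EXECUTABLE_EXTS and set(low.split("/")) & SUSPICIOUS_DIRS:
            findings.append((path, "executable dropped in user-writable directory"))
        elif any(hint in Path(low).name for hint in RANSOM_NOTE_HINTS):
            findings.append((path, "ransom-note-like file created"))
    # A file that vanished while "<same name>.<extra extension>" appeared is the
    # classic rename-after-encrypt pattern.
    for path in changes["removed"]:
        if any(a.startswith(path.lower() + ".") for a in added_lower):
            findings.append((path, "file replaced by renamed copy (encryption pattern)"))
    for path in changes["modified"]:
        findings.append((path, "existing file rewritten in place"))
    return findings


def demo():
    """Constructed scenario: baseline a fake user profile, simulate what a
    ransomware sample does to it (no real malware involved), return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Documents").mkdir()
        (root / "AppData" / "Roaming").mkdir(parents=True)
        (root / "Documents" / "report.docx").write_bytes(b"quarterly figures")
        (root / "Documents" / "notes.txt").write_bytes(b"call the auditor")
        (root / "AppData" / "Roaming" / "settings.ini").write_bytes(b"theme=dark")
        before = snapshot(root)

        # --- simulated sample behaviour: drop, encrypt-and-rename, note, tamper ---
        (root / "AppData" / "Roaming" / "svchost.exe").write_bytes(b"MZ fake dropper")
        doc = root / "Documents" / "report.docx"
        (root / "Documents" / "report.docx.encrypted").write_bytes(doc.read_bytes()[::-1])
        doc.unlink()
        (root / "Documents" / "DECRYPT_INSTRUCTIONS.txt").write_bytes(b"pay to recover")
        (root / "AppData" / "Roaming" / "settings.ini").write_bytes(b"theme=dark\nrun=1")
        after = snapshot(root)

        return classify(diff_snapshots(before, after))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:55} {path}")
```

Run snapshot() against the VM's user profile and system directories before and after execution; the same diff applied to a registry export (Run keys, services) completes the picture. Untouched files such as notes.txt produce no finding, which is the point of diffing against a baseline rather than scanning the whole disk after the fact.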

Changing exposures of malware

Most of the new malware exposures to financial institutions are a consequence of an extremely complex and evolving threat environment.

The sale of underground toolkits at low cost has also increased both the number and the sophistication of malware-based attacks; with financial institutions conducting monetary transactions on the largest scale, the industry remains a lucrative target for cyber gangs.

Third party vendors and partner businesses are potential contributors to increased exposure and should be included in the template for malware threat assessment. For the occasions where conventional threat assessment fails to recognize malware, following a security template and updating it frequently can help institutions look for signals the malware may be executing.

For instance, is the malware doing something that standard programs rarely do? Behavioural signals of this kind can be combined with conventional analysis of the execution. A document that looked harmless at first might behave in ways that reveal the threat and signal the institution concerned to block it immediately.
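The threat-data gathering steps listed earlier (host-based logs, programs executed, timeline analysis) and the "doing something standard programs rarely do" signal come together in a behavioural check over host events. The following is an added example, not code from the original article or from any vendor: the JSON event shape, the constructed sample lines and the thresholds are assumptions, loosely modelled on Sysmon's process-create and file-create events. It flags processes launched from user-writable paths and any process that writes many distinct documents within a short window, correlates the two per process, and emits an annotated timeline.

```python
"""Behavioural checks over host events, with an annotated timeline.
Added example, not code from the original article. The JSON event shape,
the sample lines and the thresholds are assumptions; real deployments
would feed Sysmon, EDR or audit logs into the same checks."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\downloads\\")
DOC_EXTS = (".docx", ".xlsx", ".pdf", ".jpg", ".txt")
BURST_FILES = 5                        # distinct documents touched ...
BURST_WINDOW = timedelta(seconds=60)   # ... within this window => suspicious

# Constructed sample, loosely Sysmon-shaped: event 1 = process create,
# event 11 = file create. One benign Office session, one sample dropped in
# %AppData% that rewrites documents within seconds, one slow backup job.
SAMPLE_EVENTS = r"""
{"ts": "2014-11-10T09:00:01", "event": 1, "pid": 1200, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "target": ""}
{"ts": "2014-11-10T09:00:05", "event": 11, "pid": 1200, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "target": "C:\\Users\\jdoe\\Documents\\~$memo.docx"}
{"ts": "2014-11-10T09:01:10", "event": 1, "pid": 3344, "image": "C:\\Users\\jdoe\\AppData\\Roaming\\Kdjhgs.exe", "target": ""}
{"ts": "2014-11-10T09:01:12", "event": 11, "pid": 3344, "image": "C:\\Users\\jdoe\\AppData\\Roaming\\Kdjhgs.exe", "target": "C:\\Users\\jdoe\\Documents\\budget.xlsx.encrypted"}
{"ts": "2014-11-10T09:01:13", "event": 11, "pid": 3344, "image": "C:\\Users\\jdoe\\AppData\\Roaming\\Kdjhgs.exe", "target": "C:\\Users\\jdoe\\Documents\\memo.docx.encrypted"}
{"ts": "2014-11-10T09:01:15", "event": 11, "pid": 3344, "image": "C:\\Users\\jdoe\\AppData\\Roaming\\Kdjhgs.exe", "target": "C:\\Users\\jdoe\\Documents\\wire_form.pdf.encrypted"}
{"ts": "2014-11-10T09:01:16", "event": 11, "pid": 3344, "image": "C:\\Users\\jdoe\\AppData\\Roaming\\Kdjhgs.exe", "target": "C:\\Users\\jdoe\\Pictures\\id_scan.jpg.encrypted"}
{"ts": "2014-11-10T09:01:18", "event": 11, "pid": 3344, "image": "C:\\Users\\jdoe\\AppData\\Roaming\\Kdjhgs.exe", "target": "C:\\Users\\jdoe\\Documents\\clients.txt.encrypted"}
{"ts": "2014-11-10T09:01:19", "event": 11, "pid": 3344, "image": "C:\\Users\\jdoe\\AppData\\Roaming\\Kdjhgs.exe", "target": "C:\\Users\\jdoe\\Documents\\DECRYPT_INSTRUCTIONS.txt"}
{"ts": "2014-11-10T09:05:00", "event": 1, "pid": 4100, "image": "C:\\Program Files\\Backup\\backup.exe", "target": ""}
{"ts": "2014-11-10T09:05:30", "event": 11, "pid": 4100, "image": "C:\\Program Files\\Backup\\backup.exe", "target": "D:\\backup\\budget.xlsx"}
{"ts": "2014-11-10T09:08:40", "event": 11, "pid": 4100, "image": "C:\\Program Files\\Backup\\backup.exe", "target": "D:\\backup\\memo.docx"}
"""


def parse(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def looks_like_document(path):
    """True if a document extension appears anywhere in the name (catches x.docx.encrypted)."""
    return any(ext in path.lower() for ext in DOC_EXTS)


def check_suspicious_launch(events):
    """Processes started from paths a standard user can write to."""
    return [(e["ts"], e["pid"], "process launched from user-writable path: " + e["image"])
            for e in events
            if e["event"] == 1 and any(m in e["image"].lower() for m in USER_WRITABLE)]


def check_mass_file_writes(events):
    """A pid that writes >= BURST_FILES distinct documents within BURST_WINDOW."""
    first_seen = defaultdict(dict)            # pid -> {target: first write ts}
    for e in events:
        if e["event"] == 11 and looks_like_document(e["target"]):
            first_seen[e["pid"]].setdefault(e["target"], e["ts"])
    findings = []
    for pid, targets in first_seen.items():
        times = sorted(targets.values())
        j = 0
        for i in range(len(times)):               # sliding window over sorted times
            while j < len(times) and times[j] - times[i] <= BURST_WINDOW:
                j += 1
            if j - i >= BURST_FILES:
                findings.append((times[i], pid,
                                 f"{j - i} distinct documents written within {BURST_WINDOW.seconds}s"))
                break
    return findings


def analyze(text):
    """Run all checks, correlate per pid, and build an annotated timeline."""
    events = parse(text)
    findings = sorted(check_suspicious_launch(events) + check_mass_file_writes(events))
    launched = {pid for _, pid, msg in findings if msg.startswith("process launched")}
    bursting = {pid for _, pid, msg in findings if "distinct documents" in msg}
    verdicts = {pid: "ransomware-like" if pid in launched & bursting else "review"
                for _, pid, _ in findings}
    rows = [(e["ts"], 0, f"pid={e['pid']} evt={e['event']} {e['target'] or e['image']}")
            for e in events]
    rows += [(ts, 1, f"pid={pid} !! {msg}") for ts, pid, msg in findings]
    timeline = [f"{ts.isoformat()} {label}" for ts, _, label in sorted(rows)]
    return {"findings": findings, "verdicts": verdicts, "timeline": timeline}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print("\n".join(result["timeline"]))
    print(result["verdicts"])
```

In the constructed sample the Office process writes one lock file and the backup job writes two files several minutes apart, so neither trips the burst threshold; only the process launched from %AppData% that rewrites six documents in seven seconds is marked ransomware-like. The thresholds are deliberately crude: tune BURST_FILES and BURST_WINDOW against a baseline of your own hosts, and expect backup, sync and indexing agents to need an allow-list.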

Even though large amounts of data are required to stay one step ahead of malware-based breaches, following a threat assessment template helps secure vulnerable endpoints. It also reduces exposure to non-compliance with regulatory requirements such as those of the Securities and Exchange Commission (SEC) and statutes such as the Foreign Corrupt Practices Act (FCPA).


Malware threat assessment is a higher priority for most companies today than it was a few years ago, and few industries feel this more acutely than the financial sector. As the outcomes of recent malware breaches have shown, failure to assess the risk from an enterprise-wide perspective can have negative consequences for the industry and the economy as a whole.


The end user will remain the most common weakness in a malware attack. Institutions therefore need to be open about risks, keep assessing the security issues they encounter, and frequently update the threat assessment template they follow. As more users turn to Internet banking in place of conventional over-the-phone and in-branch banking, banks must assess threats on a regular basis and implement adequate protections to keep users safe. Focusing on risk assessment is not only a way to prevent breaches but can also be a source of competitive advantage.

Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.