
Trojan Horse Examples (2024): The 6 Worst Attacks Ever

By Tibor Moes / Updated: June 2024


In the ever-evolving landscape of cybersecurity, Trojan horse attacks represent a significant and persistent threat to individuals and organizations alike.

This article delves into the history of six of the most devastating Trojan horse attacks, offering insights into their mechanisms, impacts, and the lessons learned from these cyber incursions.

  • ILOVEYOU (2000): This worm masqueraded as a love letter, rapidly infecting millions of computers worldwide. It infected over ten million Windows PCs starting from May 5, 2000.
  • Zeus (2009): A powerful Trojan that targeted financial information, Zeus compromised thousands of FTP accounts including those of major companies. Over 74,000 FTP accounts on high-profile sites were compromised by June 2009.
  • CryptoLocker (2013): This ransomware encrypted users’ files and demanded payment for their release. Between 200,000 to 250,000 computers were infected, with operators extorting around $3 million.
  • Emotet (2014): Initially a banking Trojan, Emotet evolved to deliver other malware and caused significant financial damage. It has cost governments up to $1 million per incident to remediate.
  • Dyre (2014): Dyre targeted banking credentials, showing a marked increase in infection rates and financial theft. Infections rose from 500 to nearly 3,500 instances, with over $1 million stolen from enterprises.
  • BlackEnergy (2015): Initially a simple Trojan, BlackEnergy evolved to disrupt critical infrastructure, notably in Ukraine. It left about 1.4 million people without electricity for several hours in Ukraine.

Don’t become a victim of a trojan horse. Protect your devices with the best antivirus software and your privacy with the best VPN service.

Trojan Horse Examples

1. ILOVEYOU (2000)

In the early days of May 2000, a seemingly harmless email began circulating with the subject line “I LOVE YOU.” What appeared as a digital note of affection was, in fact, one of the most virulent computer worms of its time. According to Wired.com, the ILOVEYOU worm rapidly infected over ten million Windows personal computers globally, beginning its spread on May 5, 2000.

The worm exploited human curiosity and trust, using a simple email attachment to infiltrate and replicate across networks. Its reach was not only vast but also alarmingly swift, showcasing the vulnerabilities in personal and corporate cybersecurity practices at the dawn of the 21st century.

The ILOVEYOU incident serves as a stark reminder of how digital trust can be exploited and the profound impact of cyber threats on a global scale.

2. Zeus (2009)

Fast forward to 2009, and the cybersecurity world witnessed the emergence of Zeus – a Trojan horse that epitomized the growing sophistication of cybercriminal tactics.

As reported by TheTechHerald.com, in June 2009, it was discovered that Zeus had compromised over 74,000 FTP accounts, infiltrating the online defenses of high-profile companies such as Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.

This malware was not just a tool for data theft; it was a full-fledged operation that targeted the very foundation of corporate and financial security. The Zeus Trojan showcased the escalating arms race in cybersecurity, where the stakes were not just personal information but also the integrity of critical corporate and governmental infrastructures.

3. CryptoLocker (2013)

In 2013, the digital world was introduced to a new form of cyber terror: ransomware. CryptoLocker, a formidable player in this domain, emerged as a ransomware Trojan that held personal files hostage for a ransom.

According to BBC.com, by mid-December of that year, between 200,000 to 250,000 computers were infected by CryptoLocker. The Trojan demanded payment in Bitcoin, exploiting the anonymity of digital currency to carry out its extortion. The operators behind CryptoLocker demonstrated a chilling efficiency, managing to extort an estimated total of around $3 million from victims.

This attack not only highlighted the vulnerability of personal data but also underscored the growing threat of ransomware in the digital age, where data encryption could be weaponized for financial gain.

4. Emotet (2014)

The following year, in 2014, the cybersecurity landscape faced another formidable challenge with the advent of Emotet. Initially a banking Trojan, Emotet evolved into a sophisticated malware delivery service.

Heimdalsecurity.com reported that Emotet infections have cost state, local, tribal, and territorial (SLTT) governments up to $1 million per incident to remediate.

This malware was particularly notorious for its ability to evade standard antivirus detection, making it a persistent threat. Emotet’s impact extended beyond financial losses; it compromised the security of government systems, posing a threat to public sector operations.

The case of Emotet is a stark reminder of the continuous evolution of cyber threats and the escalating costs associated with combating these sophisticated attacks.

5. Dyre (2014)

In the latter part of 2014, the cybersecurity community faced a significant surge in the activity of Dyre, a notorious banking Trojan.

SecurityIntelligence.com reported that in October 2014, the IBM Trusteer team observed a dramatic spike in Dyre infections, escalating from 500 instances to nearly 3,500.

This malware specialized in stealing banking credentials, and IBM Security uncovered an active campaign using a variant of Dyre malware that successfully siphoned more than $1 million from targeted enterprise organizations.

Dyre’s rapid proliferation and financial impact underlined the escalating threat posed by banking Trojans. They no longer just targeted individual consumers; they had evolved to launch sophisticated attacks against large organizations, posing a serious threat to corporate financial security.

6. BlackEnergy (2015)

The year 2015 marked a pivotal moment in cyber warfare with the BlackEnergy attack. According to WeLiveSecurity.com, a significant incident occurred in Ukraine, where approximately 1.4 million people were plunged into darkness for several hours due to a cyberattack.

BlackEnergy, originally designed as a relatively simple Trojan, had evolved into a sophisticated tool capable of carrying out large-scale infrastructure attacks. This incident in Ukraine was particularly alarming as it demonstrated the potential of cyberattacks to cross over from the digital realm into causing real-world, physical disruptions.

The BlackEnergy attack not only disrupted daily life for millions but also signified a new era in cyber threats, where critical infrastructure became a prime target.

As we have seen through these examples, Trojan horse attacks pose a significant and evolving threat in the digital landscape. From the widespread infection caused by ILOVEYOU to the sophisticated financial and infrastructural disruptions by Zeus, CryptoLocker, Emotet, Dyre, and BlackEnergy, the impact of these attacks is both far-reaching and deeply concerning. These incidents underscore the importance of vigilance and proactive measures in cybersecurity.

In light of these threats, the importance of robust antivirus solutions, especially for Windows 11 users, cannot be overstated. Brands like Norton, Avast, TotalAV, Bitdefender, McAfee, Panda, and Avira offer comprehensive protection against such malware.

Investing in these antivirus programs provides not just real-time protection against known threats, but also employs advanced technologies to detect and neutralize emerging threats. With cybercriminals constantly evolving their tactics, having a reliable antivirus is an essential line of defense for safeguarding personal and organizational data.

  • Web.archive.org
  • Thetechherald.com
  • Heimdalsecurity.com
  • Securityintelligence.com
  • Welivesecurity.com

Author: Tibor Moes

Founder & Chief Editor at SoftwareLab

Tibor has tested 39 antivirus programs and 30 VPN services , and holds a Cybersecurity Graduate Certificate from Stanford University.


11 real and famous cases of malware attacks

  • Updated at June 4, 2021
  • Blog, Threat Research


Many famous hacker attacks use malware at some point. For example, the cybercriminal may first send you a phishing email. No attachment. No links. Text only. Once he has gained your trust, he can later send you a malicious attachment, that is, malware disguised as a legitimate file.

Malware is malicious software designed to infect computers and other devices. The intent behind the infection varies. Why? Because the cybercriminal can use malware to make money, to steal secret information that can give strategic advantages, to prevent a business from running, or even just for fun.

Yes, there are hackers who act for pleasure.

In fact, malware is a broad term. It’s like a category. Within this category are different types of threats, such as virus, worm, trojan, and ransomware.

To fight malware delivered via email, here at Gatefy we offer a secure email gateway solution and an anti-fraud solution based on DMARC. You can request a demo or more information.

To get an idea, according to the FBI, damages caused by ransomware amounted to more than USD 29.1 million in 2020 alone. And one of the most widely used ways of spreading malware continues to be email. As a Verizon report confirmed: 30% of the malware was directly installed by the actor, 23% was sent there by email and 20% was dropped from a web application.

The cases listed below show how malware attacks can work and give you a glimpse of the harm they cause to businesses and individuals.


Check out 11 real cases of malware attacks

1. CovidLock, ransomware, 2020

Fear in relation to the Coronavirus (COVID-19) has been widely exploited by cybercriminals. CovidLock ransomware is an example. This type of ransomware infects victims via malicious files promising to offer more information about the disease.

The problem is that, once installed, CovidLock encrypts data from Android devices and denies data access to victims. To be granted access, you must pay a ransom of USD 100 per device.

2. LockerGoga, ransomware, 2019

LockerGoga is a ransomware that hit the news in 2019 for infecting large corporations in the world, such as Altran Technologies and Hydro. It’s estimated that it caused millions of dollars in damage in advanced and targeted attacks.

LockerGoga infections involve malicious emails, phishing scams and also credential theft. LockerGoga is considered a very dangerous threat because it completely blocks victims’ access to the system.

3. Emotet, trojan, 2018

Emotet is a trojan that became famous in 2018 after the U.S. Department of Homeland Security defined it as one of the most dangerous and destructive malware. The reason for so much attention is that Emotet is widely used in cases of financial information theft, such as bank logins and cryptocurrencies.

The main vectors for Emotet’s spread are malicious emails in the form of spam and phishing campaigns. Two striking examples are the case of the Chilean bank Consorcio, with damages of USD 2 million, and the case of the city of Allentown, Pennsylvania, with losses of USD 1 million.

4. WannaCry, ransomware, 2017

One of the worst ransomware attacks in history goes by the name of WannaCry, introduced via phishing emails in 2017. The threat exploits a vulnerability in Windows.

It’s estimated that more than 200,000 people have been reached worldwide by WannaCry, including hospitals, universities and large companies, such as FedEx, Telefonica, Nissan and Renault. The losses caused by WannaCry exceed USD 4 billion.

By the way, have you seen our article about the 7 real and famous cases of ransomware attacks?

5. Petya, ransomware, 2016

Unlike most ransomware, Petya acts by blocking the machine’s entire operating system, that is, the Windows system. To release it, the victim has to pay a ransom.

It’s estimated that the losses involving Petya and its newer, more destructive variants amount to USD 10 billion since it was released in 2016. Among the victims are banks, airports and oil and shipping companies from different parts of the world.

6. CryptoLocker, ransomware, 2013

CryptoLocker is one of the most famous ransomware families in history because, when it was released in 2013, it used a very large encryption key, which made the experts’ work difficult. It’s believed to have caused more than USD 3 million in damage, infecting more than 200,000 Windows systems.

This type of ransomware was mainly distributed via emails, through malicious files that looked like PDF files, but, obviously, weren’t.

7. Stuxnet, worm, 2010

Stuxnet deserves special mention on this list for being used in a political attack, in 2010, on Iran’s nuclear program and for exploiting numerous Windows zero-day vulnerabilities. This super-sophisticated worm has the ability to infect devices via USB drives, so there is no need for an internet connection.

Once installed, the malware is responsible for taking control of the system. It’s believed that it has been developed at the behest of some government. Read: USA and Israel.

8. Zeus, trojan, 2007

Zeus is a trojan distributed through malicious files hidden in emails and fake websites, in cases involving phishing. It’s well known for propagating quickly and for copying keystrokes, which led it to be widely used in cases of credential and password theft, such as email accounts and bank accounts.

The Zeus attacks hit major companies such as Amazon, Bank of America and Cisco. The damage caused by Zeus and its variations is estimated at more than USD 100 million since it was created in 2007.

9. MyDoom, worm, 2004

In 2004, the MyDoom worm became known and famous for trying to hit major technology companies, such as Google and Microsoft. It used to be spread by email using attention-grabbing subjects, such as “Error”, “Test” and “Mail Delivery System”.

MyDoom was used for DDoS attacks and as a backdoor to allow remote control. According to reports, the losses are estimated at millions of dollars.

10. ILOVEYOU, worm, 2000

The ILOVEYOU worm was used to disguise itself as a love letter, received via email. Reports say that it infected more than 45 million people in the 2000s, causing more than USD 15 billion in damages.

ILOVEYOU is also considered as one of the first cases of social engineering used in malware attacks. Once executed, it had the ability to self-replicate using the victim’s email.

Also see 10 real and famous cases of social engineering.

11. Melissa, virus, 1999

The Melissa virus infected thousands of computers worldwide by the end of 1999. The threat was spread by email, using a malicious Word attachment and a catchy subject: “Important Message from (someone’s name)”.

Melissa is considered one of the earliest cases of social engineering in history. The virus had the ability to spread automatically via email. Reports from that time say that it infected many companies and people, causing losses estimated at USD 80 million.

How to fight malware attacks

There are two important points, or fronts, for fighting and preventing infections caused by malware.

1. Cybersecurity awareness

The first point is cybersecurity awareness. You need to stay alert on the internet. That means: watch out for suspicious websites and emails. And the old tip still applies: if you’re not sure what you’re doing, don’t click on the links and don’t open attachments.

2. Technology to fight malware

The second point involves the use of technology. It’s important that you have an anti-malware solution on your computer or device. For end-users, there are several free and good options on the market.

For companies, in addition to this type of solution, we always recommend strengthening the protection of your email network. As already explained, email is the main malware vector. So, an email security solution can rid your business of major headaches.

Here at Gatefy we offer an email gateway solution and a DMARC solution. By the way, you can request a demo by clicking here or ask for more information. Our team of cybersecurity experts will contact you shortly to help.


Tue, Nov 8, 2022

Q3 2022 Threat Landscape: Insider Threat, The Trojan Horse of 2022

Laurie Iacono, Keith Wojcieszek, George Glass

In Q3 2022, Kroll saw insider threat peak to its highest quarterly level to date, accounting for nearly 35% of all unauthorized access threat incidents. Kroll also observed a number of malware infections via USB this quarter, potentially pointing to wider external factors that may encourage insider threat, such as an increasingly fluid labor market and economic turbulence.

Kroll also saw an increase in general malware as a threat incident type, fueled by the proliferation of information stealing malware such as URSA, Vidar and Raccoon, among others.

With the widespread use of info-stealer malware, it may come as no surprise that Kroll continues to see valid accounts used to gain an initial foothold into a network. This shows that, in many cases, threat actors are using legitimate credentials to access and authenticate into systems.

Q3 2022 Threat Timeline

  • July 8 – LockBit 3.0 Unveiled: LockBit 3.0, the first ransomware bug bounty program, is released. Many new extortion tactics are added to its repertoire, and bounty payments for improvements or vulnerabilities are advertised.
  • July 28 – New MFA Bypass Phishing Method: A new phishing tactic that exploits the Microsoft Edge WebView2 control is released. Threat actors exploit WebView2 in order to steal cookies and credentials after a user has successfully logged in, bypassing MFA and gaining full access.
  • August 2 – Increase in Vishing and Smishing Attacks: An increase in phishing attacks was observed, specifically vishing and smishing attacks in which threat actors attempt to gain valuable personal information for financial gain through phone calls, voice altering software, text messages and other tools.
  • August 24 – WordPress Sites Hacked: Hacked WordPress sites are changed to display fake Cloudflare DDoS protection pages.
  • September 6 – Vice Society Ransomware Attacks on School Districts: U.S. school districts are increasingly targeted by the Vice Society ransomware group. The FBI, CISA and the MS-ISAC advise that attacks against the education sector could potentially increase during the 2022 to 2023 school year.
  • September 30 – Microsoft ProxyNotShell Vulnerability: At the end of Q3, a new exploit now known as ProxyNotShell is released based on two vulnerabilities, CVE-2022-41040 and CVE-2022-41082. The new exploit uses a similar chained attack to that in the 2021 ProxyShell exploit, which we covered in the Q4 Quarterly Threat Landscape Report 2021 and Q1 Quarterly Threat Landscape Report 2022 and continue to see used in attacks.

Insider Threats and Rapidly Evolving Market Conditions

Dubbed the “great resignation” by many media outlets, 2021 and early 2022 saw the rise of employees seeking new opportunities in the wake of the COVID-19 pandemic and the shift to remote work. This has been encouraged by the growth in supply of potential employment, with the Organization for Economic Co-operation and Development (OECD) registering an overall net gain of more than 9 million jobs in June 2022 for OECD countries, compared to pre-pandemic levels.

While always a challenge, the risk of insider threat is particularly high during the employee termination process. Disgruntled employees may seek to steal data or company secrets to publicly undermine an organization, while other employees may seek to move over data–such as contacts lists and other proprietary documents–that they can leverage at their new organizations.

Case Study: In the Firing Line for Data Theft

Many of the cases Kroll observed in Q3 coincided with the employee termination process. In one example, an employee attempted to steal gigabytes worth of data by copying it over to cloud storage networks. In this instance, the company followed a standard protocol that included disabling the user’s accounts and deleting data from cloud storage accounts accessible to them. Months after the employee left for a competitor, the organization began to suspect that the individual was using company data at their new position in order to enhance sales efforts. A review of the individual’s personal laptop identified that they had created copies of company data on multiple cloud storage accounts and personal data storage devices when they still had access to the corporate network. A review of the individual’s web browser history also identified multiple searches related to personal cloud storage and deleting log files.

Through forensic analysis, Kroll was able to create a timeline of activity showing the movement of confidential files across multiple personal emails, cloud storage accounts and physical devices. Activity largely coincided with suspicious search terms, such as deleting log files, indicating that the user knew the activity was wrong and made a deliberate effort to cover their tracks.

  “Insider threat is a unique problem in cybersecurity,” says Kroll Associate Managing Director Jaycee Roth. “Unlike the usual circumstances in cyber security, where you are defending the network from (at least in the initial attack stage) external attackers, in an insider threat situation, you are defending the business from someone on the inside. This can be particularly difficult, as the user often won’t raise any red flags and could have a high level of permissions and access rights. The only way you may be able to identify the threat in flight is through suspicious behavior, such as detecting mass downloads or uploads. This therefore makes file and folder access auditing—in addition to logging on-file transfer services—particularly important for tracking, especially within regulated industries or with servers containing sensitive data. Failure to monitor closely could mean that the real damage has already been done by the time you recognize an incident has occurred.”

Threat Incidents: Malware Jumps, Insider Threat Soars

With email compromise plateauing at 30% and the ratio of overall ransomware attacks declining in the third quarter, Kroll observed modest increases in other threat incident types, such as unauthorized access (27%), web compromise (7%) and malware (5%).

After declining in Q2, web compromise saw a small uptick in Q3. Kroll’s experts note that web compromises impacting small- to medium-sized e-commerce websites have been on the rise since the onset of the COVID-19 pandemic, when many brick-and-mortar stores had to either partially or completely move their sales efforts to e-commerce platforms. In many of these instances, cyber security may have taken a backseat as merchants worked to maintain sales amid lockdowns. Although there is not one singular vulnerability related to this activity, Kroll has frequently observed actors taking advantage of e-commerce sites which have little to no capability to identify malicious activity and a lack of robust back-ups or patch management systems. In extreme cases where the actor has been on the system for a long time, many businesses are having to rebuild their sites from scratch to ensure security mechanisms and proper logging are in place.

Malware (excluding ransomware) saw a jump from 1% in Q2 to 5% of cases in Q3. This increase is likely linked to the proliferation of information stealing malware such as Redline, Raccoon, Vidar and URSA. These types of malware, also known as “info-stealers,” are typically spread through phishing campaigns. Once a victim’s machine is infected, the malware is able to target and steal a variety of data, including browser histories, device fingerprints, login credentials and financial data. Information from this malware is often sold on credential markets, where a buyer may purchase a listing that gives them access from a compromised computer, from which they can then launch an attack. It is also widely believed that information gained through this type of malware helps to fuel the activities of initial access brokers operating in the ransomware ecosphere by providing legitimate credentials for access into corporate networks.

Threat Actors Targeting Credentials for Initial Access

In Q3, Kroll observed an uptick in phishing and the use of valid accounts as a vector for initial access. Kroll saw a rise in phishing lures being sent via text message—known as “smishing”—where threat actors sent the malicious payload via a container file instead of an Office document (e.g., .ISO instead of .docx or .word) and instances where, in lieu of a link, cybercriminals used social engineering to dupe victims into calling a phone number from which a fraudulent call center would walk them through the installation of malware or a remote management tool.

Valid accounts for initial access, where legitimate credentials are used to access an account, was another area in which Kroll observed growth from Q2 to Q3. Cybercriminals using this method may take over an account in several different ways, such as purchasing credentials from information-stealing malware or credential-stuffing attacks.

Case Study: Credential Stealing Malware via Email

In one case observed by Kroll, a victim received a phishing email prompting the recipient to download banking software from what appeared to be a well-known financial institution. In reality, the user was downloading the banking portal module feature of URSA malware. Once downloaded, the banking portal module is configured to display fake windows any time users attempt to connect to one of the legitimate financial organizations that the malware targets for credential-stealing. To the end-user, the portals appear to be legitimate. Users are prompted to enter information, such as credentials and MFA tokens, which is then stolen by the threat actors and used to access the legitimate banking site. In this instance, while the user interacted with the actor-controlled banking module, threat actors used the credentials to attempt two large transactions, one of which was successfully executed for upward of $100,000.

  “The combination of fake windows, portals and credential-stealing malware makes for a difficult scam for users to identify,” says Mark Johnson, Senior Vice President at Kroll. “Once they’ve fallen victim to the initial phishing attack, the process looks incredibly similar to the legitimate website, and consequently many will enter their credentials as usual. While it goes without saying that being vigilant to potential phishing attacks will reduce the chances of this type of attack being successful, it’s also important to pay close attention to your accounts so that you can urgently advise your bank of transactions you don’t recognize.”

A Rise in Attacks via USB

In recent months, Kroll has observed an increase in USB-based malware cases targeting clients. Over the past two years, due to the pandemic, the hybrid work model has increased in use among many organizations. This change resulted in many employees starting to utilize their own devices to carry out their day-to-day tasks, using USBs to transfer data from one device to another. In Q3 2022, threat actors and cybercriminal groups were observed sending and dropping USB drives to victims’ offices with the intention of operators gaining access to their devices after the USB drives were plugged in.

Kroll has worked on a number of cases where a USB device was found to be the initial access vector. In one case, an infected USB device contained multiple malware strains which ultimately attempted to install a cryptominer on the user’s system. Fortunately, the endpoint detection and response tool was able to identify the suspicious activity before it could be installed.

Kroll also identified infections from USB devices containing .LNK files which, when clicked, run an MSI installer process to fetch and install RaspberryRobin, a malware strain typically distributed via USB drive.

Ransomware Activity: Variable but Impactful

With Conti officially shutting down their actor-controlled site on June 23, the official release of LockBit 3.0 dominated the ransomware headlines in the first part of Q3. Against this backdrop, Kroll saw its incidence of LockBit cases increase dramatically during the quarter.

By the end of Q3, LockBit, which once recruited insiders  to help them launch malware, found themselves dealing with their own insider leak as the builder for LockBit 3.0 was leaked on GitHub. Likely to have been leaked by a former member dissatisfied with financial proceeds, researchers identified attacks leveraging the builder within two to three days of the leak.

Meanwhile, as students across the globe transitioned back to classes, multiple ransomware groups, including Hive and Vice Society, targeted the education sector with high-profile ransomware attacks. In Q3, the education sector accounted for nearly 10% of all ransomware attacks, second only to manufacturing (12%). Similar to last quarter, CVE/Zero-Day Exploitation (33%) and External Remote Services (22%) were the most likely initial access methods for ransomware attacks.

Sector Analysis: Professional Services Sees Sharp Rise in Attacks

Professional services overtook health care as the most targeted sector overall in Q3, accounting for 21% of all Kroll cases, compared with just 12% in Q2. Common threat incident types impacting professional services included email compromise (40%), unauthorized access (27%) and ransomware (10%).

It is positive to see a reduction in attacks on a number of sectors such as technology and telecoms, hospitality and financial services in comparison with the previous quarter. However, the speed and volume of the changes in attack levels observed quarter to quarter throughout 2022 highlight that organizations in all sectors must ensure they are taking appropriate steps to maintain a robust security posture.

Best Practices for Defending Against Insider and Physical Threats

To protect against and detect insider threats, our experts recommend that organizations:

  • Deploy, manage and monitor Endpoint Detection & Response (EDR) sensors to all endpoints within the network
  • Communicate with physical security operations centers and/or investigation teams to collaborate and share data
  • Conduct robust logging and random auditing of active directory or other privileged access credentials
  • Disable USBs and other external peripheral devices from company-owned devices
  • Use canary or honey tokens throughout corporate infrastructure
  • Require employees to use only company-approved devices and systems
  • Maintain restrictions for using social networking sites and non-corporate email on company devices
  • Employ digital risk protection solutions such as Kroll’s CyberDetectER® DarkWeb  that continuously monitors at-risk data
  • Integrate checks of cyber security program elements into your internal audit and compliance programs to assure that they are working as intended
  • Watch for early warning indicators that include remote access during off-hours, unexplained exporting of large amounts of data and never taking a vacation
  • Restrict physical and electronic access immediately for any departing employees
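Two of the early warning indicators in the list above, off-hours remote access and unusually large data exports, are simple to turn into detection logic. The following is an added example written for this page, not Kroll tooling; the log format (timestamp,user,event,bytes), the 08:00 to 18:59 business-hours window, the 1 GB per user per day export threshold and the log lines themselves are all constructed assumptions.

```python
"""Flag off-hours VPN logins and oversized per-user daily exports in a
constructed access log. Added illustration; format and thresholds are
assumptions, not Kroll's."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format): timestamp,user,event,bytes
SAMPLE_LOG = """\
2022-09-12T09:15:00,alice,vpn_login,0
2022-09-12T09:40:00,alice,file_export,12000000
2022-09-12T23:55:00,bob,vpn_login,0
2022-09-13T00:10:00,bob,file_export,1800000000
2022-09-13T00:25:00,bob,file_export,900000000
2022-09-13T10:00:00,carol,file_export,5000000
"""

BUSINESS_HOURS = range(8, 19)        # 08:00-18:59 counts as on-hours (assumption)
EXPORT_THRESHOLD = 1_000_000_000     # 1 GB per user per day (assumption)


def parse_log(text: str):
    """Turn the CSV-ish lines into (datetime, user, event, bytes) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, nbytes = line.split(",")
        events.append((datetime.fromisoformat(ts), user, event, int(nbytes)))
    return events


def off_hours_remote_access(events):
    """(user, timestamp) for every VPN login whose hour falls outside business hours."""
    return [(user, ts.isoformat()) for ts, user, event, _ in events
            if event == "vpn_login" and ts.hour not in BUSINESS_HOURS]


def large_exports(events, threshold: int = EXPORT_THRESHOLD):
    """Sum exported bytes per (user, calendar day); keep the pairs above threshold.
    Summing per day catches an insider who splits one large pull into several."""
    totals = defaultdict(int)
    for ts, user, event, nbytes in events:
        if event == "file_export":
            totals[(user, ts.date().isoformat())] += nbytes
    return {k: v for k, v in totals.items() if v > threshold}


def alerts(text: str = SAMPLE_LOG) -> dict:
    """Run both indicators over a log and return the findings."""
    events = parse_log(text)
    return {"off_hours_access": off_hours_remote_access(events),
            "large_exports": large_exports(events)}
```

On the sample log, only bob trips both indicators: a 23:55 VPN login followed by 2.7 GB exported in two pieces the next morning. In practice the baseline should be per-user (a backup operator legitimately exports more than an analyst), but the per-day aggregation is the part that matters.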

Recognizing the Threat Within

A number of positive trends in Q3, such as a plateau in email compromise and a decline in ransomware attacks, have been overshadowed by the significant rise in insider threats. Impacts from the pandemic are still being felt as a more fluid labor market and continued high levels of remote or hybrid working influence the threat landscape. Organizations are under greater pressure than ever to assess their potential security threats from multiple perspectives, including both external threats and those hidden within the organization.


Cisco Umbrella

How trojan malware is evolving to survive and evade cybersecurity in 2021

By Artsiom Holub

We have met the enemy and he is us. Pogo’s famous maxim applies directly to the threat of trojans in 2021.

Although they are some of the oldest forms of malware, and, in their commodity forms, are seen less often these days, trojans have proved to be durable and adaptable. They avoid detection, embed and intertwine themselves into routine computer operations, and generally have evolved to evade cybersecurity defenses.

In short, trojans are surviving and thriving by becoming part of the cyber furniture.

But that doesn’t mean they don’t have some mean tricks up their sleeves. In fact, trojans have acquired a second life as the workhorses of larger, multi-staged cyberattack chains.

Sample attack chain

We observed this transformation of trojans in The modern cybersecurity landscape: Scaling for threats in motion, published in November 2020. In that report, we cited Emotet and Ursnif/Gozi as examples of trojans that have evolved on to bigger and badder things. Some of the reasons why attackers reuse malware include:

  • Their “Swiss Army knife” abilities allow them to deploy follow-up malware in a Loader-as-a-Service model that does further damage down the cyberattack chain.
  • Their highly distributed command-and-control (C2) infrastructure makes takedown much harder to implement.

But there are more tricks that make these the workhorses of unauthorized hackers.

1. Like any software in production, trojans are continuously updated by their operators, with C2 infrastructure delivering the new builds

Our first example, Taidoor, is a RAT connected to Chinese government actors as assessed by the United States Federal Bureau of Investigation (FBI) with high confidence. This is one of the oldest trojans still circulating. It first appeared in 2008.

The new version of the RAT consists of two parts: a loader in DLL form, and a main RAT module that is stored as RC4-encrypted binary data. The loader first decrypts the main RAT module, then calls its exported start function. Malicious actors use these variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.
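The loader step described above (decrypt an RC4 blob, then hand control to the result) is also the analyst's first triage step in reverse: decrypt the resource and check whether what comes out is a valid PE before spending time on it. The block below is an added helper written for this page, not Taidoor's code. The RC4 key, the candidate-key list and the constructed stand-in module are assumptions; the real sample's key is not given here.

```python
"""RC4-decrypt an embedded module blob and confirm that the result is a
Windows PE before treating it as the main module. Added analyst helper,
not Taidoor's code; key and blob are constructed for the example."""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation); decryption == encryption."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """The two signatures a loader needs before it can map the module:
    'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew (0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def fake_pe_module() -> bytes:
    """Constructed stand-in for the RAT module: a DOS header whose e_lfanew
    points at a PE signature, followed by filler. Not a real executable."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40 bytes
    struct.pack_into("<I", dos_header, 0x3C, 0x40)   # PE header starts right after
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20 + b"<constructed module body>"


# Hypothetical key list an analyst might try (a wrong guess first, then the right one).
CANDIDATE_KEYS = [b"wrongkey", b"taidoor-demo-key"]


def recover_module(encrypted: bytes, keys=CANDIDATE_KEYS):
    """Try each candidate key; return (key, plaintext) for the first result that
    parses as a PE, or None. A wrong key yields noise that fails the PE check."""
    for key in keys:
        plain = rc4(key, encrypted)
        if looks_like_pe(plain):
            return key, plain
    return None


# Constructed encrypted blob, stored the way the loader's resource would be.
ENCRYPTED_MODULE = rc4(b"taidoor-demo-key", fake_pe_module())
```

The PE check is deliberately the same one the loader performs implicitly: if the decrypted bytes do not start with MZ and point at a PE signature, the loader would crash, so an analyst can use the same test to confirm a recovered key without running anything.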

We know that this RAT module has variants that trace back to 2011. A blog post published in September 2020 by ReversingLabs documents this and notes:

“(M)alware families require a lot of maintenance and improvement to achieve long-term operability. Even though such continuous upgrading helps malware avoid detection mechanisms, it also results in related malware versions.”

The bottom line is that a great deal of time and investment goes into malicious tools like this and the owners will go to great lengths over time to keep the investment viable.

2. Trojans go to great lengths to hide their tracks and avoid detection.

As antivirus, EDR/XDR, and sandbox capabilities proliferate, attackers are using more sophisticated forms of obfuscation and evasion techniques to protect the tools of their trade. One example we’ve seen recently is a new take on another old RAT, CRAT.

CRAT is a remote access trojan which consists of multiple RAT capabilities, additional plugins, and a variety of detection-evasion techniques. In the past, CRAT has been attributed to the Lazarus Group, the malicious threat actors behind multiple cyber campaigns, including attacks against the entertainment sector.

Apart from the prebuilt RAT capabilities, the malware uses obfuscation and extensive evasion techniques to hide its malicious indicators and employs a highly modular plugin framework to selectively infect targeted endpoints.

Most importantly, it deploys RAT malware to ransack the endpoint, followed by deployment of ransomware to either extort money or burn infrastructure of targeted entities. Over time, CRAT has acquired extensive capabilities through the use of a modular framework. These include screen capture plugins, clipboard monitor plugins, keylogger plugins, and ransomware.

As we mentioned, the CRAT makers have gone to lengths to hide the trojan’s actions. The RAT is highly obfuscated in terms of:

  • String Obfuscation: These are used to thwart string-based static malware detection signatures.
  • API Resolution: This makes analysis cumbersome for an analyst by hiding API call sequences.
  • Runtime Code Patching: This likely evades detection mechanisms that scan process memory to identify malicious strings and code.

Cisco Talos notes that: “The use of multiple obfuscations signifies the attacker’s confidence in selective obfuscation rather than the use of packers as a means of evasion. Many detection systems look for the presence of a packer using techniques such as entropy analysis, Import API analyses, etc. Selective obfuscation of code and strings prevents these systems from detecting the malware solely on the basis of the obfuscations.”
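The Talos observation is worth seeing in numbers: an entropy-only packer check flags a whole-file compressed or encrypted binary, but selectively XOR-obfuscated strings barely move the file's entropy while still defeating string signatures. The block below is an added illustration for this page, not CRAT or Talos code; the three "binaries" are constructed (a 64-symbol pseudo-random byte stream stands in for native code, zlib compression stands in for a packer), and the 7.0 bits-per-byte threshold is a common heuristic, assumed here rather than taken from the page.

```python
"""Entropy-only packer detection versus selective obfuscation. Added
illustration; the samples are constructed, not real malware."""
import math
import random
import zlib


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def xor_obfuscate(s: bytes, key: int = 0x5A) -> bytes:
    """Single-byte XOR: the cheapest string obfuscation that still breaks static string sigs."""
    return bytes(b ^ key for b in s)


# Constructed stand-in for native code: bytes drawn from a 64-symbol alphabet
# (about 6 bits/byte, in the range seen for real x86 .text sections). Fixed seed.
_rng = random.Random(2021)
CODE = bytes(_rng.randrange(64) for _ in range(4000))
IOCS = [b"http://c2.example.invalid/gate.php", b"CreateRemoteThread", b"VirtualAllocEx"]

PLAIN = CODE + b"\x00".join(IOCS)                                   # nothing hidden
SELECTIVE = CODE + b"\x00".join(xor_obfuscate(s) for s in IOCS)     # only the strings changed
PACKED = zlib.compress(PLAIN, 9)                                     # whole-file "packing"

PACKER_THRESHOLD = 7.0   # near-uniform bytes suggest compression/encryption (assumed heuristic)


def entropy_report(threshold: float = PACKER_THRESHOLD) -> dict:
    """Per sample: (entropy rounded to 2 dp, would an entropy-only detector flag it?)."""
    report = {}
    for name, blob in (("plain", PLAIN), ("selective", SELECTIVE), ("packed", PACKED)):
        h = shannon_entropy(blob)
        report[name] = (round(h, 2), h > threshold)
    return report


def string_hits(blob: bytes) -> int:
    """How many of the plaintext IOCs a string-based signature still finds in the blob."""
    return sum(1 for s in IOCS if s in blob)
```

The packed sample is the only one above the threshold, yet the selectively obfuscated sample has lost every string a signature would match on. That is the gap the Talos quote describes: entropy and import analysis catch packers, so an attacker who obfuscates only what signatures look for slips under both.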

3. Trojans often make use of existing automation and standard internal processes to “blend into the wallpaper” and thereby persist undetected.

In The modern cybersecurity landscape: Scaling for threats in motion, we noted that fileless automation (Excel 4.0 macros, VBA or PowerShell, for instance) was often being used. Cyberattacks make use of legitimate software automation to hide and then reveal commands. We provided an example of an Excel 4.0 macro exploit that uses the Binary Interchange File Format (BIFF) to hide an embedded Microsoft Excel file.

Here is an example that has shown up recently using other existing automation: Valak, an information stealer and malware loader. Valak relies on scheduled tasks and Windows registry updates to remain persistent on an infected Windows host. The trojan uses NTFS Alternate Data Streams (ADS) to stage and run follow-up malware. The configuration scripts used during the infection process are obfuscated in an attempt to evade detection.

The use of ADS, in particular, represents a serious ongoing threat, as it can easily hide follow-up malware. Furthermore, Valak will likely continue to find easy entry points because of its targeted nature, rich modular architecture and fast development cycles.
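The persistence pattern above (a scheduled task and a Run key that both point at a payload tucked into an alternate data stream) is detectable because each piece leaves a distinct host event. The block below is an added example for this page, not Valak's code and not a vendor rule. It runs over constructed Sysmon-style JSON events; the field names, the file and task names, the Zone.Identifier allowlist and the use of Event IDs 1 (process create), 13 (registry value set) and 15 (file stream create) are assumptions for the illustration.

```python
"""Detection logic for a task + Run key + ADS persistence chain over
constructed Sysmon-style events. Added example; events are not from a
real host and the field layout is an assumption."""
import json
import re

# Constructed events (backslashes are JSON-escaped inside the raw string).
EVENTS = r"""
{"EventID": 15, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\u\\Downloads\\invoice.docx:Zone.Identifier"}
{"EventID": 15, "Image": "C:\\Windows\\System32\\wscript.exe", "TargetFilename": "C:\\Users\\Public\\report.pdf:stage2.js"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\wscript.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd", "Details": "wscript C:\\Users\\Public\\report.pdf:stage2.js"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /sc minute /mo 5 /tn upd /tr \"wscript C:\\Users\\Public\\report.pdf:stage2.js\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /sc daily /tn nightly /tr C:\\Backup\\run.bat"}
"""

# drive:\path\file:stream  -> capture the stream name
ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\.*?:(?P<stream>[^\\:]+)$")
# any ADS-looking path embedded in a command line
ADS_IN_CMD_RE = re.compile(r'[A-Za-z]:\\[^\s"]*?:[A-Za-z0-9_.]+')
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
BENIGN_STREAMS = {"Zone.Identifier"}   # mark-of-the-web stream every browser download gets


def ads_stream(path: str):
    """Return the stream name if the path names an alternate data stream, else None."""
    m = ADS_PATH_RE.match(path)
    return m.group("stream") if m else None


def classify(event: dict):
    """Label one event, or return None when it is not interesting on its own."""
    eid = event.get("EventID")
    if eid == 15:
        stream = ads_stream(event.get("TargetFilename", ""))
        if stream and stream not in BENIGN_STREAMS:
            return "ads_write"
    elif eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        return "run_key_persistence"
    elif eid == 1:
        cmd = event.get("CommandLine", "")
        if ("schtasks" in event.get("Image", "").lower()
                and "/create" in cmd.lower() and ADS_IN_CMD_RE.search(cmd)):
            return "scheduled_task_ads"
    return None


def findings(text: str = EVENTS) -> list:
    """Labels for every interesting event, in log order."""
    return [label for label in (classify(json.loads(line))
                                for line in text.strip().splitlines()) if label]


def persistence_chain(labels) -> bool:
    """All three pieces present: a non-MOTW stream written, a Run key set and a task
    that executes from a stream. Any one alone is noise; together they match the chain."""
    return {"ads_write", "run_key_persistence", "scheduled_task_ads"} <= set(labels)
```

The allowlist matters: Zone.Identifier streams are written constantly by browsers and mail clients, so an ADS rule without it drowns in noise. The nightly backup task is left alone because its action does not reference a stream; the chain verdict is what an analyst would page on.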

4. Finally, trojans are really ramping up their hide-and-go-seek game through the use of steganography (hiding data, here malicious code, inside an innocuous carrier such as an image file).

Cardinal RAT is a remote access Trojan (RAT) that has been active since 2015. The latest instance of Cardinal RAT employs obfuscation in the form of steganography: the initial sample is compiled with .NET and contains an embedded bitmap (BMP) file. Upon execution, the malware reads this file, parses out pixel data from the image, and decrypts the result. Cardinal RAT is able to collect system information, act as a reverse proxy, steal passwords, download and execute new files, and capture keystrokes and screenshots.
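The three steps named above, parse the BMP header, walk the pixel array, decrypt what is in it, are all the implant needs, and writing them out makes clear why the image still renders as a (noisy) picture. The block below is an added example for this page, not Cardinal RAT's code. The carrier is constructed in the example; the 4-byte length prefix, the "one payload byte per pixel byte" layout, the repeating-key XOR and the 5-pixel-wide image (chosen so row padding is exercised) are assumptions, since the real sample's layout and cipher are not described on this page.

```python
"""Embed bytes in a BMP pixel array and extract + decrypt them again,
mirroring the steganography step described above. Added example; the
layout and cipher are assumptions, not the real sample's."""
import struct


def build_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Minimal 24-bit BMP: 14-byte file header + 40-byte info header, rows padded to 4 bytes."""
    row = width * 3
    stride = (row + 3) & ~3
    body = b"".join(pixels[y * row:(y + 1) * row].ljust(stride, b"\x00") for y in range(height))
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(body), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + body


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used here as a stand-in for whatever cipher the real sample uses."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed(payload: bytes, key: bytes, width: int = 5) -> bytes:
    """Carrier BMP whose pixel bytes are [4-byte length][XOR'd payload][zero filler]."""
    blob = struct.pack("<I", len(payload)) + xor_bytes(payload, key)
    height = -(-len(blob) // (width * 3))            # ceiling division
    pixels = blob.ljust(width * 3 * height, b"\x00")
    return build_bmp(width, height, pixels)


def extract(bmp: bytes, key: bytes) -> bytes:
    """What the implant does at run time: parse the header, walk the rows (dropping the
    per-row padding), read the length prefix, decrypt that many bytes."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    bpp = struct.unpack_from("<H", bmp, 28)[0]
    row = width * bpp // 8
    stride = (row + 3) & ~3
    data = b"".join(bmp[pixel_offset + y * stride: pixel_offset + y * stride + row]
                    for y in range(abs(height)))
    n = struct.unpack_from("<I", data, 0)[0]
    return xor_bytes(data[4:4 + n], key)
```

Nothing in the header betrays the payload: the file is a well-formed bitmap, which is why format validation alone does not catch this. Entropy of the pixel region does, because encrypted payload bytes look nothing like the smooth gradients of a real image.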

For more information on how steganography can operate in plain sight, check out Shyam Sundar Ramaswami’s excellent blog post, “Using entropy to spot the malware hiding in plain sight.”

Trojans have adapted and evolved over decades now. The capabilities and TTPs they have acquired make them highly useful and, therefore, quite formidable for cyber defenders. They will undoubtedly continue to surprise and challenge us. Never underestimate a well-built trojan.

The modern cybersecurity landscape

For more information about the various forms of trojans and how to stop them, check out The modern cybersecurity landscape: Scaling for threats in motion , and review our Interactive Intelligence capabilities .


IACR Cryptology ePrint Archive, Paper 2022/1720

Red Team vs. Blue Team: A Real-World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations

Verifying the absence of maliciously inserted Trojans in ICs is a crucial task, especially for security-enabled products. Depending on the concrete threat model, different techniques can be applied for this purpose. Assuming that the original IC layout is benign and free of backdoors, the primary security threats are usually identified as the outsourced manufacturing and transportation. To ensure the absence of Trojans in commissioned chips, one straightforward solution is to compare the received semiconductor devices to the design files that were initially submitted to the foundry. Clearly, conducting such a comparison requires advanced laboratory equipment and qualified experts. Nevertheless, the fundamental techniques to detect Trojans which require evident changes to the silicon layout are nowadays well understood. Despite this, there is a glaring lack of public case studies describing the process in its entirety while making the underlying datasets publicly available. In this work, we aim to improve upon this state of the art by presenting a public and open hardware Trojan detection case study based on four different digital ICs using a Red Team vs. Blue Team approach. Here, the Red Team creates small changes acting as surrogates for inserted Trojans in the layouts of 90 nm, 65 nm, 40 nm, and 28 nm ICs. The task of the Blue Team is to detect all differences between the digital layout and the manufactured device by means of a GDSII–vs–SEM-image comparison. Can the Blue Team perform this task efficiently? Our results spark optimism for the Trojan seekers and answer common questions about the efficiency of such techniques for relevant IC sizes. Further, they allow conclusions to be drawn about the impact of technology scaling on detection performance.


The Trojan Horse

Digital Health, Human Rights, and Global Health Governance

Sara L M Davis , PhD


Please address correspondence to the author. Email: [email protected].

Competing interests: None declared.

This is an open access article distributed under the terms of the Creative Commons Attribution Non-Commercial License ( http://creativecommons.org/licenses/by-nc/4.0/ ), which permits unrestricted noncommercial use, distribution, and reproduction.

The COVID-19 pandemic has massively accelerated a global shift toward new digital technologies in health, a trend underway before the crisis. In response to the pandemic, many countries are rapidly scaling up the use of new digital tools and artificial intelligence (AI) for tasks ranging from digital contact tracing, to diagnosis, to health information management, to the prediction of future outbreaks. This shift is taking place with the active support of numerous private actors and public actors. In particular, United Nations (UN) development agencies, such as the World Health Organization (WHO), are actively encouraging this trend through normative guidance and technical cooperation aimed at helping the governments of low- and middle-income countries to assess their needs for digital health, develop national digital health strategies, and scale up digital interventions. 1 At the same time, global health financing agencies, such as the Global Fund to Fight AIDS, TB and Malaria, are financing these technologies through aid to national health programs and through their own public-private partnerships. But in this major effort to spur low- and middle-income countries to race toward the digital future, are UN development agencies adequately considering the risks?

In 2019, UN Special Rapporteur on Extreme Poverty and Human Rights Philip Alston cautioned that digital technologies could be a “trojan horse” for forces that seek to dismantle and privatize economic and social rights, undermining progress toward the Sustainable Development Goals (SDGs) instead of speeding it. 2 Similarly, in 2020, UN Special Rapporteur on Racism Tendayi Achiume warned that technology is shaped by and frequently worsens existing social inequalities. 3

As this article explores, these and other serious social effects may be accelerated by the rapid scale-up of digital technologies in health. An enabling policy and legal environment that confronts these risks and judiciously plans for them should be a precondition to the scale-up of digital technologies, not an afterthought. As part of its normative and technical advice to governments on digital technologies and AI in health, WHO should be supporting governments in assessing risks and needs and in ensuring that these governments also receive the advice they need to put in place laws, policies, and governance mechanisms to protect and uphold human rights. But to date, the main equity and human rights risk that WHO and other UN development agencies appear to view with real urgency is the need to overcome the “digital divide”—inequitable access to digital technologies and internet connectivity that might undermine access to digital health for impoverished and marginalized populations. In June 2020, the UN Secretary-General warned that closing the digital divide is now “a matter of life or death.” 4 While addressing the digital divide is a legitimate concern in an increasingly digital age, a disproportionate focus on this issue could itself become a trojan horse, a poisoned gift to low- and middle-income countries that legitimizes sweeping access for private actors and state power, while rolling back hard-won human rights protections.

This article explores four risks in particular: the expansion of state surveillance, the risk of malicious targeting, numerous challenges linked to the management of partnerships with powerful private companies, and the risks of scaling up digital interventions for which scientific evidence is weak.

A trojan horse for state surveillance

In 2013, the UN General Assembly adopted a resolution expressing concern over the negative impact of technological surveillance on human rights. 5 A series of reports by UN Special Rapporteur on the Right to Freedom of Opinion and Expression David Kaye highlighted the systematic use of technologies to violate privacy rights. 6 The COVID-19 response has intensified these concerns, as some states expand systems of surveillance that could later be utilized for political purposes.

Function creep has been highlighted as a risk whenever personal data is gathered. 7 The Global Commission on HIV and the Law has particularly warned of the risk of digitally collected biometric information being used by the police. 8 The proposed gathering of biometric data (such as fingerprints or iris scans) for an HIV study sparked specific concerns for marginalized and criminalized groups in Kenya—namely, sex workers, men who have sex with men, transgender people, and people who use drugs—about the use of the data to target individuals for arrest. 9

China offers a cautionary example of this targeted use of biometric data. To manage the coronavirus, the Chinese government requires citizens to download an app from Alibaba, a US$500 billion e-commerce company. The app was developed in partnership with the police and uses a color code to identify those free to travel, at risk, or in need of immediate quarantine, based on data that includes travel history and time spent in proximity to others with the virus. 10 Subway stations use thermal scanners to check for high temperatures, incorporating facial recognition technology. 11

These tools were developed by some of the same companies responsible for developing AI systems used to profile millions of Uighur Muslims. 12 The systems track individual communications, police records, patronage at mosques, and individual movements to identify people considered high risk and place them in forced labor camps.

Beijing now actively exports these surveillance technologies, through its Belt and Road Initiative, to over 60 countries as a form of development assistance. 13 In August 2020, the International Telecommunication Union’s AI for Good Global Summit tweeted a promotional video praising China’s use of artificial intelligence without mentioning related abuses. 14 WHO has also praised China’s response to COVID-19 without mentioning related rights abuses. 15

Some humanitarian aid agencies, such as the International Committee of the Red Cross, have developed policies strictly limiting the gathering and use of biometric data, aiming to prevent state and nonstate actors from using data gathered for humanitarian purposes to target people for harm. 16 However, there is currently no agreed approach to the governance and use of biometrics and other sensitive data among normative agencies, such as WHO, and funding agencies, such as the Global Fund, which often provide advice to the same countries. In fact, WHO’s draft digital strategy, approved in 2020, appears to contravene its own data protection policy, according to an analysis by the Third World Network. 17 To promote consistent and rights-respecting governance, agencies that normally work together to provide technical support and funding to low- and middle-income countries on health interventions should also work together to establish a common bottom line with regard to privacy, surveillance, and policing in the name of health, including policies on biometrics (potentially using the International Committee of the Red Cross’s policy as a starting point); and certainly, they should deplore China’s use of technology and AI for abusive policing, not extol it on social media as a model.

A trojan horse for malicious targeting

Security experts have documented the growing use of AI systems for malicious purposes, including to attack both digital security (through phishing attacks, speech synthesis for impersonation, automated hacking, and data poisoning) and physical security (attacks using autonomous weapons systems, using micro-drones, and subverting cyber-physical systems). 18 UN High Commissioner for Human Rights Michelle Bachelet has warned of the abuse of digital technologies to attack individuals and groups. 19 There are now growing cyber attacks against medical facilities which take advantage of hospitals’ growing dependence on digital systems. 20

Even where states do not retain the data, data gathered by digital contact tracing apps could enter the public domain, exposing women, girls, and other vulnerable groups such as LGBTI+ people or stigmatized groups to risks of stalking, extortion, or violence. 21 In South Korea, for example, digital contact tracing app data was used to create a “coronamap” website showing the travel histories of anonymous confirmed patients and identifying them by gender and age; as this information was publicly accessible, individuals were accused of infidelity, fraud, and sex work, and some were the targets of online witch hunts aimed at identifying individuals who had spread the virus. Moreover, individual businesses were associated with COVID-19 transmission after they were identified through contact tracing, and some were targeted for extortion. 22 Privacy International has documented data-exploitative tactics used by some organizations to target women with misinformation about contraception and abortion. 23 The International Committee of the Red Cross and Privacy International have further found that mobile technologies leave digital trails that could be used to target individuals. 24

The growing dependence of health systems on digital technologies and AI thus creates many new vulnerabilities, and as Achiume has noted, due to inequalities that already exist in our societies, the risks are greater for some groups than for others. Incidents such as those documented in South Korea could undermine public trust and make many people reluctant to download or use mobile health apps. This may even have been the case in Singapore, where early downloads of the coronavirus app TraceTogether flatlined at just 20% of the population, leading the government to step back from promoting its use. 25

A trojan horse for the private sector

Public-private partnerships may significantly benefit private actors, raising questions about the appropriate use of taxpayer funds.

Shoshana Zuboff has shown how tech giants such as Facebook and Google have turned data into a source of profit through “surveillance capitalism.” 26 Today, private companies of all sizes race to locate big datasets that they can either sell for profit or use to train and improve algorithms, developing profitable tools. However, the supply of big data in the Global North is not enough to meet the demand, and privacy regulations in Europe and North America are growing stricter, thanks to the European General Data Protection Regulation. Health systems in low-resource settings offer potentially vast, as-yet-untapped reserves of big data in countries with weaker regulatory controls.

Thus, the private sector has a strong interest in partnering with health agencies to roll out new AI-enabled digital health tools in low- and middle-income countries, thereby accessing big data that would be harder to access in countries with stronger regulation, a form of “data colonialism.” 27 Private companies may benefit significantly from partnerships in which there is no immediate obvious financial gain.

These partnerships sometimes include companies with problematic track records. In 2018, the World Food Programme’s five-year partnership with data-mining firm Palantir was criticized by civil society due to Palantir’s history of collaboration with Cambridge Analytica, the Los Angeles and New York Police Departments, Immigration and Customs Enforcement, and US intelligence agencies. 28 One internal Immigration and Customs Enforcement report revealed that Palantir data had been critical in locating and prosecuting the parents of immigrant children. 29 The World Food Programme issued a statement affirming that it would place controls on the use of data by Palantir, but critics continue to raise concerns about the risks for refugees and persons in displacement and to call for clearer standards for humanitarian programs. 30 In response to COVID-19, Palantir is now offering its services to public health agencies to track and analyze the spread of the coronavirus. 31

A trojan horse for unsupervised experimentation

WHO’s draft digital strategy argues that it hopes to “[build] a knowledge base … enabl[ing] testing, validating and benchmarking artificial intelligence solutions and big data analyses across various parameters and settings.” 32 But is it ethical to promote the testing, validating, and benchmarking of unproven health interventions in developing countries?

WHO’s systematic literature reviews of evidence for new digital technologies tend to be consistent in praising the promise these offer, while also highlighting the need for further implementation research. 33 WHO has acknowledged in its guidelines that the quality of evidence for digital health interventions is sometimes weak, yet it nonetheless recommends them. 34

The Committee on Economic, Social and Cultural Rights’ General Comment 14 on the right to health asserts that health facilities, goods, and services must be scientifically and medically appropriate and of good quality. 35 The rapid scale-up of new digital technologies, even those with promising pilots, should be promoted by WHO and financed by publicly funded agencies only if the evidence base is sufficient to justify bringing new tools to scale. Financing unproven digital interventions may leach resources away from interventions for which the evidence base is stronger—for example, harm reduction services, which are proven to work but are chronically underfunded. 36

The digital strategies and guidance currently emerging from global health agencies unfortunately make only minimal reference to these and other human rights concerns. 37 The report from the UN Secretary-General’s high-level panel on digital technologies set the tone with its emphasis on addressing the digital divide, recommending that “by 2030, every adult should have affordable access to digital networks, as well as digitally-enabled financial and health services, as a means to make a substantial contribution to meeting the SDGs.” 38 The panel’s recommendations on human rights protection were far less precise, calling only for “an agencies-wide review of how existing human rights accords and standards apply to new and emerging digital technologies.” 39 A year later, the “agencies-wide review” has yet to be published.

Similarly, WHO’s draft digital strategy and normative guidance to countries focus overwhelmingly on the promise, with little discussion of the risks discussed above. 40 The strategy’s four principles focus on urging countries to commit to digital health, recognizing the need for an integrated strategy, promoting the appropriate use of digital technologies for health, and recognizing the need to address impediments faced by the least-developed countries, and they make little reference to the concerns raised by UN human rights experts. 41 The strategy was approved by the WHO Executive Board in February 2020 and was on the agenda for approval by the World Health Assembly in November 2020. 42

Recognizing that trust and respect for human rights are critical to upholding the right to health and that it is crucial to ensure that the public feels secure in accessing health care, global health agencies such as WHO and the Global Fund should, following the Ruggie Framework, “know and show” that they have done due diligence in order to identify, prevent, and address human rights abuses linked to digital technologies in health. 43 This includes the following:

developing a common position across WHO, the Global Fund, and other UN development agencies on the risks linked to these technologies, and clearly committing to making respect for human rights standards a core principle of all strategies and guidance;

integrating consideration of the above risks into normative guidance by WHO and UNAIDS and developing risk assessment tools for countries and donor agencies;

integrating a robust approach to due diligence into ongoing technical assistance provided to low- and middle-income countries by such agencies as UNDP, UNAIDS, French 5%, and others to enable states to fully assess the track records of companies with which they do business;

developing biometrics and data management policies that share consistent principles across UN health agencies and global health funders: committing to and recommending the minimal use of biometrics, setting out legitimate uses of health and biometric data, committing to impact assessments for data processing, and setting out constraints on private sector access to health data; and

consulting with civil society—particularly affected communities—to ensure their involvement in the development and rollout of these policies.

Ultimately, states bear the responsibility to protect human rights; but UN development agencies and global health financing agencies, through the evidence-based normative guidance and technical cooperation they provide and the power they exercise as funders of health interventions, have significant influence on state decisions, and they cannot afford to be naive. As holders of the purse strings for billions in taxpayer contributions, they must do all they can to ensure that international cooperation does more good than harm. Given that technologies used in health will only continue to evolve, it is critical that respect for human rights move to the center of digital health governance and not be left as an afterthought.

Acknowledgments

The research for this article was supported in part by a consultancy with the Joep Lange Institute. I am grateful for input from Joe Amon, Christoph Benn, Erika Castellanos, Kene Esom, Tabitha Ha, Allan Maleche, Bruna Martinez, Mike Podmore, Tony Sandset, Peter van Rooijen, Akarsh Venkatasubramanian, Nerima Were, Carmel Williams, and two reviewers.

  • 1. See, for example, World Health Organization. Draft global strategy on digital health 2020–2025. Geneva: World Health Organization; 2020; World Health Organization and International Telecommunication Union. Be healthy, be mobile. Geneva: International Telecommunication Union; 2014; Global Fund. “Private sector partners step up the fight to end AIDS, TB and malaria” (press release, October 9, 2019). Available at https://www.theglobalfund.org/en/news/2019-10-09-private-sector-partners-step-up-the-fight-to-end-aids-tb-and-malaria
  • 2. United Nations General Assembly. Report of the Special Rapporteur on Extreme Poverty and Human Rights, UN Doc. A/74/493 (2019).
  • 3. Office of the United Nations High Commissioner for Human Rights. “Emerging digital technologies entrench racial inequality, UN expert warns” (press release, July 15, 2020). Available at https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=26101&LangID=E
  • 4. United Nations. “Digital divide ‘a matter of life and death’ amid COVID-19 crisis, Secretary-General warns virtual meeting, stressing universal connectivity key for health, development” (press release, June 11, 2020). Available at https://www.un.org/press/en/2020/sgsm20118.doc.htm
  • 5. United Nations General Assembly. Res. 68/147, UN Doc. A/RES/68/167 (2014).
  • 6. Human Rights Council. Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, UN Doc. A/HRC/41/35 (2019).
  • 7. Davis S., Maleche A. “Everyone said no: Key populations and biometrics in Kenya.” Health and Human Rights Journal (July 4, 2018).
  • 8. Global Commission on HIV and the Law. Risks, rights and health: Supplement. New York: UNDP; 2018, p. 8.
  • 9. KELIN and the Key Populations Consortium. “Everyone said no”: Biometrics, HIV and human rights, a Kenya case study. Nairobi: KELIN; 2018.
  • 10. Holmes A. “China is reportedly making people download an Alibaba-backed app that decides whether they’ll be quarantined for coronavirus.” Business Insider (March 2, 2020). Available at https://www.businessinsider.nl/alibaba-coronavirus-chinese-app-quarantine-color-code-2020-3?international=true&r=US
  • 11. Yuan S. “How China is using AI and big data to fight the coronavirus.” Al Jazeera (March 1, 2020). Available at https://www.aljazeera.com/news/2020/03/china-ai-big-data-combat-coronavirus-outbreak-200301063901951.html
  • 12. Gira Grant M. “The pandemic surveillance state.” New Republic (May 8, 2020).
  • 13. Feldstein S. The global expansion of AI surveillance. New York: Carnegie Endowment for International Peace; 2019.
  • 14. AI for Good Global Summit (@ITU_AIForGood). “What is #China’s digital #health strategy? #AI #AiforGood” (August 19, 2020). Available at https://twitter.com/ITU_AIForGood/status/1296031059948318720
  • 15. World Health Organization. Report of the WHO-China joint mission on coronavirus disease 2019 (COVID-19) (February 16–24, 2020). Available at https://www.who.int/docs/default-source/coronaviruse/who-china-joint-mission-on-covid-19-final-report.pdf
  • 16. Hayes B., Marelli M. “Facilitating innovation, ensuring protection: The ICRC biometrics policy.” Humanitarian Law and Policy (October 18, 2019). Available at https://blogs.icrc.org/law-and-policy/2019/10/18/innovation-protection-icrc-biometrics-policy
  • 17. Third World Network. “WHO: Draft global strategy on digital health threatens data sovereignty” (press release, February 6, 2020). Available at https://www.twn.my/title2/health.info/2020/hi200203.htm
  • 18. Brundage M., Avin S., Clark J. The malicious use of artificial intelligence: Forecasting, prevention and mitigation. Future of Humanity Institute, University of Oxford; Centre for the Study of Existential Risk, University of Cambridge; Center for a New American Security; Electronic Frontier Foundation; and OpenAI; February 2018, p. 4. Available at https://arxiv.org/pdf/1802.07228.pdf
  • 19. Bachelet M. “Human rights in the digital age” (speech to the Japan Society, October 17, 2019). Available at https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=25158&LangID=E
  • 20. Oxford Institute for Ethics, Law and Armed Conflict. Oxford statement on the international law protections against cyber operations targeting the health-care sector (May 2020). Available at https://law.yale.edu/sites/default/files/documents/pdf/Faculty/circulation_oxfordstatement_internationallawprotections_cyberoperations_healthcare.pdf
  • 21. Davis S. “Contact tracing apps: Extra risks for women and marginalized groups.” Health and Human Rights Journal (April 29, 2020).
  • 22. Kim N. “‘More scary than coronavirus’, South Korea’s health alerts expose private lives.” Guardian (March 6, 2020). Available at https://www.theguardian.com/world/2020/mar/06/more-scary-than-coronavirus-south-koreas-health-alerts-expose-private-lives ; Corona map: COVID-19 status map. Available at https://coronamap.site
  • 23. Privacy International. A documentation of data exploitation in sexual and reproductive rights (April 21, 2020). Available at https://privacyinternational.org/long-read/3669/documentation-data-exploitation-sexual-and-reproductive-rights
  • 24. International Committee of the Red Cross. Digital trails could endanger people receiving humanitarian aid, ICRC and Privacy International find (December 7, 2018). Available at https://www.icrc.org/en/document/digital-trails-could-endanger-people-receiving-humanitarian-aid-icrc-and-privacy
  • 25. Goggin G. “COVID-19 apps in Singapore and Australia: Reimagining healthy nations with digital technology.” Media International Australia (August 14, 2020). Available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7429912
  • 26. Zuboff S. The age of surveillance capitalism. London: Profile Books; 2019.
  • 27. Couldry N., Mejias U. “Data colonialism: Rethinking big data’s relationship to the colonial subject.” Television and New Media (April 20, 2018).
  • 28. Greenleaf G. “Global data privacy laws 2019: 132 national laws and many bills.” Privacy Laws and Business International Report. 2019;157:14–18.
  • 29. Mijente. “Palantir played key role in arresting families for deportation, document shows” (press release, May 2, 2019). Available at https://mijente.net/2019/05/palantir-arresting-families
  • 30. Raymond N., Walker McDonald L., Chandran R. “Opinion: The WFP and Palantir controversy should be a wake-up call for humanitarian community.” Devex (February 14, 2019). Available at https://www.devex.com/news/opinion-the-wfp-and-palantir-controversy-should-be-a-wake-up-call-for-humanitarian-community-94307
  • 31. Palantir. Responding to COVID-19 (November 15, 2020). Available at https://www.palantir.com/covid19
  • 32. World Health Organization (2020, see note 1), para. 17.
  • 33. Abaza H., Marschollek M. “mHealth application areas and technology combinations: A comparison of literature from high and low/middle income countries.” Methods of Information in Medicine. 2017;56(7):e105–e122. doi: 10.3414/ME17-05-0003; Agbo C., Mahmoud Q., Eklund J. “Blockchain technology in healthcare: A systematic review.” Healthcare (Basel). 2019;7(2):56. doi: 10.3390/healthcare7020056; Bervell B., Al-Samarraie H. “A comparative review of mobile health and electronic health utilization in sub-Saharan African countries.” Social Science and Medicine. 2019;232:1–16. doi: 10.1016/j.socscimed.2019.04.024; Fontaine G., Cossette S., Maheu-Cadotte M., et al. “Efficacy of adaptive e-learning for health professionals and students: A systematic review and meta-analysis.” BMJ Open. 2019;9(8):e025252. doi: 10.1136/bmjopen-2018-025252; Henry K., Wilkes A., McDonald C., et al. “A rapid review of eHealth interventions addressing the continuum of HIV care (2007–2017).” AIDS and Behavior. 2018;22(1):43–63. doi: 10.1007/s10461-017-1923-2; Kemp C., Velloza J. “Implementation of eHealth interventions across the HIV care cascade: A review of recent research.” Current HIV/AIDS Reports. 2018;15(6):403–413. doi: 10.1007/s11904-018-0415-y; Konduri N., Bastos G., Sawyer K., Reciolino L. “User experience analysis of an eHealth system for tuberculosis in resource-constrained settings: A nine-country comparison.” International Journal of Medical Informatics. 2017;102:118–129. doi: 10.1016/j.ijmedinf.2017.03.017; Rhoads D., Mathison B., Bishop H., et al. “Review of telemicrobiology.” Archives of Pathology and Laboratory Medicine. 2016;140(4):362–370. doi: 10.5858/arpa.2015-0116-RA; Ross J., Stevenson F., Lau R., Murray E. “Factors that influence the implementation of e-health: A systematic review of systematic reviews (an update).” Implementation Science. 2016;11(1):146. doi: 10.1186/s13012-016-0510-7.
  • 34. World Health Organization. Recommendations on digital interventions for health systems strengthening. 2019.
  • 35. Committee on Economic, Social and Cultural Rights. General Comment No. 14, The Right to the Highest Attainable Standard of Health, UN Doc. E/C.12/2000/4 (2000), para. 12(c).
  • 36. UNAIDS. Health, rights and drugs: Harm reduction, decriminalization and zero discrimination for people who use drugs. Geneva: UNAIDS; 2019.
  • 37. See, for example, World Health Organization (2020, see note 1); World Health Organization. Digital health for the end TB strategy: Agenda for action. Geneva: World Health Organization; 2015; United Nations Development Programme. Future forward: UNDP digital strategy. New York: United Nations Development Programme; 2020. By contrast, USAID’s digital strategy does address human rights risks; see USAID. USAID’s digital strategy. Washington, DC: USAID; 2020.
  • 38. UN Secretary-General’s High-level Panel on Digital Cooperation. The age of digital interdependence. New York: United Nations; 2019, p. 4.
  • 39. Ibid., p. 30.
  • 40. World Health Organization. Recommendations on digital interventions for health system strengthening; World Health Organization. Classification of digital health interventions v1.0, WHO/RHR/18.06 (2018); World Health Organization. Digital technologies: Shaping the future of primary health care, WHO/HIS/SDS/2018.55 (2018); World Health Organization. Global diffusion of eHealth: Making universal health coverage achievable. Geneva: World Health Organization; 2016; World Health Organization. WHO compendium of innovative health technologies for low-resource settings. Geneva: World Health Organization; 2015; World Health Organization. The MAPS toolkit: mHealth assessment and planning for scale. Geneva: World Health Organization; 2015; World Health Organization. Early detection, assessment and response to acute public health events: Implementation of early warning and response with a focus on event-based surveillance; Interim version. Lyon: World Health Organization; 2014; World Health Organization. National eHealth strategy toolkit. Geneva: World Health Organization; 2011; World Health Organization. mHealth: New horizons for health through mobile technologies. 2011. Available at https://www.who.int/goe/publications/goe_mhealth_web.pdf
  • 41. World Health Organization (2020, see note 1), paras. 22–30.
  • 42. World Health Organization. Data and innovation: Global strategy on digital health, EB146(15) (2020).
  • 43. Office of the United Nations High Commissioner for Human Rights. Guiding principles on business and human rights. New York: United Nations; 2011.
Trojan Horse Virus

Discover how Trojans work, the types of Trojan malware, and how to recognize them.

What is a Trojan Horse Virus?

A Trojan horse virus is a type of malware that is downloaded onto a computer disguised as a legitimate program. The attacker typically uses social engineering to hide malicious code inside apparently legitimate software so that the user, by installing it, grants the attacker access to the system.

A simple way to answer the question “what is a Trojan?” is that it is a type of malware that typically arrives hidden as an email attachment or a free-to-download file and is then transferred onto the user’s device. Once downloaded, the malicious code executes the task the attacker designed it for, such as gaining backdoor access to corporate systems, spying on users’ online activity, or stealing sensitive data.

Indications of a Trojan being active on a device include unusual activity, such as computer settings changing unexpectedly.

History of the Trojan Horse

The original story of the Trojan horse can be found in the Aeneid by Virgil and the Odyssey by Homer. In the story, the enemies of the city of Troy were able to get inside the city gates using a horse they pretended was a gift. The soldiers hid inside the huge wooden horse and once inside, they climbed out and let the other soldiers in.

There are a few elements of the story that make the term “Trojan horse” an appropriate name for these types of cyber attacks:

  • The Trojan horse was a unique solution to the target’s defenses. In the original story, the attackers had laid siege to the city for 10 years and hadn’t succeeded in defeating it. The Trojan horse gave them the access they had been wanting for a decade. A Trojan virus, similarly, can be a good way to get behind an otherwise tight set of defenses.
  • The Trojan horse appeared to be a legitimate gift. In a similar vein, a Trojan virus looks like legitimate software.
  • The soldiers in the Trojan horse controlled the city’s defense system. With a Trojan virus, the malware takes control of your computer, potentially leaving it vulnerable to other “invaders.”

Artistic illustration of the Trojan horse approaching Troy.


How Trojans Work

Unlike computer viruses, a Trojan horse cannot manifest by itself, so it needs a user to download the server side of the application for it to work. This means the executable (.exe) file must be run and the program installed before the Trojan can attack the device’s system.

A Trojan virus spreads through legitimate-looking emails and files attached to emails, which are spammed to reach the inboxes of as many people as possible. When the email is opened and the malicious attachment is downloaded, the Trojan server will install and automatically run every time the infected device is turned on. 

Devices can also be infected by a Trojan through social engineering tactics, which cyber criminals use to coerce users into downloading a malicious application. The malicious file could be hidden in banner advertisements, pop-up advertisements, or links on websites. 

A computer infected by Trojan malware can also spread it to other computers. A cyber criminal turns the device into a zombie computer, which means they have remote control of it without the user knowing. Hackers can then use the zombie computer to continue sharing malware across a network of devices, known as a botnet.

For example, a user might receive an email from someone they know, which includes an attachment that also looks legitimate. However, the attachment contains malicious code that executes and installs the Trojan on their device. The user often will not know anything untoward has occurred, as their computer may continue to work normally with no signs of it having been infected. 

The malware will reside undetected until the user takes a certain action, such as visiting a certain website or banking app. This will activate the malicious code, and the Trojan will carry out the hacker’s desired action. Depending on the type of Trojan and how it was created, the malware may delete itself, return to being dormant, or remain active on the device.

Trojans can also attack and infect smartphones and tablets using a strain of mobile malware. This could occur through the attacker redirecting traffic to a device connected to a Wi-Fi network and then using it to launch cyberattacks.

Most Common Types of Trojan Malware

There are many types of Trojan horse viruses that cyber criminals use to carry out different actions and different attack methods. The most common types of Trojan used include:

  • Backdoor Trojan : A backdoor Trojan enables an attacker to gain remote access to a computer and take control of it using a backdoor. This enables the malicious actor to do whatever they want on the device, such as deleting files, rebooting the computer, stealing data, or uploading malware. A backdoor Trojan is frequently used to create a botnet through a network of zombie computers.
  • Banker Trojan : A banker Trojan is designed to target users’ banking accounts and financial information. It attempts to steal account data for credit and debit cards, e-payment systems, and online banking systems.
  • Distributed denial-of-service (DDoS) Trojan : These Trojan programs carry out attacks that overload a network with traffic. They send multiple requests from a computer or a group of computers to overwhelm a target web address and cause a denial of service.
  • Downloader Trojan : A downloader Trojan targets a computer that has already been infected by malware, then downloads and installs more malicious programs to it. This could be additional Trojans or other types of malware like adware.
  • Exploit Trojan : An exploit malware program contains code or data that takes advantage of specific vulnerabilities within an application or computer system. The cyber criminal will target users through a method like a phishing attack, then use the code in the program to exploit a known vulnerability.
  • Fake antivirus Trojan : A fake antivirus Trojan simulates the actions of legitimate antivirus software. The Trojan is designed to detect and remove threats like a regular antivirus program, then extort money from users for removing threats that may be nonexistent.
  • Game-thief Trojan : A game-thief Trojan is specifically designed to steal user account information from people playing online games.
  • Instant messaging (IM) Trojan : This type of Trojan targets IM services to steal users’ logins and passwords. It targets popular messaging platforms such as AOL Instant Messenger, ICQ, MSN Messenger, Skype, and Yahoo Pager.
  • Infostealer Trojan : This malware can either be used to install Trojans or prevent the user from detecting the existence of a malicious program. The components of infostealer Trojans can make it difficult for antivirus systems to discover them in scans.
  • Mailfinder Trojan : A mailfinder Trojan aims to harvest and steal email addresses that have been stored on a computer.
  • Ransom Trojan : Ransom Trojans seek to impair a computer’s performance or block data on the device so that the user can no longer access or use it. The attacker will then hold the user or organization ransom until they pay a ransom fee to undo the device damage or unlock the affected data.
  • Remote access Trojan : Similar to a backdoor Trojan, this strand of malware gives the attacker full control of a user’s computer. The cyber criminal maintains access to the device through a remote network connection, which they use to steal information or spy on a user.
  • Rootkit Trojan : A rootkit is a type of malware that conceals itself on a user’s computer. Its purpose is to stop malicious programs from being detected, which enables malware to remain active on an infected computer for a longer period.
  • Short message service (SMS) Trojan : An SMS Trojan infects mobile devices and is capable of sending and intercepting text messages. This includes sending messages to premium-rate phone numbers, which increases the costs on a user’s phone bill.
  • Spy Trojan : Spy Trojans are designed to sit on a user’s computer and spy on their activity. This includes logging their keyboard actions, taking screenshots, accessing the applications they use, and tracking login data.
  • SUNBURST : The SUNBURST Trojan was distributed to numerous SolarWinds Orion Platform installations. Victims were compromised by trojanized versions of a legitimate, digitally signed SolarWinds file named SolarWinds.Orion.Core.BusinessLayer.dll. The trojanized file is a backdoor. Once on a target machine, it remains dormant for a two-week period and then retrieves commands that allow it to transfer and execute files, perform reconnaissance, reboot the machine, and halt system services. Communication occurs over HTTP to predetermined URIs.

How to Recognize a Trojan Virus

A Trojan horse virus can often remain on a device for months without the user knowing their computer has been infected. However, telltale signs of the presence of a Trojan include computer settings suddenly changing, a loss in computer performance, or unusual activity taking place. The best way to recognize a Trojan is to search a device using a Trojan scanner or malware-removal software.
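The page says a Trojan installs itself so that it runs every time the device is turned on, and that settings changing unexpectedly is a telltale sign. The Python below is an added example, not code from the original page or from Fortinet: it diffs a known-good snapshot of autostart entries (Run keys, scheduled tasks, services) against a fresh one and ranks what changed. Both snapshots, the hashes and the hostnames are constructed for the example; on a real host they would be collected from the registry, the task scheduler and the service manager.

```python
"""Autostart baseline diff: flag new, changed or removed persistence entries."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AutorunEntry:
    location: str    # where the entry lives: Run key, scheduled task, service
    name: str
    image_path: str  # binary the entry launches
    signed: bool     # publisher signature present and valid
    sha256: str      # hash of the binary on disk (constructed values below)


# Legitimate installers rarely register a persistent binary under these paths.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

Finding = Tuple[str, str, AutorunEntry]  # (severity, reason, entry)


def entry_key(e: AutorunEntry) -> str:
    return f"{e.location}|{e.name}"


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(d in lowered for d in USER_WRITABLE_DIRS)


def diff_autoruns(baseline: List[AutorunEntry], current: List[AutorunEntry]) -> List[Finding]:
    """Compare two snapshots and return findings, worst first."""
    base = {entry_key(e): e for e in baseline}
    now = {entry_key(e): e for e in current}
    rank = {"high": 0, "medium": 1, "low": 2}
    findings: List[Finding] = []
    for key, entry in now.items():
        old = base.get(key)
        if old is None:
            reasons = ["new autostart entry"]
        elif old.sha256 != entry.sha256 or old.image_path != entry.image_path:
            reasons = ["existing entry now launches a different binary"]
        else:
            continue  # unchanged since the baseline
        severity = "medium"
        if is_user_writable(entry.image_path):
            reasons.append("binary lives in a user-writable directory")
            severity = "high"
        if not entry.signed:
            reasons.append("binary is unsigned")
            severity = "high"
        findings.append((severity, "; ".join(reasons), entry))
    for key, entry in base.items():
        if key not in now:
            findings.append(("low", "baseline entry removed", entry))
    findings.sort(key=lambda f: rank[f[0]])  # stable sort keeps discovery order within a tier
    return findings


# --- constructed sample snapshots (hashes are placeholders, not real values) ---
RUN_HKLM = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
RUN_HKCU = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

BASELINE_SNAPSHOT = [
    AutorunEntry(RUN_HKLM, "SecurityHealth",
                 "C:\\Windows\\System32\\SecurityHealthSystray.exe", True, "1111"),
    AutorunEntry("Services", "Spooler",
                 "C:\\Windows\\System32\\spoolsv.exe", True, "2222"),
    AutorunEntry("Tasks", "VendorUpdate",
                 "C:\\Program Files\\Vendor\\updater.exe", True, "3333"),
]
LATEST_SNAPSHOT = [
    AutorunEntry(RUN_HKLM, "SecurityHealth",
                 "C:\\Windows\\System32\\SecurityHealthSystray.exe", True, "1111"),
    # same service name, but the binary on disk is no longer the one we knew
    AutorunEntry("Services", "Spooler",
                 "C:\\Windows\\System32\\spoolsv.exe", False, "9999"),
    # new Run value pointing at an unsigned file dropped in the user's profile
    AutorunEntry(RUN_HKCU, "WindowsUpdate",
                 "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", False, "abcd"),
]


def run_demo() -> List[Finding]:
    findings = diff_autoruns(BASELINE_SNAPSHOT, LATEST_SNAPSHOT)
    for severity, reason, entry in findings:
        print(f"[{severity}] {entry.location}\\{entry.name}: {reason} -> {entry.image_path}")
    return findings


if __name__ == "__main__":
    run_demo()
```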

Examples of Trojan horse virus attacks

Trojan attacks have been responsible for causing major damage by infecting computers and stealing user data. Well-known examples of Trojans include:

  • Rakhni Trojan: The Rakhni Trojan delivers ransomware or a cryptojacker tool—which enables an attacker to use a device to mine cryptocurrency—to infect devices.
  • Tiny Banker: Tiny Banker enables hackers to steal users’ financial details. It was discovered when it infected at least 20 U.S. banks.
  • Zeus or Zbot: Zeus is a toolkit that targets financial services and enables hackers to build their own Trojan malware. The source code uses techniques like form grabbing and keystroke logging to steal user credentials and financial details.

How to protect yourself from Trojan viruses

Practicing good cyber hygiene is always the best first line of defense against Trojan viruses and other threats. Keep your operating systems updated and patched, run anti-virus software and allow it to scan your devices regularly, and avoid phishing attacks by carefully inspecting inbound emails.

While browsing the web, pay attention to the URLs displayed in your browser address bar. Also, inspect links before you click on them. And install a privacy or security extension from your browser vendor's extensions store.


The Trojan Horse Virus: Understanding the Silent Threat

May 16, 2023

The trojan horse virus is a significant cybersecurity threat. Now that businesses have moved their operations online, the risks from these hidden threats are growing. Many users and enterprises don’t detect the presence of a trojan until after substantial damage occurs.

In this in-depth exploration, we’ll navigate the intricate world of trojan viruses, detailing their modus operandi, their diverse variants, and the essential strategies businesses can employ to guard against them.

What is a Trojan Horse?

The term “Trojan Horse” in cybersecurity refers to malicious software or files disguised as legitimate. This deceptive tool is designed to mislead users about its true intent and thereby gain unauthorized access to their systems.

Etymology: Historical Context

Drawing its name from the famous Greek strategy, the “Trojan Horse” story revolves around Greek warriors concealed within a large wooden statue. Presented as a token of surrender, the Trojans unknowingly welcomed this “gift” into their fortified city. Later, the hidden warriors emerged, facilitating the Greeks’ victory.

In the cyber context, trojan malware also deceives its way into systems. While the original Trojan Horse smuggled Greek warriors without detection, cyber trojans facilitate undetected malware that can spread once it has access to the system.

Operational Deception

Trojans present themselves in a myriad of ways: camouflaged within seemingly innocuous email attachments, masked as software patches, or even embedded within attractive applications. These disguises cater to users’ behaviors and preferences, enticing them to inadvertently initiate the trojan’s execution, and consequently, endangering their systems.

How Do Trojan Viruses Work?

Trojan viruses are the quintessential digital double agents, appearing harmless but possessing a harmful intent. By understanding their modus operandi, we can better defend against these cyber threats.

Silent Infiltration

Trojans can begin their clandestine operations once they enter the system; they can also remain dormant at first. Distinct from other types of malware, which might result in noticeable glitches or system slowdowns, trojans are designed to be discreet. They avoid any significant disruptions or overt activities that might alert users to their presence.

This stealth approach ensures their malicious tasks go undetected for prolonged periods, granting them ample time to achieve their objectives.

Diverse Malicious Activities

The utility of a trojan is largely defined by its architecture and the motivations of the orchestrating cybercriminal. For some, the end goal is data exfiltration, capturing critical credentials or financial data and relaying them to the adversary.

Others might weaponize the compromised device, turning it into a ‘bot’ under their command. Such bots are commonly aggregated into large networks, termed botnets, which can be mobilized for widespread cyber operations.

Additionally, there are trojans optimized for system exploitation, leveraging existing vulnerabilities to propagate additional malware or to embed persistent access channels, facilitating sustained unauthorized access for the attacker.

Types of Trojan Horse Attacks

As cybersecurity evolves, so do hacker strategies and tools. Trojan attacks, though longstanding, have not faded away; instead, they’ve diversified into an array of subtypes, each perfected for specific malicious endeavors. Understanding these distinctions is crucial for effective defense. Here are some of the most prevalent types of trojan attacks:

Backdoor Trojans

Backdoor trojans provide a covert access point for hackers. Once installed, they allow cybercriminals unparalleled remote control over an infected device. With this level of access, hackers can manipulate files, sending, receiving, deleting, or even altering their contents.

Furthermore, they can exploit this backdoor to introduce other forms of malware, further compromising the system’s security and integrity. This trojan type grants hackers full control over the compromised device.

Exploit Trojans

Exploit trojans are named aptly, as they exploit vulnerabilities within software applications. These vulnerabilities, often termed “zero-day,” offer a gateway for these trojans.

Once inside, the trojan provides a gateway or access point for other malicious software to enter and establish itself. They amplify the risk, making systems more susceptible to a broader range of threats. By capitalizing on these software weaknesses, exploit trojans serve as a bridge, ushering in more severe and diverse malware forms.

Downloader Trojans

Downloader trojans facilitate the introduction of additional malware. Their primary mission is singular yet potent: download and introduce newer iterations of malicious software.

Once activated, they connect to a remote server, from which they fetch and install subsequent malware versions. This continuous update mechanism ensures that the malware remains current, sidestepping potential detection methods or software patches. Additionally, they can be employed to download entirely different malware types, broadening the scope of the infection.
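The call-home behaviour described here, and in the SUNBURST entry earlier on this page (dormant, then polling predetermined URIs over HTTP for commands), leaves a network-side trace that a defender can look for: human browsing is bursty, while a malware check-in loop fires at a near-constant interval. The Python below is an added example, not code from the original page or from Emsisoft; it groups outbound requests by (client, destination, path) and flags series whose inter-request intervals barely vary. The log format, hostnames and timestamps are constructed for the example.

```python
"""Beacon detection over proxy logs: find near-periodic outbound request series."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed format, one request per line:
#   "<ISO-8601 timestamp> <client> <destination host> <path>"
SAMPLE_PROXY_LOG = """\
2024-03-01T09:00:00 ws-17 updates.example-cdn.test /api/v2/status
2024-03-01T09:01:10 ws-17 news.example.test /index.html
2024-03-01T09:01:25 ws-17 news.example.test /index.html
2024-03-01T09:03:40 ws-17 news.example.test /index.html
2024-03-01T09:10:05 ws-17 updates.example-cdn.test /api/v2/status
2024-03-01T09:19:58 ws-17 updates.example-cdn.test /api/v2/status
2024-03-01T09:30:02 ws-17 updates.example-cdn.test /api/v2/status
2024-03-01T09:31:00 ws-17 news.example.test /index.html
2024-03-01T09:31:05 ws-17 news.example.test /index.html
2024-03-01T09:40:00 ws-17 updates.example-cdn.test /api/v2/status
2024-03-01T09:49:57 ws-17 updates.example-cdn.test /api/v2/status
2024-03-01T09:58:30 ws-17 news.example.test /index.html
2024-03-01T10:00:03 ws-17 updates.example-cdn.test /api/v2/status
2024-03-01T10:10:01 ws-17 updates.example-cdn.test /api/v2/status
2024-03-01T09:05:00 ws-04 updates.example-cdn.test /api/v2/status
2024-03-01T09:15:00 ws-04 updates.example-cdn.test /api/v2/status
2024-03-01T09:25:00 ws-04 updates.example-cdn.test /api/v2/status
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one constructed log line into (timestamp, client, dest, path)."""
    ts, client, dest, path = line.split()
    return datetime.fromisoformat(ts), client, dest, path


def find_beacons(log_text: str, min_requests: int = 5, max_cv: float = 0.15) -> List[Dict]:
    """Return series whose interval coefficient of variation is at most max_cv.

    min_requests guards against calling two or three evenly spaced requests
    a beacon; max_cv is how regular the spacing must be (0 = perfectly periodic).
    """
    series: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, path = parse_line(line)
        series[(client, dest, path)].append(ts)

    hits: List[Dict] = []
    for (client, dest, path), stamps in series.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps, nothing to measure
        cv = pstdev(gaps) / avg  # spread of the intervals relative to their mean
        if cv <= max_cv:
            hits.append({"client": client, "dest": dest, "path": path,
                         "requests": len(stamps), "period_s": round(avg, 1),
                         "cv": round(cv, 3)})
    hits.sort(key=lambda h: h["cv"])  # most regular series first
    return hits


def run_demo() -> List[Dict]:
    hits = find_beacons(SAMPLE_PROXY_LOG)
    for h in hits:
        print(f"{h['client']} -> {h['dest']}{h['path']}: {h['requests']} requests "
              f"every ~{h['period_s']}s (cv={h['cv']})")
    return hits


if __name__ == "__main__":
    run_demo()
```

With the defaults only the ws-17 series to /api/v2/status is reported; lowering min_requests to 3 also surfaces the three evenly spaced ws-04 requests, which shows why the threshold matters on real traffic.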

Bot Trojans

Bot trojans are among the most disruptive cyber-attacks. These trojans, in essence, turn infected devices into weapons. They coordinate these compromised devices to simultaneously send an overwhelming volume of traffic to a specific target—usually a server or a network.

The deluge of requests causes the target to slow down drastically or even crash altogether. Beyond the immediate disruption, these attacks can serve as a smoke screen, diverting attention from other simultaneous cyber-espionage activities or data breaches.

Banking Trojans

Banking trojans target and steal financial information. Once installed, they can record keystrokes when users access online banking sites, capture screenshots, or even modify banking web pages in real-time to deceive users.

Their endgame is clear: siphon off funds or engage in identity theft. Often, they may redirect users to fake banking websites, inducing them to enter their credentials, which are then stolen.

Rootkit Trojans

Rootkits are designed to provide continued privileged access to a computer while actively hiding their presence. Once installed, they mask their activities and processes, making detection and removal exceptionally challenging.

Their ability to manipulate system functions makes them effective for advanced persistent threats (APTs). Rootkit trojans can alter system logs, deceive system diagnostic tools, and even manipulate standard system commands.

How to Prevent Trojan Malware Attacks

To mitigate trojan malware attacks, integrate proactive strategies, elevate user knowledge, and deploy advanced cybersecurity tools. Follow this structured approach to maintain trojan-resistant systems.

Awareness and Education

Understanding the nature and tactics of different malware types is the first step toward prevention.

Stay Updated: One of the main vectors trojans exploit is outdated software. Regularly update your OS, browsers, and all software to ensure known vulnerabilities are patched.

Safe Browsing Habits: Avoid visiting suspicious websites, especially those without secure HTTPS connections. Beware of pop-up ads and unexpected downloads.

Email Caution: Don’t open email attachments or click on links from unknown senders. Even if the sender appears familiar, always double-check before clicking anything.

Download Diligence

Trojans often hide in seemingly harmless files or software.

Trusted Sources: Only download software or files from reputable sources. Avoid third-party app stores or obscure websites.

Scan Before Opening: Before running any new software or file, perform a thorough malware scan to check for hidden threats.

Implement Robust Cybersecurity Measures

Employing a comprehensive cybersecurity solution is vital for early threat detection and neutralization.

Real-Time Monitoring: Ensure that your security solution offers real-time monitoring to actively screen files as they are downloaded or modified.

Web Protection: Opt for tools that offer web protection, blocking malicious websites and preventing accidental visits.

Firewall Configuration: Ensure you have a properly configured firewall. This acts as a first line of defense, filtering incoming and outgoing traffic based on predetermined security rules.

Emsisoft’s Proactive Protection Against Trojans

Incorporating a cybersecurity solution like Emsisoft can further fortify your defenses.

Dual-Engine Power: Emsisoft Anti-Malware Home employs two antivirus and anti-malware technologies, optimizing detection and reducing system impact.

Web Protection & Browser Security: Emsisoft enhances browsing security by proactively blocking access to malicious domains, countering phishing schemes, and deterring unauthorized malware transfers.

Real-time File Guard: This feature constantly checks all downloaded and modified files using its award-winning scanner, fortified with machine learning capabilities.

Trojans are formidable adversaries, but by combining user diligence, secure online habits, and deploying tools like Emsisoft, you can establish a formidable defense against these covert threats.

Trojan Horse Virus: FAQs

Can I delete a Trojan horse virus?

Yes, with the right antivirus solution like Emsisoft, trojan viruses can be identified, isolated, and deleted, ensuring they don’t wreak havoc on your system.

How do I know if I have a Trojan virus?

Signs may include reduced system performance, unexplained data usage, system crashes, or unauthorized system changes. It’s always best to run regular scans with trusted antivirus software to detect and remove threats.

Why are Trojan horse viruses so dangerous?

Trojan horse viruses are particularly treacherous because they disguise themselves as legitimate software or files, deceiving users into downloading and installing them. Once inside the system, they can perform a variety of malicious tasks without the user’s knowledge, ranging from data theft to system damage.

What’s the difference between a Trojan virus and regular malware?

While all trojans are malware, not all malware is a trojan. The key distinction is deception: trojans pretend to be benign to gain access, whereas other malware might exploit software vulnerabilities directly.

Can Trojan viruses spread to other devices on the same network?

Yes, some trojans are designed to propagate across networks, exploiting vulnerabilities in other connected devices, thus amplifying their reach and impact.

How often do new Trojan variants emerge?

The digital threat landscape is continually evolving, with new trojan variants appearing regularly. This highlights the importance of keeping antivirus solutions updated to recognize and combat the latest threats.

Do mobile devices like smartphones get Trojan viruses?

Absolutely. While traditionally associated with desktops, trojans have evolved to target mobile devices. They often masquerade as popular apps or system updates.

Can Trojans steal personal information like passwords and credit card details?

Yes, many trojans are specifically designed to capture and transmit sensitive information to cybercriminals. This data can then be used for identity theft, fraudulent transactions, or even sold on the dark web.

I downloaded software from a trusted website. Can it still contain a Trojan?

While less likely, it’s possible. Cybercriminals sometimes compromise legitimate websites to distribute malware-laden software. Always ensure the authenticity of downloads and maintain updated security software.

How does Emsisoft protect against zero-day Trojan threats?

Emsisoft employs advanced machine learning algorithms and heuristic analysis to detect and block not only known trojans but also new, unidentified variants that exhibit suspicious behaviors.

Does updating my software really help against Trojans?

Yes, many trojans exploit known vulnerabilities in outdated software. Software updates often contain patches to address these vulnerabilities, thus shutting the door on potential trojan attacks.

What should I do if I suspect a Trojan infection?

Immediately run a comprehensive system scan with a trusted antivirus solution like Emsisoft. If a trojan is detected, follow the recommended steps to quarantine and remove the threat. Additionally, consider changing passwords and monitoring accounts for unusual activity.

How does Emsisoft’s dual-engine combat Trojans?

Emsisoft’s dual-engine technology combines the power of two antivirus and anti-malware engines to optimize the detection of trojans and reduce false positives. This synergy allows Emsisoft to recognize both known trojan signatures and unfamiliar patterns, ensuring comprehensive protection against both established and emerging trojan threats.

Does Emsisoft’s File Guard detect hidden Trojans?

Absolutely. Emsisoft’s Real-time File Guard is designed to constantly check all downloaded and modified files. With its award-winning scanner fortified by machine learning capabilities, it can detect hidden trojans even if they try to mask their malicious intent. This ensures that users are protected even from the most deceptive trojan attacks.

How does Emsisoft respond to detected Trojans?

Upon detecting a trojan, Emsisoft immediately isolates the threat to prevent it from executing any malicious operations. The software then alerts the user and recommends appropriate actions, which may include quarantining or deleting the infected file. Additionally, Emsisoft’s continuous monitoring ensures that any subsequent attempts by the trojan to modify or harm your system are swiftly blocked.

Trojan horse viruses, with their multifaceted attack vectors and evasive techniques, remain a critical cybersecurity concern for businesses on a global scale. Deeply understanding their propagation mechanisms, behavioral patterns, and variant classifications is foundational to devising effective countermeasures.

Emsisoft offers a robust defense matrix against trojans, integrating dual-engine antivirus and anti-malware technologies for optimized threat detection. Enhanced with real-time file guarding and fortified browser security, Emsisoft provides businesses with the necessary tools to thwart both known and emerging cyber threats.


Zach Simas

Zach is a multifaceted writer, specializing in finance, tech, and now broadening his expertise into the cybersecurity domain. When he’s not writing — Zach expresses his creativity through music as a singer, bassist, and producer.


Trojan horse - Virus or malware?

Trojans are programs that claim to perform one function but actually do another, typically malicious. Trojans can take the form of attachments, downloads, and fake videos/programs.


What is a Trojan horse? 

Beware of Greeks bearing gifts: In Virgil’s epic poem, The Aeneid, a clever Greek war strategist named Odysseus devises a plan to get his men inside the walled city of Troy. Instead of destroying or climbing the city’s walls, Odysseus sees another way in: with deception. Trojan soldiers watch as the Greeks appear to sail away, leaving behind a giant wooden horse as a token of surrender. Drunk on victory, the Trojans bring the horse inside their walls, only to discover Odysseus and his men were hidden inside the whole time.

Like their namesake, Trojan horse attacks (or simply “Trojans”) in computing are a type of malware that uses deception and social engineering to trick unsuspecting users into running seemingly benign programs that hide malicious ulterior motives. Although technically they are not computer viruses but a separate form of malware, “Trojan horse virus” has become a common way to refer to them.

How to characterize a Trojan

People sometimes think of a Trojan as a virus or a worm, but it is really neither. A virus is a file infector which can self-replicate and spread by attaching itself to another program. Worms are a type of malware similar to viruses, but they don’t need to be attached to another program in order to spread. Most viruses are now seen as legacy threats. Worms have also become rare, though they do pop up from time to time. 

“A Trojan can be like a Swiss Army knife of hacking.”

Think of Trojans as an umbrella term for malware delivery, because there are various kinds of Trojans. Depending on the criminal programmer’s intent, a Trojan can be like a Swiss Army knife of hacking—acting as a bit of standalone malware, or as a tool for other activities, such as delivering future payloads, communicating with the hacker at a later time, or opening up the system to attacks just as the Greek soldiers did from inside the Trojan fortress.

Put another way, a Trojan is a delivery strategy that hackers use to deliver any number of threats, from ransomware that immediately demands money, to spyware that conceals itself while it steals valuable information like personal and financial data.

Keep in mind that adware or PUPs (potentially unwanted programs) can be confused with Trojans because the delivery method is similar. For example, sometimes adware sneaks onto your computer as part of a bundle of software. You think you’re downloading one piece of software, but it’s really two or three. The program authors usually include the adware for marketing affiliate reasons so they can monetize their installer with offers—usually clearly labeled. Such adware bundlers are typically less malicious than Trojans. Also, they do not conceal themselves as Trojans do. But since the adware distribution vector resembles that of a Trojan, it can cause confusion.

Trojan virus symptoms

Trojans can look like just about anything, from free software and music, to browser advertisements to seemingly legitimate apps. Any number of unwise user behaviors can lead to a Trojan infection. Here are a few examples:

  • Downloading cracked applications. Promises of an illegal free copy of a piece of software can be enticing, but the cracked software or activation key generator may conceal a Trojan attack.
  • Downloading unknown free programs. What looks like a free game or screensaver could really be a Trojan, especially if you find it on an untrustworthy site.
  • Opening infected attachments. You get a strange email with what looks like an important attachment, like an invoice or a delivery receipt, but it launches a Trojan when you click on it.
  • Visiting shady websites. Some sites only need a moment to infect your computer. Others use tricks like pretending to stream a popular movie, but only if you download a certain video codec, which is really a Trojan.
  • Any other social engineering that disguises itself by taking advantage of the latest trends. For example, in December 2017, an extensive installed base of Intel processors was discovered to be vulnerable to attack due to hardware issues. Hackers leveraged the ensuing panic by faking a patch called Smoke Loader, which installed a Trojan.

Trojan horse news

  • SharkBot Android banking Trojan cleans users out
  • Trojan Source: Hiding malicious code in plain sight
  • Polazert Trojan using poisoned Google Search results to spread
  • Bizarro: a banking Trojan full of nasty tricks
  • Android Trojan xHelper uses persistent re-infection tactics: here’s how to remove
  • New version of IcedID Trojan uses steganographic payloads
  • New Android Trojan malware discovered in Google Play
  • Trojans: What’s the real deal?

History of Trojan horse virus

Fun and games.

A program called ANIMAL, released in 1975, is generally considered the world’s first example of a Trojan attack. It presented itself as a simple game along the lines of twenty questions. However, behind the scenes, the game copied itself onto shared directories where other users could find it. From there, the game could spread across entire computer networks. For the most part, it was a harmless prank.

By December 1989, Trojan attacks weren’t for pranks anymore. Several thousand floppy disks containing the AIDS Trojan, the first known ransomware, were mailed to subscribers of PC Business World magazine and a World Health Organization AIDS conference mailing list. This DOS Trojan would lay dormant for 90 boot cycles, encrypt all filenames on the system, then display a notice asking the user to send $189 to a post office box in Panama in order to receive a decryption program.

In the 1990s, another infamous Trojan appeared disguised in the form of a simple Whack-A-Mole game. The program hid a version of NetBus , a program that allows one to remotely control a Microsoft Windows computer system over a network. With remote access, the attacker could do any number of things to a computer, even open its CD tray.

Love and money

In 2000, a Trojan called ILOVEYOU became the most destructive cyberattack in history at the time, with damages estimated up to $8.7 billion. Recipients received an email with what looked like a text attachment named “ILOVEYOU.” If they were curious enough to open it, the program would launch a script that would overwrite their files and send itself to every email in the user’s contact list. As clever as the worm was from a technical perspective, its use of social engineering was arguably its most ingenious component.

Through the 2000s, Trojan attacks continued to evolve, as did the threats they carried. Instead of targeting people’s curiosity, Trojans leveraged the rise of illegal downloading, disguising malware as music files, movies, or video codecs. In 2002, a Windows-based backdoor Trojan horse called Beast emerged and was capable of infecting almost all versions of Windows. Then, in late 2005, another backdoor Trojan called Zlob was distributed disguised as a required video codec in the form of ActiveX.

The 2000s also saw a rise in the number of Mac users, and cybercriminals followed suit. In 2006, the discovery of the first-ever malware for Mac OS X, a low-threat Trojan Horse known as OSX/Leap-A or OSX/Oompa-A, was announced.

The motivations behind Trojan attacks also began to shift around this time. Many early cyberattacks were motivated by a lust for power, control, or pure destruction. By the 2000s, an increasing number of attacks were motivated by greed. In 2007, a Trojan named Zeus targeted Microsoft Windows in order to steal banking information by means of a keylogger. In 2008, hackers released Torpig, also known as Sinowal and Mebroot, which turned off anti-virus applications, allowing others to access the computer, modify data, and steal confidential information like passwords and other sensitive data.

Bigger and badder

As cybercrime entered the 2010s, the greed continued, but hackers started thinking bigger. The rise of untraceable cryptocurrencies like Bitcoin led to a rise in ransomware attacks. In 2013, the Cryptolocker Trojan horse was discovered. Cryptolocker encrypts the files on a user’s hard drive and demands a ransom payment to the developer in order to receive the decryption key. Later that same year, a number of copycat ransomware Trojans were also discovered.

“Many of the Trojans we hear about today were designed to target a specific company, organization, or even government.”

The 2010s have also seen a shift in how victims are targeted. While many Trojans still use a blanket approach, attempting to infect as many users as possible, a more targeted approach seems to be on the rise. Many of the Trojans we hear about today were designed to target a specific company, organization, or even government. In 2010, Stuxnet, a Windows Trojan, was detected. It was the first worm to attack computerized control systems, and there are suggestions that it was designed to target Iranian nuclear facilities. In 2016, Tiny Banker Trojan (Tinba) made headlines. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC, and Bank of America. In 2018, the Emotet Trojan, once a banking Trojan in its own right, was seen to be delivering other types of malware, including other Trojans.

As one of the oldest and most common ways to deliver malware, the history of Trojans follows the history of cybercrime itself. What started as a way to prank one’s friends morphed into a way to destroy networks, steal information, make money, and seize power. The days of pranks are long gone. Instead, Trojans continue to be serious cybercriminal tools used mostly for data stealing, espionage, and Distributed Denial of Service (DDoS) attacks.

What are the different types of a Trojan horse?

Trojans are versatile and very popular, so it’s difficult to characterize every kind. That said, most Trojans are designed to take control of a user’s computer, steal data, spy on users, or insert more malware on to a victim’s computer. Here are some common threats that come from Trojan attacks:

  • Backdoors, which create remote access to your system. This kind of malware changes your security to allow the hacker to control the device, steal your data, and even download more malware.
  • Spyware, which watches as you access online accounts or enter your credit card details. It then transmits your passwords and other identifying data back to the hacker.
  • Zombifying Trojans, which take control of your computer to make it a slave in a network under the hacker’s control. This is the first step in creating a botnet (robot + network), which is often used to perform a distributed denial-of-service (DDoS) attack designed to take down a network by flooding it with traffic.
  • Downloader Trojans, Emotet being a good example, which download and deploy other malicious modules, such as ransomware or keyloggers.
  • Dialer Trojans, which might seem anachronistic since we don’t use dial-up modems any longer. But more on this in the next section.

Trojanized apps on Android smartphones

Trojans aren’t just a problem for laptops and desktops. They attack mobile devices as well, which makes sense given the tempting target presented by the billions of phones in use.

As with computers, the Trojan presents itself as a legitimate program, although it’s actually a fake version of the app full of malware.

Such Trojans usually lurk on unofficial and pirate app markets, enticing users to download them. The Trojans run the full gamut of mischief, infecting the phone with ads and keyloggers, which can steal information. Dialer Trojans can even generate revenue by sending out premium SMS texts.

“Browser extension add-ons can act as Trojans as well….”

Android users have been the victims of Trojanized apps even from Google Play, which constantly scans for and purges weaponized apps (often only after the Trojan’s discovery). Browser extension add-ons can act as Trojans as well, since an add-on is a payload capable of carrying embedded malicious code.

While Google can remove malicious browser add-ons from computers, on phones a Trojan can place a transparent icon on the screen. It is invisible to the user but still reacts to a finger touch, launching its malware.

As for iPhone users, there’s good news: Apple’s restrictive policies regarding access to its App Store, iOS, and any other apps on the phone do a good job of preventing Trojan incursions. The only exception occurs for those who jailbreak their phones in their quest to download freebies from sites other than the App Store. Installing risky apps outside the Apple settings makes you vulnerable to Trojans.

How do I remove a Trojan virus?

Once a Trojan infects your device, the most universal way to clean it up and restore it to a desired state is to use a good quality, automated anti-malware tool and run a full system scan. If you’re worried about a Trojan infection, you can try our free Trojan scanner to check your device.

There are many free antivirus and anti-malware programs—including our own products for Windows, Android, and Mac—which detect and remove adware and malware. In fact, Malwarebytes detects all known Trojans and more, since 80% of Trojan detection is done by heuristic analysis. We even help mitigate additional infection by cutting off communication between the inserted malware and any backend server, which isolates the Trojan. Our free malware tool will scan and remove existing malware, and our premium product will proactively scan and protect against malware like Trojans, viruses, worms, and ransomware. You can start with a free trial of our premium products to test them out for yourself.

How do I prevent a Trojan virus?

Since Trojans rely on fooling users into letting them into the computer, most infections are avoidable by remaining vigilant and observing good security habits. Practice a healthy skepticism about websites offering free movies or gambling, opting instead to download free programs directly from the producer’s site rather than from unauthorized mirror servers.

Another precaution to consider: change the default Windows setting that hides known file extensions, so that the real extension of every application is always visible. This avoids being tricked by an innocent-looking icon.
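As an added illustration (not part of the Malwarebytes article), the following PowerShell applies that Explorer setting and then audits a folder for files whose name only works as a disguise while extensions are hidden. The `HideFileExt` registry value is the standard Explorer setting; the folder path and the extension lists are choices made for this example.

```powershell
# Added example, not from the Malwarebytes article: show real file extensions in
# Windows Explorer and audit a folder for names that depend on a hidden extension.
# Assumes Windows with PowerShell 5.1 or later. The registry path and HideFileExt
# value are the standard Explorer setting; the folder path and extension lists
# below are choices made for this example.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Weak (default) setting: HideFileExt = 1, so a file named "invoice.pdf.exe" is
# displayed as "invoice.pdf" with whatever icon the program carries.
# Corrected setting: HideFileExt = 0, so the full name is always displayed.
$before = Get-ItemPropertyValue -Path $advanced -Name 'HideFileExt' -ErrorAction SilentlyContinue
Set-ItemProperty -Path $advanced -Name 'HideFileExt' -Value 0 -Type DWord
$after = Get-ItemPropertyValue -Path $advanced -Name 'HideFileExt'
Write-Host "HideFileExt: $before -> $after"

# Explorer reads the setting when it starts, so restart it. It normally relaunches
# itself after being stopped; the check below starts it if it does not.
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
Start-Sleep -Seconds 2
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}

# Audit: list files whose real extension is an executable type while the part of
# the name before it looks like a document or media file. Such names are only
# convincing when Explorer hides the final extension.
function Find-MasqueradingFiles {
    param([Parameter(Mandatory)][string]$Path)

    $executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd',
                    '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta', '.lnk', '.msi')
    # BaseName is the file name without its last extension, e.g. "invoice.pdf"
    # for "invoice.pdf.exe", which is exactly what Explorer shows when hiding it.
    $decoy = '\.(pdf|docx?|xlsx?|pptx?|txt|rtf|jpe?g|png|gif|mp3|mp4|avi|zip)$'

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $executable -contains $_.Extension.ToLower() -and
            $_.BaseName -match $decoy
        } |
        ForEach-Object {
            [pscustomobject]@{
                File          = $_.FullName
                RealExtension = $_.Extension
                ShownAs       = $_.BaseName   # name Explorer displays with extensions hidden
                SizeBytes     = $_.Length
                Modified      = $_.LastWriteTime
            }
        }
}

# Folder to audit: a placeholder choice; Downloads is where such files usually land.
Find-MasqueradingFiles -Path (Join-Path $env:USERPROFILE 'Downloads') | Format-Table -AutoSize
```

The audit only reports candidates for a closer look; a listed file should be scanned rather than opened.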

Other good practices besides installing Malwarebytes for Windows, Malwarebytes for Android, and Malwarebytes for Mac include:

  • Running periodic diagnostic scans
  • Setting up automatic updates of your operating system software, ensuring you have the latest security updates
  • Keeping your applications updated, ensuring any security vulnerabilities are patched
  • Avoiding unsafe or suspicious websites
  • Being skeptical of unverified attachments and links in unfamiliar emails
  • Using complex passwords
  • Staying behind a firewall

How Malwarebytes Premium protects you

At Malwarebytes, we are serious about infection prevention, which is why we aggressively block both websites and advertisements that we consider fraudulent or suspicious. For example, we block torrent sites like The Pirate Bay. Though many savvy users have used such sites without issue, some of the files they offer for download are really Trojans. For similar reasons, we also block cryptomining through browsers, but the user can choose to turn off the block and connect.

Our reasoning is that it’s better to err on the side of safety. If you want to take the risk, it’s easy to whitelist a site, but even tech-savvy types can fall for a convincing Trojan.

To learn more about Trojans, malware, and other cyberthreats, check out the Malwarebytes Labs blog. The things you learn may just help you avoid an infection down the road.


Case studies – malware attacks

As our lives increasingly move online, cybersecurity is an important consideration for all businesses, including financial advice businesses. For many financial advisers understanding how to protect sensitive client information from cyber attacks is becoming an important part of sound practice management.

A cyber attack is essentially an attempt by hackers to damage or destroy a computer network or system. One of the ways they can do this is by installing malware (also known as malicious software) on your computer that allows unauthorised access to your files and can allow your activity to be watched without your knowledge. Cyber criminals can then steal personal information and login details for secure websites to commit fraudulent activities.

In this article we discuss steps financial advisers can take to protect themselves from cyber attacks and explore different scenarios that demonstrate what a cyber attack can look like and how it can be prevented.

How can financial advisers improve their cyber security?

  • Turn on auto-updates for your business operating system – such as Windows or Apple’s iOS – and be sure to keep computer security up to date with anti-virus and anti-spyware software, as well as a good firewall.
  • Back up important data – to an external hard drive, a USB drive or the cloud – to protect your business from lost data.
  • Enable multi-factor authentication – start using two or more proofs of identity, such as a PIN, passphrase, card or token, or fingerprint, before access is enabled.
  • Implement permissions on a ‘need to know’ basis – your employees don’t need to access everything. Be selective about which permissions are granted to which staff.
  • Conduct regular employee cyber training. Show staff how to ‘recognise, avoid, report, remove and recover’. Your employees can be your defence against cyber crime. Reward staff for their efforts.
  • Always be cautious of the following when receiving emails:
    - requests for money, especially urgent or overdue
    - bank account changes
    - attachments, especially from unknown or suspicious email addresses
    - requests to check or confirm login details


Protect yourself and your business

Cyber security assessment tool

The Department of Industry, Science, Energy and Resources has developed a tool to help you identify your business' cyber security strengths and areas where your business can improve. This tool will ask you a series of questions about how you manage your cyber security risks and based on your answers, you will receive a list of recommendations to action. You can download the recommendations as a PDF and access the tool here.

Scenario 1 – Advisory practices attacked by a trojan virus

In this scenario, a number of advisory practices were subject to a targeted malware attack via a Trojan virus. This virus helped the cyber criminals access several advisers’ PCs and obtain the login details for systems that had been used.

This attempted fraud took place while the practice was closed over the Christmas holidays.

"We locked up the office that afternoon just before Christmas and went home. We were all looking forward to a nice long break, it’d been a busy year. We wouldn’t be back in the office until the New Year."

Transactions were submitted to the platform over the Christmas period using several advisers’ user IDs.

Direct credit (EFT) bank account details were edited to credit the cyber criminals' ‘mule’ Australian bank account. From this account the cyber criminals would be free to transfer the funds overseas.

Luckily for the practice, the fraud was uncovered before any funds were paid out.

"Even though we were on holiday, we all continued to check our transaction updates via the platform each day. We called the platform right away and they were able to stop the fraudulent payments in time."

Preventing this type of fraud

  • Be diligent about checking platform transaction updates sent by email or displayed online. Specifically look out for withdrawal requests, new accounts opened, asset sell downs and changes to contact details.
  • When taking annual leave, nominate a colleague to check platform transaction updates on your behalf in your absence.
  • Call us immediately if you suspect fraud or malware on your system. We’ll suspend your login ID to attempt to prevent further fraudulent transactions.
  • Bring in a tech specialist immediately to run and update security software and restore your systems back to normal.

Scenario 2 – Adviser subject to a malware attack causing account lock

A Melbourne advisory practice was the target of a malware attack, having found malware on their system which locked their access to the platform. The malware allowed the cyber criminal to gain access to an adviser’s login details for all systems he had used recently.

The cyber criminals now had access to every website or account that required a login. This included personal banking, platform desktop software, Xplan software and Facebook.

The next time the adviser tried to log in to his platform desktop software, he was locked out.

He rang our account executive team to report that his access was locked. He couldn’t log in, even though he was using his correct user name and password.

The platform reset his password. The next day, when the adviser tried again to log in, he was locked out of the system again.

It became obvious that the adviser’s user ID had been compromised. At this point, the user ID was deleted.

If your platform access has been locked, or you suspect fraud or malware on your system, call us immediately as part of your reporting response so we can suspend your login ID to attempt to prevent further fraudulent transactions. Bring in a tech specialist immediately to run and update security software and restore your systems back to normal.

  • Be on the lookout for requests to check and confirm login details.
  • Increase the strength of your identifiers and ensure two or more proofs of identity are required before access to company systems is enabled.
  • Use virus protection software to prevent hackers from accessing your information and to help protect you if you click on a suspicious link or visit a fake website.
  • Schedule regular training for employees so that they can better detect malicious links or avoid downloading content from untrustworthy sources.

Scenario 3 – Opening an email attachment causes all PCs in the office to shut down

A staff member in an advisory practice opened a file attached to an email received one morning.

It turned out the attachment contained a ‘worm’ that infected not only the staff member’s PC, it also spread to all other PCs in the practice network.

This malware caused all PCs in the office to shut down.

The adviser needed to use the platform software that day to ensure his clients participated in a Corporate Action that was closing the following day.

With help from their Business Development Manager, the office worked through the issue so they were able to log into the platform software to complete this critical work from a home laptop that hadn’t been infected with the virus.

  • Never open attachments in emails if you don’t know or trust the source.
  • Ensure your office network is protected with up-to-date anti-virus software.
  • Call us immediately if you suspect fraud or malware on your system. We’ll suspend your login ID to attempt to prevent any further criminal activity.
  • Bring in a tech specialist immediately to run and update security software and restore your systems back to normal.
