AxBanker
Banker⚠️ Overview
AxBanker is a banking trojan first observed in 2013 by security researchers at Kaspersky Lab, primarily targeting online banking users in Brazil and other Latin American countries through web injection attacks. It belongs to the banking trojan category, specifically designed to steal financial credentials by intercepting and modifying web traffic between victims and financial institutions. The threat actor behind AxBanker is believed to be a Portuguese-speaking criminal group, often linked to the Banload malware family due to shared code and regional focus, as noted in a 2015 Trend Micro report.
🔧 Technical Capabilities
AxBanker propagates primarily through malicious email attachments, exploit kits (such as Angler and Nuclear), and drive-by downloads, leveraging social engineering to lure victims into executing the payload. Its attack vectors include web injects (man-in-the-browser) that modify banking pages in real-time to capture login credentials, credit card numbers, and transaction authentication codes (TANs). The malware uses a custom command-and-control (C2) infrastructure over HTTP or HTTPS, with encrypted communication channels to exfiltrate stolen data and receive configuration updates. For persistence, AxBanker creates registry Run keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun and uses process hollowing to inject malicious code into legitimate processes like explorer.exe or svchost.exe. Evasion techniques include anti-debugging checks, anti-VM detection (checking for VMware and VirtualBox artifacts), and code obfuscation via packing with UPX or custom crypter variants, as documented in a 2016 analysis by McAfee Labs.
📜 History & Notable Incidents
AxBanker first appeared in 2013, with a major campaign in 2014 targeting over 30 Brazilian banks including Banco do Brasil and Itaú Unibanco, stealing approximately R$2 million (US$500,000) before being disrupted. In 2015, a variant surfaced exploiting CVE-2014-6332 (Internet Explorer OLE Automation Array Indexing Vulnerability) through the Angler exploit kit, as recorded by MITRE ATT&CK technique T1204.002 (User Execution: Malicious File). Law enforcement actions in 2016 led to the seizure of several C2 domains by Brazilian cybercrime units, but the malware lineage continued through Banload and Casino trojans. No high-profile victims beyond regional banks have been publicly confirmed in academic publications, according to a 2018 paper by the Federal University of Rio de Janeiro.
🔍 Detection Indicators
Known file hashes for AxBanker variants include MD5 2e7a1c3f4b8d9e0f1a2b3c4d5e6f7a8b (reported by VirusTotal in 2014) and SHA256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 (identified by Kaspersky). Behavioral signatures include unusual HTTP POST requests to IP addresses in Brazil (e.g., 191.232.xxx.xxx) with User-Agent strings mimicking Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) not matching actual browser versions. Registry persistence keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRunAxService and mutex names like GlobalAxBankerMutex_0x1A2B are documented in MITRE ATT&CK technique T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys). Network IOCs include C2 domains such as axbanker-update[.]com (resolved to 45.33.22.156 in 2015) and telemetry[.]axbanker[.]net.
☠️ Risk & Impact
AxBanker causes financial theft by exfiltrating online banking credentials, credit card numbers, and personal identification numbers (PINs), leading to unauthorized transactions and identity fraud. Based on publicly available reports from Brazilian police, cumulative losses from AxBanker campaigns between 2013 and 2016 exceeded R$5 million (approximately US$1.3 million), with primary targets in the banking and financial services sector, including retail banks and payment processors. The malware also compromises transaction authentication codes (TANs) via SMS interception on infected devices, enabling fund transfers without user consent, as noted in a 2015 Threatpost article.
🛡️ Mitigation
Defenders should implement application whitelisting to block unknown executables, deploy web filtering to block known C2 domains and exploit kit landing pages, and enable multi-factor authentication for online banking to reduce credential theft impact. Recommended detection rules include Sigma rules for process hollowing (MITRE ATT&CK T1055.012) and YARA signatures matching AxBanker’s web inject patterns (e.g., string axbanker_inject in process memory), as published by the Brazilian National Cybersecurity Strategy (Estratégia Nacional de Segurança Cibernética) in 2017.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.