IBM X-Force researchers reported that new banking malware TrickBot is now fully operational and able to deploy two of the most advanced browser manipulation techniques: serverside injections and redirection attacks. While other Trojans like GozNym needed more time to prepare for such attack scenarios, TrickBot has been equipped with both capabilities from day one.

The TrickBot Trojan has been in development and testing for the past few months. At first not considered a banking Trojan per se, it became one when it implemented a webinjection mechanism in October 2016.

As of early November, X-Force researchers following the malware’s development noted that its operators launched attacks with two new configurations. This officially enabled redirection attacks against four banks in the U.K. An Australia-focused configuration is primarily concerned with serverside injections. Considering its aggressive start, however, X-Force Research expects to see TrickBot expand its target list and attack scope in the coming weeks.

TrickBot’s D-Day: Adding UK Banks to the Mix

During its initial testing infections, TrickBot primarily targeted banks in Australia, along with one Canadian bank and a regular expression (RegEx) URL for a digital banking platform common to regional banks in the U.S.

This scope changed almost overnight when TrickBot’s operators launched two new configurations in early November. The malware now targets the personal and business banking websites of financial institutes in the U.K., Australia, New Zealand, Canada and Germany.

Figure 1: TrickBot’s current bank targets per locale, per URL count (Source: IBM)

More than just adding URLs to the configuration, targeted banks in the U.K. were fitted with customized redirection attacks — the most advanced method to manipulate what victims see in their browsers. The redirections must have been prepared in advance or bought from another gang to push them through on time for the launch of the most recent infection campaigns.

According to our research, it appears that the gang has been running tests on TrickBot’s infection vectors too. Throughout the small-volume testing, TrickBot dabbled in malvertising leveraging the Rig exploit kit, malicious email attachments purporting to carry a fax message and, most recently, poisoned Office macros coming through the Godzilla loader. These may be TrickBot’s early stages of operation, but judging by these examples, it is evident that its operators are after business accounts. They have been sending malware-laden spam to companies, not just indiscriminate waves of email.

TrickBot’s infection methods are bound to change again at any given time, especially considering the malware’s operators are likely connected with other botnets and malware distributors. For example, researchers found that TrickBot has similarities with the Cutwail botnet’s malware and that it uses the same crypter as Vawtrak, Pushdo and Cutwail.

The Cutwail botnet was, coincidentally, also one of Dyre’s distribution methods during the time it was active. But is coincidence the right word here? According to X-Force Research, TrickBot was most likely either built by parts of the Dyre team or by someone who values this nefarious project and aims to build a similar beast.

What’s Next for TrickBot?

TrickBot has been in testing for about two to three months now, and yet its developers have already managed to implement two of the most advanced browser manipulation techniques observed in banking malware in the past few years. TrickBot is moving fast, and we expect to see it amplify infection campaigns and fraud attacks, sharpen its aim on business and corporate accounts, and paint itself into the banking malware picture in the coming months.

Indicators of compromise (IOCs) and information on TrickBot are shared and updated on X-Force Exchange. We invite you to use the collection and add your input.

Learn more about how to outsmart Fraudsters with Cognitive Fraud Detection

More from Malware

ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

7 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Ex-Conti and FIN7 Actors Collaborate with New Backdoor

15 min read -   April 27, 2023 Update This article is being republished with modifications from the original that was published on April 14, 2023, to change the name of the family of malware from Domino to Minodo. This is being done to avoid any possible confusion with the HCL Domino brand. The family of malware that is described in this article is unrelated to, does not impact, nor uses HCL Domino or any of its components in any way. The malware is…

15 min read