IBM X-Force researchers reported that new banking malware TrickBot is now fully operational and able to deploy two of the most advanced browser manipulation techniques: serverside injections and redirection attacks. While other Trojans like GozNym needed more time to prepare for such attack scenarios, TrickBot has been equipped with both capabilities from day one.
The TrickBot Trojan has been in development and testing for the past few months. At first not considered a banking Trojan per se, it became one when it implemented a webinjection mechanism in October 2016.
As of early November, X-Force researchers following the malware’s development noted that its operators launched attacks with two new configurations. This officially enabled redirection attacks against four banks in the U.K. An Australia-focused configuration is primarily concerned with serverside injections. Considering its aggressive start, however, X-Force Research expects to see TrickBot expand its target list and attack scope in the coming weeks.
TrickBot’s D-Day: Adding UK Banks to the Mix
During its initial testing infections, TrickBot primarily targeted banks in Australia, along with one Canadian bank and a regular expression (RegEx) URL for a digital banking platform common to regional banks in the U.S.
This scope changed almost overnight when TrickBot’s operators launched two new configurations in early November. The malware now targets the personal and business banking websites of financial institutes in the U.K., Australia, New Zealand, Canada and Germany.
Figure 1: TrickBot’s current bank targets per locale, per URL count (Source: IBM)
More than just adding URLs to the configuration, targeted banks in the U.K. were fitted with customized redirection attacks — the most advanced method to manipulate what victims see in their browsers. The redirections must have been prepared in advance or bought from another gang to push them through on time for the launch of the most recent infection campaigns.
According to our research, it appears that the gang has been running tests on TrickBot’s infection vectors too. Throughout the small-volume testing, TrickBot dabbled in malvertising leveraging the Rig exploit kit, malicious email attachments purporting to carry a fax message and, most recently, poisoned Office macros coming through the Godzilla loader. These may be TrickBot’s early stages of operation, but judging by these examples, it is evident that its operators are after business accounts. They have been sending malware-laden spam to companies, not just indiscriminate waves of email.
TrickBot’s infection methods are bound to change again at any given time, especially considering the malware’s operators are likely connected with other botnets and malware distributors. For example, researchers found that TrickBot has similarities with the Cutwail botnet’s malware and that it uses the same crypter as Vawtrak, Pushdo and Cutwail.
The Cutwail botnet was, coincidentally, also one of Dyre’s distribution methods during the time it was active. But is coincidence the right word here? According to X-Force Research, TrickBot was most likely either built by parts of the Dyre team or by someone who values this nefarious project and aims to build a similar beast.
What’s Next for TrickBot?
TrickBot has been in testing for about two to three months now, and yet its developers have already managed to implement two of the most advanced browser manipulation techniques observed in banking malware in the past few years. TrickBot is moving fast, and we expect to see it amplify infection campaigns and fraud attacks, sharpen its aim on business and corporate accounts, and paint itself into the banking malware picture in the coming months.
Indicators of compromise (IOCs) and information on TrickBot are shared and updated on X-Force Exchange. We invite you to use the collection and add your input.