IBM X-Force researchers reported that new banking malware TrickBot is now fully operational and able to deploy two of the most advanced browser manipulation techniques: serverside injections and redirection attacks. While other Trojans like GozNym needed more time to prepare for such attack scenarios, TrickBot has been equipped with both capabilities from day one.

The TrickBot Trojan has been in development and testing for the past few months. At first not considered a banking Trojan per se, it became one when it implemented a webinjection mechanism in October 2016.

As of early November, X-Force researchers following the malware’s development noted that its operators launched attacks with two new configurations. This officially enabled redirection attacks against four banks in the U.K. An Australia-focused configuration is primarily concerned with serverside injections. Considering its aggressive start, however, X-Force Research expects to see TrickBot expand its target list and attack scope in the coming weeks.

TrickBot’s D-Day: Adding UK Banks to the Mix

During its initial testing infections, TrickBot primarily targeted banks in Australia, along with one Canadian bank and a regular expression (RegEx) URL for a digital banking platform common to regional banks in the U.S.

This scope changed almost overnight when TrickBot’s operators launched two new configurations in early November. The malware now targets the personal and business banking websites of financial institutes in the U.K., Australia, New Zealand, Canada and Germany.

Figure 1: TrickBot’s current bank targets per locale, per URL count (Source: IBM)

More than just adding URLs to the configuration, targeted banks in the U.K. were fitted with customized redirection attacks — the most advanced method to manipulate what victims see in their browsers. The redirections must have been prepared in advance or bought from another gang to push them through on time for the launch of the most recent infection campaigns.

According to our research, it appears that the gang has been running tests on TrickBot’s infection vectors too. Throughout the small-volume testing, TrickBot dabbled in malvertising leveraging the Rig exploit kit, malicious email attachments purporting to carry a fax message and, most recently, poisoned Office macros coming through the Godzilla loader. These may be TrickBot’s early stages of operation, but judging by these examples, it is evident that its operators are after business accounts. They have been sending malware-laden spam to companies, not just indiscriminate waves of email.

TrickBot’s infection methods are bound to change again at any given time, especially considering the malware’s operators are likely connected with other botnets and malware distributors. For example, researchers found that TrickBot has similarities with the Cutwail botnet’s malware and that it uses the same crypter as Vawtrak, Pushdo and Cutwail.

The Cutwail botnet was, coincidentally, also one of Dyre’s distribution methods during the time it was active. But is coincidence the right word here? According to X-Force Research, TrickBot was most likely either built by parts of the Dyre team or by someone who values this nefarious project and aims to build a similar beast.

What’s Next for TrickBot?

TrickBot has been in testing for about two to three months now, and yet its developers have already managed to implement two of the most advanced browser manipulation techniques observed in banking malware in the past few years. TrickBot is moving fast, and we expect to see it amplify infection campaigns and fraud attacks, sharpen its aim on business and corporate accounts, and paint itself into the banking malware picture in the coming months.

Indicators of compromise (IOCs) and information on TrickBot are shared and updated on X-Force Exchange. We invite you to use the collection and add your input.

Learn more about how to outsmart Fraudsters with Cognitive Fraud Detection

More from Malware

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security research draws another link between the Raspberry Robin infections and the Russia-based cybercriminal group 'Evil Corp,' which is the same…