IBM X-Force researchers reported that new banking malware TrickBot is now fully operational and able to deploy two of the most advanced browser manipulation techniques: serverside injections and redirection attacks. While other Trojans like GozNym needed more time to prepare for such attack scenarios, TrickBot has been equipped with both capabilities from day one.

The TrickBot Trojan has been in development and testing for the past few months. At first not considered a banking Trojan per se, it became one when it implemented a webinjection mechanism in October 2016.

As of early November, X-Force researchers following the malware’s development noted that its operators launched attacks with two new configurations. This officially enabled redirection attacks against four banks in the U.K. An Australia-focused configuration is primarily concerned with serverside injections. Considering its aggressive start, however, X-Force Research expects to see TrickBot expand its target list and attack scope in the coming weeks.

TrickBot’s D-Day: Adding UK Banks to the Mix

During its initial testing infections, TrickBot primarily targeted banks in Australia, along with one Canadian bank and a regular expression (RegEx) URL for a digital banking platform common to regional banks in the U.S.

This scope changed almost overnight when TrickBot’s operators launched two new configurations in early November. The malware now targets the personal and business banking websites of financial institutes in the U.K., Australia, New Zealand, Canada and Germany.

Figure 1: TrickBot’s current bank targets per locale, per URL count (Source: IBM)

More than just adding URLs to the configuration, targeted banks in the U.K. were fitted with customized redirection attacks — the most advanced method to manipulate what victims see in their browsers. The redirections must have been prepared in advance or bought from another gang to push them through on time for the launch of the most recent infection campaigns.

According to our research, it appears that the gang has been running tests on TrickBot’s infection vectors too. Throughout the small-volume testing, TrickBot dabbled in malvertising leveraging the Rig exploit kit, malicious email attachments purporting to carry a fax message and, most recently, poisoned Office macros coming through the Godzilla loader. These may be TrickBot’s early stages of operation, but judging by these examples, it is evident that its operators are after business accounts. They have been sending malware-laden spam to companies, not just indiscriminate waves of email.

TrickBot’s infection methods are bound to change again at any given time, especially considering the malware’s operators are likely connected with other botnets and malware distributors. For example, researchers found that TrickBot has similarities with the Cutwail botnet’s malware and that it uses the same crypter as Vawtrak, Pushdo and Cutwail.

The Cutwail botnet was, coincidentally, also one of Dyre’s distribution methods during the time it was active. But is coincidence the right word here? According to X-Force Research, TrickBot was most likely either built by parts of the Dyre team or by someone who values this nefarious project and aims to build a similar beast.

What’s Next for TrickBot?

TrickBot has been in testing for about two to three months now, and yet its developers have already managed to implement two of the most advanced browser manipulation techniques observed in banking malware in the past few years. TrickBot is moving fast, and we expect to see it amplify infection campaigns and fraud attacks, sharpen its aim on business and corporate accounts, and paint itself into the banking malware picture in the coming months.

Indicators of compromise (IOCs) and information on TrickBot are shared and updated on X-Force Exchange. We invite you to use the collection and add your input.

Learn more about how to outsmart Fraudsters with Cognitive Fraud Detection

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today