IBM X-Force researchers following the development of the TrickBot Trojan noted that the malware is rapidly adding new targets and attack capabilities and has now officially advanced into Germany. The most recent additions to TrickBot’s configurations target 10 savings banks in the European country.

At this time, TrickBot is configured to use server-side webinjections against the targeted banks. Although TrickBot’s initial configurations featured only one bank in Germany, that has since changed. Now, with a total of 10 banks on its attack roster, it is clear that the malware’s operators have invested in adapting their spam and infection tools, as well as the webinjection attacks themselves, to German-speaking customers.
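The following is an added example, not code from the original post or from IBM, showing one defensive check a bank can run against the kind of webinjection described above: profile the features a webinject typically alters (form input names, form actions, external and inline scripts) and compare what the customer's browser actually rendered against a known-good baseline. Both HTML samples are constructed for the demonstration, and the field and script names in the "injected" version are hypothetical.

```python
from html.parser import HTMLParser

# Constructed sample: a simplified version of the bank's genuine login page.
BASELINE_HTML = """
<html><body>
<form id="login" action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <button type="submit">Log in</button>
</form>
<script src="/static/app.js"></script>
</body></html>
"""

# Constructed sample: the same page as a webinject might leave it in the
# victim's browser, with an extra field and an extra script (hypothetical names).
INJECTED_HTML = """
<html><body>
<form id="login" action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="tan_confirm" type="text">
  <button type="submit">Log in</button>
</form>
<script src="/static/app.js"></script>
<script src="https://inject.example/j.js"></script>
</body></html>
"""


class PageProfile(HTMLParser):
    """Collect the page features a webinject usually changes."""

    def __init__(self):
        super().__init__()
        self.inputs = set()         # names of <input> elements
        self.scripts = set()        # src attributes of external scripts
        self.form_actions = set()   # action attributes of <form> elements
        self.inline_scripts = 0     # count of <script> blocks without src

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            self.inputs.add(a.get("name", ""))
        elif tag == "script":
            if a.get("src"):
                self.scripts.add(a["src"])
            else:
                self.inline_scripts += 1
        elif tag == "form":
            self.form_actions.add(a.get("action", ""))


def profile(html):
    """Parse one page and return its PageProfile."""
    p = PageProfile()
    p.feed(html)
    return p


def diff_page(baseline_html, observed_html):
    """Report what the observed page contains that the baseline does not."""
    b, o = profile(baseline_html), profile(observed_html)
    return {
        "added_inputs": sorted(o.inputs - b.inputs),
        "added_scripts": sorted(o.scripts - b.scripts),
        "changed_form_actions": sorted(o.form_actions - b.form_actions),
        "extra_inline_scripts": max(0, o.inline_scripts - b.inline_scripts),
    }


def is_suspicious(report):
    """Any added field, script or form target is a webinject indicator."""
    return any(report.values())


if __name__ == "__main__":
    report = diff_page(BASELINE_HTML, INJECTED_HTML)
    print(report)
    print("suspicious:", is_suspicious(report))
```

Because the injection happens inside the infected browser after the genuine page has been delivered, the server never sees the altered HTML; the observed profile has to be collected on the client side (for example by a script the bank embeds in its own page) and reported back for comparison. Baselines also need to be kept per page version, or a legitimate redesign will look like an injection.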

The fact that TrickBot is only targeting savings banks raises the possibility that the criminals operating it have found a vulnerability common to those banks’ digital platforms or transaction authorization processes. The German bank targets are reminiscent of GozNym’s launch in Poland, during which the Trojan targeted numerous banks in the country, many of which were co-operative banks. GozNym itself has been targeting banks in Germany since August 2016.

Cybercrime in Germany

Germany, a founding member of the European Union (EU), is the largest national economy in Europe and the fourth largest economy in the world by nominal gross domestic product (GDP). According to a Center for Strategic and International Studies (CSIS) report, cybercrime costs the global economy about 0.8 percent of GDP. Germany suffers twice that rate — 1.6 percent. Since the country’s GDP was $3.84 trillion in 2015, the cost of cybercrime in the country may outpace its annual growth, which was 1.5 percent in 2015. This could potentially amount to $61.4 billion in losses.

In 2014, KPMG estimated that cybercrime losses in the country exceeded $58 billion in two years. Additionally, a Ponemon Institute study conducted in 2015 ranked Germany second on the list of countries where businesses see the highest losses from cybercriminal attacks. German companies lost an average of $7.5 million in each attack.

X-Force researchers indicated that members of German underground and Dark Web forums prolifically discuss banking and payment card fraud. The German underground is also replete with traders and peddlers of crimeware, accomplice searches, cybercrime services and fraud commodities sold by local criminals or Russian-speaking actors.


Escalating Malicious Activity as Holidays Approach

The month of November has been a busy one for TrickBot, with its operators actively building new configurations and fake websites to support redirection attacks on the malware’s targets. IBM X-Force researchers have observed this heightened activity across other financial malware families as well, with a flurry of campaigns launched by different gangs.

Aside from TrickBot, other financial malware families appear to be gearing up for the holiday season. The Gozi Trojan has been quite active since late October, and malware such as Dridex, Qadars and Ramnit have been attempting to infect new users. Researchers also detected other notable campaigns in November that delivered Kronos as a point-of-sale (POS) malware carrier.

Additionally, it looks like QakBot, an old threat, is making a comeback of sorts. QakBot is a banking Trojan of which X-Force researchers have been aware since 2009. It is a worm that can spread through network shares. As such, QakBot was one of the first banking Trojans to target business bank accounts, which is a notable trend nowadays.

Figure 1: Global financial malware campaigns in November 2016 (Source: IBM Security)

TrickBot: One to Watch in 2017

TrickBot only just emerged as financial malware in October 2016, but its development is rapid, its capabilities are advanced and it is likely linked to other cybercrime gangs. Although the information security media has already begun to cover it, TrickBot is likely just beginning, setting up to launch much larger campaigns.

IBM X-Force researchers see TrickBot as one of the threats to watch for in 2017. It may well advance its attack methods to match Dyre’s, especially when it comes to targeting businesses. IBM X-Force made TrickBot indicators of compromise (IOCs) available on X-Force Exchange. Just type “TrickBot” into the search bar to find all related collections on this malware.

Your team can add to the TrickBot collections by anonymously sharing additional IOCs on X-Force Exchange. This will ultimately help information security professionals fight cybercrime threats closer to real time, cutting malware’s lifelines.

Banks wishing to protect their customers from evolving threats and cybercrime modus operandi are invited to learn more about IBM Trusteer advanced fraud protection. Individuals looking to protect themselves from malware like TrickBot and other banking Trojans are invited to read our online safety tips.
