IBM X-Force researchers following the development of the TrickBot Trojan noted that the malware is rapidly adding new targets and attack capabilities and has now officially advanced into Germany. The most recent additions to TrickBot’s configurations target 10 savings banks in the European country.

At this time, TrickBot is configured to use server-side webinjections on the targeted banks. Although TrickBot’s initial configurations featured only one bank in Germany, that has since changed. Now, with a total of 10 banks on its attack roster, it is clear that the malware’s operators invested in adapting spam and infection tools, as well as the webinjection attacks, to German-speaking customers.

The fact that TrickBot is only targeting savings banks raises the possibility that the criminals operating it have found a vulnerability common to those banks’ digital platforms or transaction authorization processes. The German bank targets are reminiscent of GozNym’s launch in Poland, during which the Trojan targeted numerous banks in the country, many of which were co-operative banks. GozNym itself has been targeting banks in Germany since August 2016.

Cybercrime in Germany

Germany, a founding member of the European Union (EU), is the largest national economy in Europe and the fourth largest economy by nominal gross domestic product (GDP) in the world. According to a Center for Strategic and International Studies (CSIS) report, cybercrime costs the global economy about 0.8 percent of GDP. Germany suffers twice that rate: 1.6 percent. Since the country’s GDP was $3.84 trillion in 2015, this could potentially amount to $61.4 billion in losses, and cybercrime in the country may outpace its annual growth, which was 1.5 percent in 2015.

In 2014, KPMG estimated that cybercrime losses in the country exceeded $58 billion in two years. Additionally, a Ponemon Institute study conducted in 2015 ranked Germany second on the list of countries where businesses see the highest losses from cybercriminal attacks. German companies lost an average of $7.5 million in each attack.

X-Force researchers indicated that members of German underground and Dark Web forums prolifically discuss banking and payment card fraud. The German underground is also replete with traders and peddlers of crimeware, accomplice searches, cybercrime services and fraud commodities sold by local criminals or Russian-speaking actors.


Escalating Malicious Activity as Holidays Approach

The month of November has been a busy one for TrickBot, with its operators actively building new configurations and fake websites to support redirection attacks on the malware’s targets. IBM X-Force researchers have observed this heightened activity across other financial malware families as well, with a flurry of campaigns launched by different gangs.

Aside from TrickBot, other financial malware families appear to be gearing up for the holiday season. The Gozi Trojan has been quite active since late October, and malware such as Dridex, Qadars and Ramnit have been attempting to infect new users. Researchers also detected other notable campaigns in November that delivered Kronos as a point-of-sale (POS) malware carrier.

Additionally, it looks like QakBot, an old threat, is making a comeback of sorts. QakBot is a banking Trojan of which X-Force researchers have been aware since 2009. It is a worm that can spread through network shares. As such, QakBot was one of the first banking Trojans to target business bank accounts, which is a notable trend nowadays.

Figure 1: Global financial malware campaigns in November 2016 (Source: IBM Security)

TrickBot: One to Watch in 2017

TrickBot only just emerged as financial malware in October 2016, but its development is rapid, its capabilities are advanced and it is likely linked to other cybercrime gangs. Although the information security media has already begun to cover it, TrickBot is likely just beginning, setting up to launch much larger campaigns.

IBM X-Force researchers see TrickBot as one of the threats to watch for in 2017. It may well advance its attack methods to match Dyre’s, especially when it comes to targeting businesses. IBM X-Force made TrickBot indicators of compromise (IOCs) available on X-Force Exchange. Just type “TrickBot” into the search bar to find all related collections on this malware.

Your team can add to the TrickBot collections by anonymously sharing additional IOCs on X-Force Exchange. This will ultimately help information security professionals fight cybercrime threats closer to real time, cutting malware’s lifelines.

Banks wishing to protect their customers from evolving threats and cybercrime modus operandi are invited to learn more about IBM Trusteer advanced fraud protection. Individuals looking to protect themselves from malware like TrickBot and other banking Trojans are invited to read our online safety tips.
