Don’t Blink! TrickBot Now Targets 10 German Savings Banks

IBM X-Force researchers following the development of the TrickBot Trojan noted that the malware is rapidly adding new targets and attack capabilities and has now officially advanced into Germany. The most recent additions to TrickBot’s configurations target 10 savings banks in the European country.

At this time, TrickBot is configured to use serverside webinjections on the targeted banks. Although TrickBot’s initial configurations featured only one bank in Germany, that has since changed. Now, with a total of 10 banks on its attack roster, it is clear that the malware’s operators invested in adapting spam and infection tools, as well as the webinjection attacks, to German-speaking customers.

The fact that TrickBot is only targeting savings banks raises the possibility that the criminals operating it have found a vulnerability common to those banks’ digital platforms or transaction authorization processes. The German bank targets are reminiscent of GozNym’s launch in Poland, during which the Trojan targeted numerous banks in the country, many of which were co-operative banks. GozNym itself has been targeting banks in Germany since August 2016.

Cybercrime in Germany

Germany, a founding member of the European Union (EU), is the largest national economy in Europe and the fourth largest economy by nominal gross domestic product (GDP) in the world. According to a Center for Strategic and International Studies (CSIS) report, cybercrime taxes the global economy with about 0.8 percent in relation to GDP. Germany suffers twice that rate — 1.6 percent. Since the country’s GDP was $3.84 trillion in 2015, cybercrime in the country may outpace its annual growth, which was 1.5 percent in 2015. This could potentially amount to $61.4 billion in losses.

In 2014, KPMG estimated that cybercrime losses in the country exceeded $58 billion in two years. Additionally, a Ponemon Institute study conducted in 2015 ranked Germany second on the list of countries where businesses see the highest losses from cybercriminal attacks. German companies lost an average of $7.5 million in each attack.

X-Force researchers indicated that members of German underground and Dark Web forums prolifically discuss banking and payment card fraud. The German underground is also replete with traders and peddlers of crimeware, accomplice searches, cybercrime services and fraud commodities sold by local criminals or Russian-speaking actors.

Read the white paper: How to outsmart Fraudsters with Cognitive Fraud Detection

Escalating Malicious Activity as Holidays Approach

The month of November has been a busy one for TrickBot, with its operators actively building new configurations and fake websites to support redirection attacks on the malware’s targets. IBM X-Force researchers have observed this heightened activity across other financial malware families as well, with a flurry of campaigns launched by different gangs.

Aside from TrickBot, other financial malware families appear to be gearing up for the holiday season. The Gozi Trojan has been quite active since late October, and malware such as Dridex, Qadars and Ramnit have been attempting to infect new users. Researchers also detected other notable campaigns in November that delivered Kronos as a point-of-sale (POS) malware carrier.

Additionally, it looks like QakBot, an old threat, is making a comeback of sorts. QakbBot is a banking Trojan of which X-Force researchers have been aware since 2009. It is a worm that can spread through networks shares. As such, QakBot was one of the first banking Trojans to target business bank accounts, which is a notable trend nowadays.

TrickBot in Germany Malware Campaigns

Figure 1: Global financial malware campaigns in November 2016 (Source: IBM Security)

TrickBot: One to Watch in 2017

TrickBot only just emerged as financial malware in October 2016, but its development is rapid, its capabilities are advanced and it is likely linked to other cybercrime gangs. Although the information security media has already begun to cover it, TrickBot is likely just beginning, setting up to launch much larger campaigns.

IBM X-Force researchers see TrickBot as one of the threats to watch for in 2017. It may well advance its attack methods to match Dyre’s, especially when it comes to targeting businesses. IBM X-Force made TrickBot indicators of compromise (IOCs) available on X-Force Exchange. Just type “TrickBot” into the search bar to find all related collections on this malware.

Related to this Article

Your team can add to the TrickBot collections by anonymously sharing additional IOCs on X-Force Exchange. This will ultimately help information security professionals fight cybercrime threats closer to real time, cutting malware’s lifelines.

Banks wishing to protect their customers from evolving threats and cybercrime modus operandi are invited to learn more about IBM Trusteer advanced fraud protection. Individuals looking to protect themselves from malware like TrickBot and other banking Trojans are invited to read our online safety tips.

Share this Article:
Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke in RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence  publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.