IBM X-Force researchers following the development of the TrickBot Trojan noted that the malware is rapidly adding new targets and attack capabilities and has now officially advanced into Germany. The most recent additions to TrickBot’s configurations target 10 savings banks in the European country.

At this time, TrickBot is configured to use server-side webinjections against the targeted banks. Although TrickBot’s initial configurations featured only one bank in Germany, that has since changed. Now, with a total of 10 banks on its attack roster, it is clear that the malware’s operators have invested in adapting their spam and infection tools, as well as the webinjection attacks, to German-speaking customers.
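Webinjections of the kind described above alter the bank page a victim sees, typically by adding form fields or scripts that the genuine page does not carry. One defensive check a bank or its monitoring team can run is to compare the form fields and script sources observed in a rendered page against a known-good baseline of that page. The example below is an added illustration and is not IBM X-Force's, Trusteer's or TrickBot's code; the two HTML pages are constructed for the example, and the field names, the script URL and the `find_injected` function are hypothetical.

```python
from html.parser import HTMLParser

# Constructed baseline: the login page as the bank actually serves it.
CLEAN_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="submit" type="submit">
</form>
<script src="/static/app.js"></script>
</body></html>
"""

# Constructed observation: the same page after an injection added a
# one-time-code field and a script loaded from a foreign host.
INJECTED_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="tan" type="text">
  <input name="submit" type="submit">
</form>
<script src="/static/app.js"></script>
<script src="https://example.invalid/inject.js"></script>
</body></html>
"""


class FormFieldCollector(HTMLParser):
    """Collects input field names and external script sources from a page."""

    def __init__(self):
        super().__init__()
        self.fields = set()
        self.scripts = set()

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag and attribute names.
        attr = dict(attrs)
        if tag == "input" and attr.get("name"):
            self.fields.add(attr["name"].lower())
        elif tag == "script" and attr.get("src"):
            self.scripts.add(attr["src"])


def collect(html):
    """Parse one page and return (fields, script_sources)."""
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields, parser.scripts


def find_injected(baseline_html, observed_html):
    """Return the fields and script sources present in the observed page
    but absent from the baseline; non-empty sets indicate tampering."""
    base_fields, base_scripts = collect(baseline_html)
    seen_fields, seen_scripts = collect(observed_html)
    return {
        "extra_fields": seen_fields - base_fields,
        "extra_scripts": seen_scripts - base_scripts,
    }


if __name__ == "__main__":
    report = find_injected(CLEAN_PAGE, INJECTED_PAGE)
    for kind, items in report.items():
        status = "ALERT" if items else "ok"
        print(f"{status}: {kind} = {sorted(items)}")
```

A baseline comparison like this catches injections that add elements, but not ones that only rewrite text or rewire event handlers; in practice it is one signal alongside script-integrity controls and server-side transaction anomaly checks.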

The fact that TrickBot is only targeting savings banks raises the possibility that the criminals operating it have found a vulnerability common to those banks’ digital platforms or transaction authorization processes. The German bank targets are reminiscent of GozNym’s launch in Poland, during which the Trojan targeted numerous banks in the country, many of which were co-operative banks. GozNym itself has been targeting banks in Germany since August 2016.

Cybercrime in Germany

Germany, a founding member of the European Union (EU), is the largest national economy in Europe and the fourth largest economy in the world by nominal gross domestic product (GDP). According to a Center for Strategic and International Studies (CSIS) report, cybercrime costs the global economy about 0.8 percent of GDP. Germany suffers twice that rate: 1.6 percent. Since the country’s GDP was $3.84 trillion in 2015, cybercrime losses in the country may outpace its annual growth, which was 1.5 percent in 2015. This could potentially amount to $61.4 billion in losses.

In 2014, KPMG estimated that cybercrime losses in the country exceeded $58 billion in two years. Additionally, a Ponemon Institute study conducted in 2015 ranked Germany second on the list of countries where businesses see the highest losses from cybercriminal attacks. German companies lost an average of $7.5 million in each attack.

X-Force researchers indicated that members of German underground and Dark Web forums prolifically discuss banking and payment card fraud. The German underground is also replete with traders and peddlers of crimeware, accomplice searches, cybercrime services and fraud commodities sold by local criminals or Russian-speaking actors.


Escalating Malicious Activity as Holidays Approach

The month of November has been a busy one for TrickBot, with its operators actively building new configurations and fake websites to support redirection attacks on the malware’s targets. IBM X-Force researchers have observed this heightened activity across other financial malware families as well, with a flurry of campaigns launched by different gangs.

Aside from TrickBot, other financial malware families appear to be gearing up for the holiday season. The Gozi Trojan has been quite active since late October, and malware such as Dridex, Qadars and Ramnit have been attempting to infect new users. Researchers also detected other notable campaigns in November that delivered Kronos as a point-of-sale (POS) malware carrier.

Additionally, it looks like QakBot, an old threat, is making a comeback of sorts. QakBot is a banking Trojan of which X-Force researchers have been aware since 2009. It is a worm that can spread through network shares. As such, QakBot was one of the first banking Trojans to target business bank accounts, which is a notable trend nowadays.

Figure 1: Global financial malware campaigns in November 2016 (Source: IBM Security)

TrickBot: One to Watch in 2017

TrickBot only just emerged as financial malware in October 2016, but its development is rapid, its capabilities are advanced and it is likely linked to other cybercrime gangs. Although the information security media has already begun to cover it, TrickBot is likely just beginning, setting up to launch much larger campaigns.

IBM X-Force researchers see TrickBot as one of the threats to watch for in 2017. It may well advance its attack methods to match Dyre’s, especially when it comes to targeting businesses. IBM X-Force made TrickBot indicators of compromise (IOCs) available on X-Force Exchange. Just type “TrickBot” into the search bar to find all related collections on this malware.

Your team can add to the TrickBot collections by anonymously sharing additional IOCs on X-Force Exchange. This will ultimately help information security professionals fight cybercrime threats closer to real time, cutting malware’s lifelines.

Banks wishing to protect their customers from evolving threats and cybercrime modus operandi are invited to learn more about IBM Trusteer advanced fraud protection. Individuals looking to protect themselves from malware like TrickBot and other banking Trojans are invited to read our online safety tips.
