March 25, 2019
By Shane Schick 2 min read

Security researchers warned that the cybercriminals behind the two banking Trojans are now collaborating to perform man-in-the-middle (MitM) attacks.

On March 17, Crowdstrike discovered a BokBot proxy module called shadDll in conjunction with TrickBot. The code for the two banking Trojans is 81 percent similar, the researchers said, which means the proxy module can be seamlessly integrated into TrickBot’s extensible, modular framework. It’s possible the two threat groups have been collaborating on an ongoing basis, the researchers added.

Adding New Features Through Threat Group Collaboration

After infecting a machine by duping victims into installing malware via phishing messages, TrickBot can use the shadDll module to access networking functions and install illegitimate secure socket layer (SSL) certificates. At this point, it can do many of the things BokBot can do, including intercepting web traffic and redirecting it, taking screenshots to steal personal information, and injecting other malicious code.

The researchers have attributed the BokBot Trojan to a cybercriminal group called Lunar Spider, while TrickBot is believed to have been created by a group called Wizard Spider. TrickBot, which first emerged in late 2016, has proven highly versatile in attacking financial services firms, and Wizard Spider may include members of the group that developed the earlier Dyre malware, according to Crowdstrike.

How to Stay Ahead of TrickBot’s Tricks

The “IBM X-Force Threat Intelligence Index” for 2019 identified TrickBot as the most prevalent financial malware family of last year, representing 13 percent of all campaign activity. This was in part due to the ability of various threat actors to make use of the Trojan’s variants. For example, the report showed that IcedID distributed TrickBot within its own botnet in a 2018 campaign. However, experts noted that proper security controls, regular user education and planned incident response can help keep this threat at bay.

X-Force researchers also discovered that TrickBot has been used to steal cryptocurrency, and distribution of the BokBot module may make it even more popular. Organizations should employ advanced malware protection to receive alerts for high-risk devices and notifications when malware has been detected to ensure this cooperation among cybercriminals doesn’t lead to even deadlier attacks.

 |  |  |  |  |  |  |  |  |  | 
Shane Schick
Writer & Editor

More from

September 27, 2023

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…

September 26, 2023

The Growing Risks of Shadow IT and SaaS Sprawl

4 min read - In today's fast-paced digital landscape, there is no shortage of apps and Software-as-a-Service (SaaS) solutions tailored to meet the diverse needs of businesses across different industries. This incredible array of options has revolutionized how we work, providing cost-effective and user-friendly tools that streamline tasks and boost productivity. However, this ever-expanding application ecosystem comes with its challenges: namely, shadow IT and SaaS sprawl. According to a recent study by Entrust, 77% of IT professionals are concerned about shadow IT becoming a…

September 25, 2023

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…

September 21, 2023

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging. We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically. For this reason, 75% of organizations…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature