The TrickBot Trojan emerged in October 2016 as new banking malware whose code shares more than one feature with the Dyre Trojan. From its very early days, TrickBot has been capable of launching redirection attacks, and judging by its rapid development, IBM X-Force researchers believe it is poised to become a rising cybercrime threat in 2017.

X-Force researchers following TrickBot’s evolution noted that the malware’s new configurations have recently expanded to include new targets in countries where TrickBot is already operating, such as Australia, the U.K., New Zealand and Germany. But beyond the existing geographies, TrickBot now deploys redirection attacks in Singapore, India and Malaysia.

Figure 1: TrickBot’s current targets by location. (Source: IBM)

Old Tricks, New Country

TrickBot is not the first malware to head for Singapore right after it hits English-speaking geographies. The small yet prosperous country has been seeing increasing interest from cybercrime gangs — especially Dridex, but also Dyre, Neverquest and Tinba, to name a few, per IBM X-Force.

Although it is primarily a Chinese-speaking country, the thriving growth of international business in Singapore is driving most organizations to also communicate in English. And since most malware campaigns are launched in English, cybercrime gangs don’t have to invest much into adapting their spam and tools in Singapore.

Furthermore, the perpetual rise of multinational corporations conducting business in Singapore makes the region even riper for financial cyberattacks due to a constant rise in the type of high-value accounts. According to X-Force researchers, TrickBot focuses its attacks on business accounts, corporate and commercial banking, and wealth management across all targeted banks.

Figure 2: TrickBot’s current targets per service type. (Source: IBM)

TrickBot’s recent configurations also target commercial banks in India and Malaysia, which may mean that the gang is looking to create cash-out options in those countries, judging by its growing focus on the Asia-Pacific region.


Redirection Attacks Dominate

TrickBot’s operators are apparently working hard to build new redirection attacks into the malware. In the most recent configuration, redirection attacks account for 58 percent of the URLs the malware targets. In comparison, the previous configuration featured redirections for only 35 percent of the target URLs.

Figure 3: TrickBot’s current attack M.O. per configuration file. (Source: IBM)

If we compare TrickBot to other Trojans that deploy redirection attacks, we’ll see that Dridex has been gradually reducing the number of these attacks or removing them completely. The same applies to the GozNym Trojan, which reduced its redirection attack ratio to 12 percent and lower in some geographies, per X-Force analysis.

The redirection technique became popular with banking Trojans in 2014, when the Dyre gang started using it to target banks, primarily in the U.K., U.S., Australia and Spain. Although Dyre activity died down in November 2015, the method itself continues to be a success factor for fraud attacks. For example, less than two months after Dyre disappeared, IBM Trusteer reported the Dridex Trojan had launched redirection attacks in the U.K. Next, GozNym launched its own version of the redirection scheme in April 2016. Most recently, TrickBot launched redirection attacks in November 2016 against a list of banks in the U.K.

Redirection attacks can be very effective in tricking bank customers and facilitating online banking fraud. They are considered an advanced modus operandi because they are designed to bypass bank security measures by hijacking the victim to a malicious website before the victim ever reaches the bank’s site. Note that the bank’s website is not being compromised. Rather, clever attackers are creating convincing replicas of bank websites. They even include the bank’s URL and secure sockets layer (SSL) certificate, making it very hard for victims to visually detect any difference. The fraudulent sites are hosted on other servers where attackers can capture credentials and two-factor authentication data to take over the victim’s account.
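To show the mechanism above from the detection side, here is an added example (not from the original post or from IBM) that sweeps egress log lines and flags sessions where a monitored bank hostname was reached at an address outside the bank's expected netblocks, which is what a replica "hosted on other servers" looks like from the network. The hostnames, netblocks and log lines are all constructed values.

```python
import ipaddress
from collections import namedtuple

# Expected netblocks for the monitored banking hostnames. All values below are
# constructed for this example and are not real bank infrastructure.
EXPECTED_NETBLOCKS = {
    "online.examplebank.sg": ["203.0.113.0/24"],
    "ib.examplebank.co.uk": ["198.51.100.0/25", "2001:db8:1::/48"],
}

# Constructed egress log lines: timestamp, client IP, TLS SNI hostname, destination IP.
SAMPLE_LOG = """\
2016-12-01T09:10:01Z 10.0.0.5 online.examplebank.sg 203.0.113.17
2016-12-01T09:12:44Z 10.0.0.9 ib.examplebank.co.uk 192.0.2.45
2016-12-01T09:13:02Z 10.0.0.9 ib.examplebank.co.uk 2001:db8:1::a
2016-12-01T09:15:30Z 10.0.0.7 www.unrelated.example 192.0.2.99
malformed line that should be skipped
"""

Finding = namedtuple("Finding", "timestamp client host dst_ip")


def is_expected(host, dst_ip):
    """True if dst_ip falls inside one of the netblocks expected for host."""
    addr = ipaddress.ip_address(dst_ip)
    # Mixed IPv4/IPv6 comparisons evaluate to False, so a v4 destination never
    # matches a v6 block by accident.
    return any(addr in ipaddress.ip_network(block) for block in EXPECTED_NETBLOCKS[host])


def find_redirections(log_text):
    """Return a Finding for every monitored bank hostname that was reached at an
    IP outside its expected netblocks (the signature of a redirected session)."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records rather than abort the sweep
        timestamp, client, host, dst_ip = fields
        host = host.lower()
        if host not in EXPECTED_NETBLOCKS:
            continue  # not a monitored banking hostname
        try:
            if not is_expected(host, dst_ip):
                findings.append(Finding(timestamp, client, host, dst_ip))
        except ValueError:
            findings.append(Finding(timestamp, client, host, dst_ip))  # unparsable IP is suspicious
    return findings
```

In a real deployment the netblock table would come from the bank's published ranges or a passive DNS baseline rather than a hard-coded dictionary.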

This attack is most often identified with the resources and capabilities of organized cybergangs that have in-house developers, such as the Dridex crew, because of the extra setup, preparation and maintenance of unique site replicas for each target.

Mitigating TrickBot Attacks

Banks wishing to protect their customers from evolving threats and cybercrime are invited to learn more about IBM Trusteer advanced fraud protection. Additionally, read our malware mitigation article for tips on protecting against malware like TrickBot and other banking Trojans and for staying safer on PC/mobile devices.

IBM X-Force shares TrickBot indicators of compromise (IoCs) on X-Force Exchange. Just type “TrickBot” into the search bar to find all related collections on this malware. Your team can add to TrickBot collections by anonymously sharing additional IoCs on X-Force Exchange, ultimately helping information security professionals fight cybercrime threats in real time, cutting malware’s lifelines.
