The TrickBot Trojan emerged in October 2016 as new banking malware, boasting a code that appears to have more than one feature in common with the Dyre Trojan. From its very early days, TrickBot already possessed the capability to launch redirection attacks, and judging by its rapid development, IBM X-Force researchers believe it is poised to become a rising cybercrime threat in 2017.

X-Force researchers following TrickBot’s evolution noted that the malware’s new configurations have recently expanded to include new targets in countries where TrickBot is already operating, such as Australia, the U.K., New Zealand and Germany. But beyond the existing geographies, TrickBot now deploys redirection attacks in Singapore, India and Malaysia.

Figure 1: TrickBot’s current targets by location. (Source: IBM)

Old Tricks, New Country

TrickBot is not the first malware to head for Singapore right after it hits English-speaking geographies. The small yet prosperous country has been seeing increasing interest from cybercrime gangs — especially Dridex, but also Dyre, Neverquest and Tinba, to name a few, per IBM X-Force.

Although it is primarily a Chinese-speaking country, the thriving growth of international business in Singapore is driving most organizations to also communicate in English. And since most malware campaigns are launched in English, cybercrime gangs don’t have to invest much into adapting their spam and tools in Singapore.

Furthermore, the perpetual rise of multinational corporations conducting business in Singapore makes the region even riper for financial cyberattacks due to a constant rise in the type of high-value accounts. According to X-Force researchers, TrickBot focuses its attacks on business accounts, corporate and commercial banking, and wealth management across all targeted banks.

Figure 2: TrickBot’s current targets per service type. (Source: IBM)

TrickBot’s recent configurations also target commercial banks in India and Malaysia, which may mean that the gang is looking to create cash-out options in those countries, judging by its growing focus on the Asia-Pacific region.

Read the white paper: How to outsmart Fraudsters with Cognitive Fraud Detection

Redirection Attacks Dominate

TrickBot’s operators are apparently working hard to create new redirection attacks for the malware. In the most recent configuration, the ratio of redirection attack in the configuration was adapted to 58 percent of the URLs targeted by the malware. In comparison, the previous configuration only featured redirections for 35 percent of the target URLs.

Figure 3: TrickBot’s current attack M.O. per configuration file. (Source: IBM)

If we compare TrickBot to other Trojans that deploy redirection attacks, we’ll see that Dridex has been gradually reducing the number of these attacks or removing them completely. The same applies to the GozNym Trojan, which reduced its redirection attack ratio to 12 percent and lower in some geographies, per X-Force analysis.

The redirection technique became popular with banking Trojans in 2014, when the Dyre gang started using it to target banks, primarily in the U.K., U.S., Australia and Spain. Although Dyre activity died down in November 2015, the method itself continues to be a success factor for fraud attacks. For example, less than two months after Dyre disappeared, IBM Trusteer reported the Dridex Trojan had launched redirection attacks in the U.K. Next, GozNym launched its own version of the redirection scheme in April 2016. Most recently, TrickBot launched redirection attacks in November 2016 against a list of banks in the U.K.

Redirection attacks can be very effective in tricking bank customers and facilitating online banking fraud. They are considered an advanced modus operandi because they are designed to bypass bank security measures by hijacking the victim to a malicious website before the victim ever reaches the bank’s site. Note that the bank’s website is not being compromised. Rather, clever attackers are creating convincing replicas of bank websites. They even include the bank’s URL and secure sockets layer (SSL) certificate, making it very hard for victims to visually detect any difference. The fraudulent sites are hosted on other servers where attackers can capture credentials and two-factor authentication data to take over the victim’s account.

This attack is most often identified with the resources and capabilities of organized cybergangs that have in-house developers, such as the Dridex crew, because of the extra setup, preparation and maintenance of unique site replicas for each target.

Mitigating TrickBot Attacks

Banks wishing to protect their customers from evolving threats and cybercrime are invited to learn more about IBM Trusteer advanced fraud protection. Additionally, read our malware mitigation article for tips on protecting against malware like TrickBot and other banking Trojans and for staying safer on PC/mobile devices.

IBM X-Force shares TrickBot indicators of compromise (IoCs) on X-Force Exchange. Just type “TrickBot” into the search bar to find all related collections on this malware. Your team can add to TrickBot collections by anonymously sharing additional IoCs on X-Force Exchange, ultimately helping information security professionals fight cybercrime threats in real time, cutting malware’s lifelines.

Learn how to outsmart Fraudsters with Cognitive Fraud Detection

More from Banking & Finance

How the ZeuS Trojan Info Stealer Changed Cybersecurity

4 min read - Information stealer malware is a type of malicious software designed to collect sensitive information from a victim’s computer. Also known as info stealers, data stealers or data-stealing malware, this software is true to its name: after infecting a computer or device, it’s highly adept at exfiltrating login credentials, financial information and personal data. Info stealers typically operate by monitoring keyboard input, capturing screenshots and intercepting network traffic. They may also search a hard drive for specific types of data. The…

4 min read

2022 Industry Threat Recap: Finance and Insurance

5 min read - The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022. What…

5 min read

How to Spot a Nefarious Cryptocurrency Platform

4 min read - Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

4 min read

Kronos Malware Reemerges with Increased Functionality

6 min read - The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

6 min read