The TrickBot Trojan emerged in October 2016 as new banking malware, boasting a code that appears to have more than one feature in common with the Dyre Trojan. From its very early days, TrickBot already possessed the capability to launch redirection attacks, and judging by its rapid development, IBM X-Force researchers believe it is poised to become a rising cybercrime threat in 2017.

X-Force researchers following TrickBot’s evolution noted that the malware’s new configurations have recently expanded to include new targets in countries where TrickBot is already operating, such as Australia, the U.K., New Zealand and Germany. But beyond the existing geographies, TrickBot now deploys redirection attacks in Singapore, India and Malaysia.

Figure 1: TrickBot’s current targets by location. (Source: IBM)

Old Tricks, New Country

TrickBot is not the first malware to head for Singapore right after it hits English-speaking geographies. The small yet prosperous country has been seeing increasing interest from cybercrime gangs — especially Dridex, but also Dyre, Neverquest and Tinba, to name a few, per IBM X-Force.

Although it is primarily a Chinese-speaking country, the thriving growth of international business in Singapore is driving most organizations to also communicate in English. And since most malware campaigns are launched in English, cybercrime gangs don’t have to invest much into adapting their spam and tools in Singapore.

Furthermore, the perpetual rise of multinational corporations conducting business in Singapore makes the region even riper for financial cyberattacks due to a constant rise in the type of high-value accounts. According to X-Force researchers, TrickBot focuses its attacks on business accounts, corporate and commercial banking, and wealth management across all targeted banks.

Figure 2: TrickBot’s current targets per service type. (Source: IBM)

TrickBot’s recent configurations also target commercial banks in India and Malaysia, which may mean that the gang is looking to create cash-out options in those countries, judging by its growing focus on the Asia-Pacific region.

Read the white paper: How to outsmart Fraudsters with Cognitive Fraud Detection

Redirection Attacks Dominate

TrickBot’s operators are apparently working hard to create new redirection attacks for the malware. In the most recent configuration, the ratio of redirection attack in the configuration was adapted to 58 percent of the URLs targeted by the malware. In comparison, the previous configuration only featured redirections for 35 percent of the target URLs.

Figure 3: TrickBot’s current attack M.O. per configuration file. (Source: IBM)

If we compare TrickBot to other Trojans that deploy redirection attacks, we’ll see that Dridex has been gradually reducing the number of these attacks or removing them completely. The same applies to the GozNym Trojan, which reduced its redirection attack ratio to 12 percent and lower in some geographies, per X-Force analysis.

The redirection technique became popular with banking Trojans in 2014, when the Dyre gang started using it to target banks, primarily in the U.K., U.S., Australia and Spain. Although Dyre activity died down in November 2015, the method itself continues to be a success factor for fraud attacks. For example, less than two months after Dyre disappeared, IBM Trusteer reported the Dridex Trojan had launched redirection attacks in the U.K. Next, GozNym launched its own version of the redirection scheme in April 2016. Most recently, TrickBot launched redirection attacks in November 2016 against a list of banks in the U.K.

Redirection attacks can be very effective in tricking bank customers and facilitating online banking fraud. They are considered an advanced modus operandi because they are designed to bypass bank security measures by hijacking the victim to a malicious website before the victim ever reaches the bank’s site. Note that the bank’s website is not being compromised. Rather, clever attackers are creating convincing replicas of bank websites. They even include the bank’s URL and secure sockets layer (SSL) certificate, making it very hard for victims to visually detect any difference. The fraudulent sites are hosted on other servers where attackers can capture credentials and two-factor authentication data to take over the victim’s account.

This attack is most often identified with the resources and capabilities of organized cybergangs that have in-house developers, such as the Dridex crew, because of the extra setup, preparation and maintenance of unique site replicas for each target.

Mitigating TrickBot Attacks

Banks wishing to protect their customers from evolving threats and cybercrime are invited to learn more about IBM Trusteer advanced fraud protection. Additionally, read our malware mitigation article for tips on protecting against malware like TrickBot and other banking Trojans and for staying safer on PC/mobile devices.

IBM X-Force shares TrickBot indicators of compromise (IoCs) on X-Force Exchange. Just type “TrickBot” into the search bar to find all related collections on this malware. Your team can add to TrickBot collections by anonymously sharing additional IoCs on X-Force Exchange, ultimately helping information security professionals fight cybercrime threats in real time, cutting malware’s lifelines.

Learn how to outsmart Fraudsters with Cognitive Fraud Detection

More from Fraud Protection

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today