The TrickBot Trojan emerged in October 2016 as new banking malware, boasting a code that appears to have more than one feature in common with the Dyre Trojan. From its very early days, TrickBot already possessed the capability to launch redirection attacks, and judging by its rapid development, IBM X-Force researchers believe it is poised to become a rising cybercrime threat in 2017.
X-Force researchers following TrickBot’s evolution noted that the malware’s new configurations have recently expanded to include new targets in countries where TrickBot is already operating, such as Australia, the U.K., New Zealand and Germany. But beyond the existing geographies, TrickBot now deploys redirection attacks in Singapore, India and Malaysia.
Figure 1: TrickBot’s current targets by location. (Source: IBM)
Old Tricks, New Country
TrickBot is not the first malware to head for Singapore right after it hits English-speaking geographies. The small yet prosperous country has been seeing increasing interest from cybercrime gangs — especially Dridex, but also Dyre, Neverquest and Tinba, to name a few, per IBM X-Force.
Although it is primarily a Chinese-speaking country, the thriving growth of international business in Singapore is driving most organizations to also communicate in English. And since most malware campaigns are launched in English, cybercrime gangs don’t have to invest much into adapting their spam and tools in Singapore.
Furthermore, the perpetual rise of multinational corporations conducting business in Singapore makes the region even riper for financial cyberattacks due to a constant rise in the type of high-value accounts. According to X-Force researchers, TrickBot focuses its attacks on business accounts, corporate and commercial banking, and wealth management across all targeted banks.
Figure 2: TrickBot’s current targets per service type. (Source: IBM)
TrickBot’s recent configurations also target commercial banks in India and Malaysia, which may mean that the gang is looking to create cash-out options in those countries, judging by its growing focus on the Asia-Pacific region.
Redirection Attacks Dominate
TrickBot’s operators are apparently working hard to create new redirection attacks for the malware. In the most recent configuration, the ratio of redirection attack in the configuration was adapted to 58 percent of the URLs targeted by the malware. In comparison, the previous configuration only featured redirections for 35 percent of the target URLs.
Figure 3: TrickBot’s current attack M.O. per configuration file. (Source: IBM)
If we compare TrickBot to other Trojans that deploy redirection attacks, we’ll see that Dridex has been gradually reducing the number of these attacks or removing them completely. The same applies to the GozNym Trojan, which reduced its redirection attack ratio to 12 percent and lower in some geographies, per X-Force analysis.
The redirection technique became popular with banking Trojans in 2014, when the Dyre gang started using it to target banks, primarily in the U.K., U.S., Australia and Spain. Although Dyre activity died down in November 2015, the method itself continues to be a success factor for fraud attacks. For example, less than two months after Dyre disappeared, IBM Trusteer reported the Dridex Trojan had launched redirection attacks in the U.K. Next, GozNym launched its own version of the redirection scheme in April 2016. Most recently, TrickBot launched redirection attacks in November 2016 against a list of banks in the U.K.
Redirection attacks can be very effective in tricking bank customers and facilitating online banking fraud. They are considered an advanced modus operandi because they are designed to bypass bank security measures by hijacking the victim to a malicious website before the victim ever reaches the bank’s site. Note that the bank’s website is not being compromised. Rather, clever attackers are creating convincing replicas of bank websites. They even include the bank’s URL and secure sockets layer (SSL) certificate, making it very hard for victims to visually detect any difference. The fraudulent sites are hosted on other servers where attackers can capture credentials and two-factor authentication data to take over the victim’s account.
This attack is most often identified with the resources and capabilities of organized cybergangs that have in-house developers, such as the Dridex crew, because of the extra setup, preparation and maintenance of unique site replicas for each target.
Mitigating TrickBot Attacks
Banks wishing to protect their customers from evolving threats and cybercrime are invited to learn more about IBM Trusteer advanced fraud protection. Additionally, read our malware mitigation article for tips on protecting against malware like TrickBot and other banking Trojans and for staying safer on PC/mobile devices.
IBM X-Force shares TrickBot indicators of compromise (IoCs) on X-Force Exchange. Just type “TrickBot” into the search bar to find all related collections on this malware. Your team can add to TrickBot collections by anonymously sharing additional IoCs on X-Force Exchange, ultimately helping information security professionals fight cybercrime threats in real time, cutting malware’s lifelines.