The threat group operating the TrickBot Trojan, the most active banking Trojan family according to IBM X-Force data, has been modifying some of the malware’s modules lately as they continue to deploy their attacks in the wild. As code modifications take place, so do widespread TrickBot campaigns that target a large number of entities across the globe — with Japan becoming a growing target as we approach the holiday season.

Just in Time for the Holidays

TrickBot campaigns have been known to target Western countries and English-speaking geographies, and while the malware also targets other parts of the world, this is the first time we are seeing it focused on Japanese banks.

As Japanese consumers look to kick off their holiday shopping, they should be wary of TrickBot infection campaigns growing in the region, targeting banks, e-commerce sites and cryptocurrency exchange platforms. TrickBot configurations have been loaded with hundreds of targeted URLs, most belonging to banks, but some nontraditional targets in recent lists were also recognized, such as fuel cards, a hotel chain and an industrial supply company, to name a few.

Campaigns in Japan have been leveraging malicious spam and distribution by the Emotet botnet to drop TrickBot onto user devices. The predominant attack mode involves web injections on banking websites that lead to eventual online banking fraud. On-the-fly injections pulled in real time from the attacker’s server are a TrickBot staple that traditionally lures victims into divulging personally identifiable information (PII), payment card details and PIN codes, as well as transaction authorization elements.

Figure 1: TrickBot campaign targets by service type (Source: IBM X-Force)

This shift of TrickBot attacks targeting Japan is not the first time we have seen malware attributed to Eastern European gangs reach the country. Previous banking Trojans, such as URLZone and Gozi (Ursnif), have been active in Japan for years now.

Figure 2: Geo-targeting of recent TrickBot campaigns per brand’s location (Source: IBM X-Force)

Japanese Businesses Beware: TrickBot Can Usher in Ryuk Ransomware Attacks

TrickBot infections are a worrying trend on their own, but amid the growing concern over ransomware, Japanese companies should also remain vigilant about the potential of TrickBot attacks turning into Ryuk ransomware attacks. A kill chain that begins with Emotet and TrickBot infections has been known to result in Ryuk attacks, widespread ransomware infections that can paralyze organizations and extort them with demands of millions of dollars in ransom money.

Figure 3: An example kill chain that involves Emotet and TrickBot infections

More About TrickBot

TrickBot emerged in August 2016 and launched into a testing and development period. The malware started out with a striking resemblance to the Dyre Trojan in its internal configuration, attack tactics and the infection methods it used to reach new endpoints. Over time, TrickBot rapidly evolved and spread out to different parts of the world, boasting the ability to operate in a number of language-specific geographies, use redirection attacks and continuously progress on the code level, adding and retiring modules in line with its operator’s cybercrime objectives.

Banking Trojans have gradually become the go-to business of organized crime groups over the past decade, evolving into increasingly stealthy and sophisticated code. The global chart of the top, most-active malware in this class features TrickBot at the leading position, followed by similar groups that operate Gozi, Ramnit and IcedID — all of which are modular Trojans being used by organized crime groups.

Figure 4: Top banking Trojan families per attempted infection volume (Source: IBM X-Force)

Tips for Mitigating the Risk of TrickBot Infections

Avoiding malware infections is an ongoing battle that organizations engage in through employee education and security controls. Here are some tips from our team that can help businesses focus on threat-centric prevention and response:

  • Malware often looks for an unpatched system. Keep tight control of OS and application update schedules, and apply patches as close to their release as possible. Segregate assets that cannot be patched and apply compensating controls to them.
  • Layer relevant security controls to detect malware, such as antivirus, embedded malware detection, email security and filtering known malicious communication resources.
  • Use role-based training to inform accounting staff about TrickBot attacks, business email compromise and wire-fraud tactics.
  • For known malicious IPs, and those related to malware like TrickBot, blacklist URLs and IP-based indicators of compromise (IoCs) at the firewall, intrusion detection system (IDS), web gateways, routers or other perimeter security devices.
  • Escalate suspicious events to your incident response team, especially if communication with known bad IPs is taking place.
  • To better respond to potential ransomware attacks, create and maintain a backup program that ensures data redundancy both online and offline, and test restores periodically so that recovery from up-to-date backups is a proven option rather than an assumption.
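The two tips above on blocking known-bad infrastructure and escalating suspicious communications assume that someone is actually matching outbound connections against an IoC list. The script below is an added example, not code from IBM X-Force or from the article, of the minimal detection step: it parses proxy/firewall log lines, checks each destination IP and hostname against a blocklist of IPs, CIDR ranges and domains, and returns the matches for escalation to the incident response team. The key=value log format, the IoC values (RFC 5737 documentation addresses and `.example` domains) and the log lines are all constructed placeholders; a real deployment would load the IoC list from a threat intelligence feed.

```python
"""Match outbound connection logs against an IoC blocklist (added example).

Everything below is constructed for illustration: the IoC values are
documentation-only addresses and reserved example domains, and the log
lines are made up. Nothing here is real TrickBot infrastructure.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed IoC list (placeholders): exact IPs, CIDR ranges and domains.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
IOC_DOMAINS = {"bad-c2.example", "update-check.example"}

# Constructed sample log lines in an assumed key=value format.
# The last line is deliberately malformed to exercise the parser.
SAMPLE_LOGS = """\
ts=2019-11-20T09:14:02Z src=10.0.0.12 dst=203.0.113.45 dport=443 host=-
ts=2019-11-20T09:14:05Z src=10.0.0.12 dst=93.184.216.34 dport=443 host=www.example.com
ts=2019-11-20T09:15:10Z src=10.0.0.33 dst=192.0.2.77 dport=8443 host=-
ts=2019-11-20T09:16:00Z src=10.0.0.33 dst=198.51.100.200 dport=80 host=CDN.bad-c2.example
ts=2019-11-20T09:16:30Z src=10.0.0.41 dst=10.0.0.5 dport=445 host=-
this line is not a log record
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one key=value log line into a dict; None if it lacks src/dst."""
    fields = dict(FIELD_RE.findall(line))
    if "src" not in fields or "dst" not in fields:
        return None
    return fields


def match_domain(host: Optional[str]) -> Optional[str]:
    """Return the matching IoC domain if host equals it or is a subdomain."""
    if not host or host == "-":
        return None
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def match_ip(addr: str) -> Optional[str]:
    """Return the matching IoC IP or CIDR, or None for clean/invalid input."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if addr in IOC_IPS:
        return addr
    for net in IOC_NETWORKS:
        if ip in net:
            return str(net)
    return None


def scan_logs(text: str) -> List[Dict[str, object]]:
    """Scan log text; return one record per line that touched an IoC."""
    hits = []
    for raw in text.splitlines():
        fields = parse_line(raw)
        if fields is None:
            continue  # unparseable line: skip rather than crash the scan
        reasons = []
        ip_hit = match_ip(fields["dst"])
        if ip_hit:
            reasons.append("dst-ip:" + ip_hit)
        dom_hit = match_domain(fields.get("host"))
        if dom_hit:
            reasons.append("host:" + dom_hit)
        if reasons:
            hits.append({
                "ts": fields.get("ts"),
                "src": fields["src"],
                "dst": fields["dst"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    # Each hit is a candidate event to escalate to incident response.
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}  {', '.join(hit['reasons'])}")
```

On the constructed input the scan flags three lines: a direct hit on a blocklisted IP, a destination inside a blocklisted CIDR range, and a connection whose hostname is a subdomain of a blocklisted domain even though its IP is not listed. The subdomain check and case folding matter in practice, since attacker infrastructure rotates hostnames under a stable parent domain; the malformed final line is skipped rather than aborting the whole scan.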

If your team suspects a TrickBot or Ryuk infection spreading, do not wait to launch incident response plans to contain and begin remediation. If your organization is in need of response assistance, please contact the X-Force Incident Response and Intelligence Services (IRIS) hotline — U.S. hotline: 1-888-241-9812 | Global hotline: (+001) 602-220-1440.
