The threat group operating the TrickBot Trojan, the most active banking Trojan family according to IBM X-Force data, has been modifying some of the malware’s modules lately as they continue to deploy their attacks in the wild. As code modifications take place, so do widespread TrickBot campaigns that target a large number of entities across the globe — with Japan becoming a growing target as we approach the holiday season.

Just in Time for the Holidays

TrickBot campaigns have been known to target Western countries and English-speaking geographies, and while the malware also targets other parts of the world, this is the first time we are seeing it focused on Japanese banks.

As Japanese consumers look to kick off their holiday shopping, they should be wary of TrickBot infection campaigns growing in the region, targeting banks, e-commerce sites and cryptocurrency exchange platforms. TrickBot configurations have been loaded with hundreds of targeted URLs, most belonging to banks, but some nontraditional targets in recent lists were also recognized, such as fuel cards, a hotel chain and an industrial supply company, to name a few.

Campaigns in Japan have been leveraging malicious spam and distribution by the Emotet botnet to drop TrickBot onto user devices. The predominant attack mode involves web injections on banking websites that lead to eventual online banking fraud. On-the-fly injections pulled in real time from the attacker’s server are a TrickBot staple that traditionally lures victims into divulging personally identifiable information (PII), payment card details and PIN codes, as well as transaction authorization elements.

Figure 1: TrickBot campaign targets by service type (Source: IBM X-Force)

This shift of TrickBot attacks targeting Japan is not the first time we have seen malware attributed to Eastern European gangs reach the country. Previous banking Trojans, such as URLZone and Gozi (Ursnif), have been active in Japan for years now.

Figure 2: Geo-targeting of recent TrickBot campaigns per brand’s location (Source: IBM X-Force)

Japanese Businesses Beware: TrickBot Can Usher in Ryuk Ransomware Attacks

TrickBot infections are a worrying trend on their own, but amid the growing concern over ransomware, Japanese companies should also remain vigilant about the potential of TrickBot attacks turning into Ryuk ransomware attacks. A kill chain that begins with Emotet and TrickBot infections has been known to result in Ryuk attacks, widespread ransomware infections that can paralyze organizations and extort them with demands of millions of dollars in ransom money.

Figure 3: An example kill chain that involves Emotet and TrickBot infections

More About TrickBot

TrickBot emerged in August 2016 and launched into a testing and development period. The malware started out with a striking resemblance to the Dyre Trojan in its internal configuration, attack tactics and the infection methods it used to reach new endpoints. Over time, TrickBot rapidly evolved and spread out to different parts of the world, boasting the ability to operate in a number of language-specific geographies, use redirection attacks and continuously progress on the code level, adding and retiring modules in line with its operator’s cybercrime objectives.

Banking Trojans have gradually become the go-to business of organized crime groups over the past decade, evolving into increasingly stealthy and sophisticated codes. The global chart of the top, most-active malware in this class features TrickBot at the leading position, followed by similar groups that operate Gozi, Ramnit and IcedID — all of which are modular Trojans being used by organized crime groups.

Figure 4: Top banking Trojan families per attempted infection volume (Source: IBM X-Force)

Tips for Mitigating the Risk of TrickBot Infections

Avoiding malware infections is an ongoing battle that organizations engage in through employee education and security controls. Here are some tips from our team that can help businesses focus on threat-centric prevention and response:

  • Malware often looks for an unpatched system. Keep tight control of OS and application update schedules. Don’t skip on patching as close as possible to patch releases. Segregate and use compensating controls on assets that cannot be patched.
  • Layer relevant security controls to detect malware, such as antivirus, embedded malware detection, email security and filtering known malicious communication resources.
  • Use role-based training to inform accounting staff about TrickBot attacks, business email compromise and wire-fraud tactics.
  • For known malicious IPs, and those related to malware like TrickBot, blacklist URLs and IP-based indicators of compromise (IoCs) at the firewall, intrusion detection system (IDS), web gateways, routers or other perimeter security devices.
  • Escalate suspicious events to your incident response team, especially if communication with known bad IPs is taking place.
  • To better respond to potential ransomware attacks, create and maintain a backup program that will ensure data redundancy on and offline, as well as periodic testing to provide a way to recover from possible attacks by using up-to-date backups.

If your team suspects a TrickBot or Ryuk infection spreading, do not wait to launch incident response plans to contain and begin remediation. If your organization is in need of response assistance, please contact the X-Force Incident Response and Intelligence Services (IRIS) hotline — U.S. hotline: 1-888-241-9812 | Global hotline: (+001) 602-220-1440.

Learn more about fraud protection

More from Banking & Finance

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today