The threat group operating the TrickBot Trojan, the most active banking Trojan family according to IBM X-Force data, has been modifying some of the malware’s modules lately as they continue to deploy their attacks in the wild. As code modifications take place, so do widespread TrickBot campaigns that target a large number of entities across the globe — with Japan becoming a growing target as we approach the holiday season.

Just in Time for the Holidays

TrickBot campaigns have been known to target Western countries and English-speaking geographies, and while the malware also targets other parts of the world, this is the first time we are seeing it focused on Japanese banks.

As Japanese consumers look to kick off their holiday shopping, they should be wary of TrickBot infection campaigns growing in the region, targeting banks, e-commerce sites and cryptocurrency exchange platforms. TrickBot configurations have been loaded with hundreds of targeted URLs, most belonging to banks, but some nontraditional targets in recent lists were also recognized, such as fuel cards, a hotel chain and an industrial supply company, to name a few.

Campaigns in Japan have been leveraging malicious spam and distribution by the Emotet botnet to drop TrickBot onto user devices. The predominant attack mode involves web injections on banking websites that lead to eventual online banking fraud. On-the-fly injections pulled in real time from the attacker’s server are a TrickBot staple that traditionally lures victims into divulging personally identifiable information (PII), payment card details and PIN codes, as well as transaction authorization elements.

Figure 1: TrickBot campaign targets by service type (Source: IBM X-Force)

This shift of TrickBot attacks targeting Japan is not the first time we have seen malware attributed to Eastern European gangs reach the country. Previous banking Trojans, such as URLZone and Gozi (Ursnif), have been active in Japan for years now.

Figure 2: Geo-targeting of recent TrickBot campaigns per brand’s location (Source: IBM X-Force)

Japanese Businesses Beware: TrickBot Can Usher in Ryuk Ransomware Attacks

TrickBot infections are a worrying trend on their own, but amid the growing concern over ransomware, Japanese companies should also remain vigilant about the potential of TrickBot attacks turning into Ryuk ransomware attacks. A kill chain that begins with Emotet and TrickBot infections has been known to result in Ryuk attacks, widespread ransomware infections that can paralyze organizations and extort them with demands of millions of dollars in ransom money.

Figure 3: An example kill chain that involves Emotet and TrickBot infections

More About TrickBot

TrickBot emerged in August 2016 and launched into a testing and development period. The malware started out with a striking resemblance to the Dyre Trojan in its internal configuration, attack tactics and the infection methods it used to reach new endpoints. Over time, TrickBot rapidly evolved and spread out to different parts of the world, boasting the ability to operate in a number of language-specific geographies, use redirection attacks and continuously progress on the code level, adding and retiring modules in line with its operator’s cybercrime objectives.

Banking Trojans have gradually become the go-to business of organized crime groups over the past decade, evolving into increasingly stealthy and sophisticated codes. The global chart of the top, most-active malware in this class features TrickBot at the leading position, followed by similar groups that operate Gozi, Ramnit and IcedID — all of which are modular Trojans being used by organized crime groups.

Figure 4: Top banking Trojan families per attempted infection volume (Source: IBM X-Force)

Tips for Mitigating the Risk of TrickBot Infections

Avoiding malware infections is an ongoing battle that organizations engage in through employee education and security controls. Here are some tips from our team that can help businesses focus on threat-centric prevention and response:

  • Malware often looks for an unpatched system. Keep tight control of OS and application update schedules. Don’t skip on patching as close as possible to patch releases. Segregate and use compensating controls on assets that cannot be patched.
  • Layer relevant security controls to detect malware, such as antivirus, embedded malware detection, email security and filtering known malicious communication resources.
  • Use role-based training to inform accounting staff about TrickBot attacks, business email compromise and wire-fraud tactics.
  • For known malicious IPs, and those related to malware like TrickBot, blacklist URLs and IP-based indicators of compromise (IoCs) at the firewall, intrusion detection system (IDS), web gateways, routers or other perimeter security devices.
  • Escalate suspicious events to your incident response team, especially if communication with known bad IPs is taking place.
  • To better respond to potential ransomware attacks, create and maintain a backup program that will ensure data redundancy on and offline, as well as periodic testing to provide a way to recover from possible attacks by using up-to-date backups.

If your team suspects a TrickBot or Ryuk infection spreading, do not wait to launch incident response plans to contain and begin remediation. If your organization is in need of response assistance, please contact the X-Force Incident Response and Intelligence Services (IRIS) hotline — U.S. hotline: 1-888-241-9812 | Global hotline: (+001) 602-220-1440.

Learn more about fraud protection

More from Banking & Finance

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today