The TrickBot Trojan has been steadily ramping up its activity this year, going into a rather intensive period of updates and attacks that started in Q2 2017. From the looks of it, TrickBot’s operators have been investing heavily into widening the scope of their attacks and are preparing redirection attacks against banks in 19 different countries.
After adding French and Nordic banks, the latest additions to TrickBot’s target list are Spanish banks. While the malware had previously targeted only one bank in Spain, it now targets six brands in the country, complete with redirection attacks. Some banks on the list are smaller entities, suggesting that TrickBot is keeping a low profile to test out the country’s banking system before moving on to a wider campaign.
Other countries where TrickBot deploys redirection attacks at this time include Australia, Canada, Denmark, Finland, France, Germany, Ireland, Israel, Lithuania, Luxembourg, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, United Arab Emirates, the U.K. and the U.S. TrickBot is the first and only banking Trojan to cover this many geographies and language zones with redirection schemes, an attack type known to be more resource-intensive to produce and maintain than dynamic webinjection schemes.
Businesses, Investment and Private Banking
TrickBot’s operators continue to focus their efforts on the business sector, investment banking and high net-worth individuals who hold accounts with private banks and wealth management firms. It’s clear that TrickBot is after big money, and it’s important to keep in mind that its operators likely possess the expertise to obtain large amounts of stolen funds, move them on and launder them.
Starting June 2017, IBM X-Force researchers observed that alongside malware such as Dridex, Locky and Jaff, TrickBot’s operators were using the Necurs botnet to deliver their malware in massive email spam infection campaigns that often launch millions of malicious emails a day.
TrickBot has been varying the types of files and attachments it comes inside to evade automated detection. The latest ploy is informing potential victims that they have a verified DocuSign document they need to open.
In simple redirection of browsing to a different page, the user sees the switch to the next website and can observe the change in URL. This is not what happens in TrickBot’s case. Malware redirections hijack the victim to a fake website hosted on separate servers before he or she even sees the destination page.
In parallel, the malware contacts the bank’s genuine webpage and keeps a live connection with it. That way, the fake page displays the bank’s correct URL in the address bar, as well as the bank’s genuine digital certificate. The user is unlikely to notice any difference or suspect that he or she reached a malicious site. The only thing that can tip off a victim is an altered flow of events that takes place on the fake site. At that point, the victim should close the browsing window and call his or her bank to inquire about the out-of-the-ordinary process the malware asked them to complete.
The redirection M.O. is used to bypass bank security measures by hijacking the victim to a malicious website before he or she ever reaches the bank’s site. By seamlessly moving infected victims away from the bank’s genuine website, the malware’s operator can switch to using webinjections to steal login details, personally identifiable information (PII) and critical authentication codes on the replica site — all without the bank knowing that the customer’s session has been compromised or discovering the flow of events on the fake site.
Redirection attacks are most often identified with the resources and capabilities of organized cybergangs because of the extra setup required to create and maintain them for each unique target. According to X-Force research, the Trojan redirection technique surfaced in 2014, when the Dyre gang launched it against banks in the U.K.
TrickBot emerged in August 2016 and launched into a testing and development period in what appears to be a banking Trojan project. This malware is a modular Trojan that bears a striking resemblance to the Dyre Trojan, both in its internal makeup and the infection methods it uses to reach new endpoints.
According to X-Force research, the malware targets banks in over 24 countries across the globe and is ranked seventh in terms of its activity in the financial malware arena. TrickBot now accounts for about 4 percent of attacks on a global scale. I expect to see it rise further this year due to its geographical expansion and increased activity in Q2 and Q3 2017 so far.
Indicators of Compromise
The X-Force Research team recently analyzed the following TrickBot MD5s:
TrickBot is also featured in an ongoing collection on IBM’s X-Force Exchange.