The TrickBot Trojan has been steadily ramping up its activity this year, going into a rather intensive period of updates and attacks that started in Q2 2017. From the looks of it, TrickBot’s operators have been investing heavily into widening the scope of their attacks and are preparing redirection attacks against banks in 19 different countries.

After adding French and Nordic banks, the latest additions to TrickBot’s target list are Spanish banks. While the malware had previously targeted only one bank in Spain, it now targets six brands in the country, complete with redirection attacks. Some banks on the list are smaller entities, suggesting that TrickBot is keeping a low profile to test out the country’s banking system before moving on to a wider campaign.

Other countries where TrickBot deploys redirection attacks at this time include Australia, Canada, Denmark, Finland, France, Germany, Ireland, Israel, Lithuania, Luxembourg, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, United Arab Emirates, the U.K. and the U.S. TrickBot is the first and only banking Trojan to cover this many geographies and language zones with redirection schemes, an attack type known to be more resource-intensive to produce and maintain than dynamic webinjection schemes.

Businesses, Investment and Private Banking

TrickBot’s operators continue to focus their efforts on the business sector, investment banking and high net-worth individuals who hold accounts with private banks and wealth management firms. It’s clear that TrickBot is after big money, and it’s important to keep in mind that its operators likely possess the expertise to obtain large amounts of stolen funds, move them on and launder them.

Starting June 2017, IBM X-Force researchers observed that alongside malware such as Dridex, Locky and Jaff, TrickBot’s operators were using the Necurs botnet to deliver their malware in massive email spam infection campaigns that often launch millions of malicious emails a day.

TrickBot has been varying the types of files and attachments it comes inside to evade automated detection. The latest ploy is informing potential victims that they have a verified DocuSign document they need to open.

Why Redirect?

More than just fitting targeted webpages with HTML or JavaScript injections, many of TrickBot’s targets are fitted with customized redirection attacks — the most advanced method to manipulate what victims see on their browsers.

In simple redirection of browsing to a different page, the user sees the switch to the next website and can observe the change in URL. This is not what happens in TrickBot’s case. Malware redirections hijack the victim to a fake website hosted on separate servers before he or she even sees the destination page.

In parallel, the malware contacts the bank’s genuine webpage and keeps a live connection with it. That way, the fake page displays the bank’s correct URL in the address bar, as well as the bank’s genuine digital certificate. The user is unlikely to notice any difference or suspect that he or she reached a malicious site. The only thing that can tip off a victim is an altered flow of events that takes place on the fake site. At that point, the victim should close the browsing window and call his or her bank to inquire about the out-of-the-ordinary process the malware asked them to complete.

The redirection M.O. is used to bypass bank security measures by hijacking the victim to a malicious website before he or she ever reaches the bank’s site. By seamlessly moving infected victims away from the bank’s genuine website, the malware’s operator can switch to using webinjections to steal login details, personally identifiable information (PII) and critical authentication codes on the replica site — all without the bank knowing that the customer’s session has been compromised or discovering the flow of events on the fake site.

Redirection attacks are most often identified with the resources and capabilities of organized cybergangs because of the extra setup required to create and maintain them for each unique target. According to X-Force research, the Trojan redirection technique surfaced in 2014, when the Dyre gang launched it against banks in the U.K.

About TrickBot

TrickBot emerged in August 2016 and launched into a testing and development period in what appears to be a banking Trojan project. This malware is a modular Trojan that bears a striking resemblance to the Dyre Trojan, both in its internal makeup and the infection methods it uses to reach new endpoints.

According to X-Force research, the malware targets banks in over 24 countries across the globe and is ranked seventh in terms of its activity in the financial malware arena. TrickBot now accounts for about 4 percent of attacks on a global scale. I expect to see it rise further this year due to its geographical expansion and increased activity in Q2 and Q3 2017 so far.

Indicators of Compromise

The X-Force Research team recently analyzed the following TrickBot MD5s:

  • 9a1d8e19b0622df7de1e0034e710b5a8
  • 0e09c2aa13515fc10b5e352cbfab37b7

TrickBot is also featured in an ongoing collection on IBM’s X-Force Exchange.

Read the white paper: Cognitive fraud detection fuels adaptable intelligence

More from Banking & Finance

How to Spot a Nefarious Cryptocurrency Platform

Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

Cost of a Data Breach: Banking and Finance

The importance of cybersecurity has touched almost every industry. Beyond that, robust cybersecurity is table stakes for several sectors, particularly health care and the banking and finance industry. Not only is financial data at risk, but so is customer trust. In banking and finance, trust means everything. Yet, consumers are hesitant to share their confidential data. A recent McKinsey survey revealed that no industry achieved a trust rating of 50% for data protection. Here’s the most sobering stat: 87% of…