Light Dark
April 27, 2017 By Limor Kessem 4 min read
Malware
Banking & Finance
Fraud Protection
Threat Intelligence

IBM X-Force research follows organized cybercrime and continually monitors the criminals’ targets and modus operandi. In a recent analysis of TrickBot campaigns in the U.K., Australia and Germany, I found that the operators of the infamous Trojan have been adding new redirection attacks focused on a list of brands that I had never seen in the past.

Curious about this addition to the TrickBot prime target roster, I went on to examine each URL, only to find out that the operators have been doing a lot of homework. The current configuration files are replete with private banks, private wealth management firms, investment banking, and even a retirement insurance and annuity company. One of the new targets is among the oldest banks in the world, located in the U.K.


Figure 1: TrickBot Target URLs by Geographical Location of Targeted Brand (Source: IBM Security)

A Sharpened Focus on Business Banking

TrickBot is sharpening its focus on business banking, too, adding some rare finds to its more usual hit list. A Sharia law-compliant bank, for example, is among the new brands targeted, which is interesting because banking activity consistent with the principles of Sharia law prohibits certain exchanges such as interest fees and investment in business types unacceptable in Islam. I have not seen this bank listed as a mark in the past eight years of analyzing malware targets.

Looking at the configuration, in the U.K., TrickBot has added 20 new private banking brands to its regular attack roster, as well as eight building societies. Also added were two Swiss banks, a few regular expressions for private banking platforms in Germany and four investment banking firms in the U.S. The complete set of targets includes over 300 unique URLs and regular expressions.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

TrickBot Ramping Up Campaigns

In recent weeks, IBM X-Force has been detecting ramped-up TrickBot activity in Australia, New Zealand and the U.K., the operators’ primary target geographies at this time.

The malware has grown from one to three major campaigns per month to five campaigns already in April. It is possible that TrickBot’s operators are increasing their spam runs in the target geographies and attempting to infect more endpoints before going into an attack phase next.


Figure 2: TrickBot Campaigns Ramp Up in April (Source: IBM Security)

In terms of its attack types, TrickBot is quite similar to Dyre. Its signature moves are browser manipulation techniques that enable the malware to implement serverside webinjections and redirection attacks. More details about those techniques appear in our technical blog on TrickBot.

A Rising Threat in 2017

In my December 2016 TrickBot blog, I noted that this malware was one to watch in 2017, and this cybergang is certainly living up to that prediction. The expanded target list, as well as the focus on new brands and high-value account types, means that this nefarious group is setting its sail and likely plans to deploy its crimeware in new territory.

The TrickBot malware emerged in the summer of 2016 and featured some striking resemblances to the Dyre Trojan right off the bat. Within no more than a month of attack activity, TrickBot was fully equipped with redirection attacks that hit banks in three distinct geographical and linguistic zones: the U.K., Germany and Canada. It then moved on to attacking banks in Asia, Australia and New Zealand, the latter two of which were prominent Dyre targets.

As the year progresses, I expect to see TrickBot climb up the global chart of financial malware families, reaching a similar magnitude as the Dridex Trojan and possibly outnumbering Dridex attacks by year’s end.


Figure 3: Top Most Prevalent Financial Malware Families (Source: IBM Security)

Please note that prior to publishing this blog, IBM X-Force notified the concerned parties and provided them with indicators of compromise (IoCs), and information about TrickBot and its attack methods.

TrickBot Collection is available publicly on X-Force Exchange. We studied the following current TrickBot samples for this blog:

  • 044F4F4491F3395F3046F60CAEF820C7
  • 070BABE9EF7820172ABC450B748EC277
  • 08BA011DF60438CCB9462E819E7EC722

Mitigating TrickBot Attacks

Banks looking for technological solutions to mitigate threats such as malware attacks and redirection schemes are invited to learn more about the IBM Security Trusteer Fraud Protection Suite. To learn more about mitigating threats such as the TrickBot Trojan, users can visit our post for tips and advice to apply in everyday browsing.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

 |  |  |  |  |  |  | 
Limor Kessem
Principal Consultant, X-Force Cyber Crisis Management, IBM

More from Malware
March 11, 2024

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature