IBM X-Force research follows organized cybercrime and continually monitors the criminals’ targets and modus operandi. In a recent analysis of TrickBot campaigns in the U.K., Australia and Germany, I found that the operators of the infamous Trojan have been adding new redirection attacks focused on a list of brands that I had never seen in the past.

Curious about this addition to the TrickBot prime target roster, I went on to examine each URL, only to find out that the operators have been doing a lot of homework. The current configuration files are replete with private banks, private wealth management firms, investment banking, and even a retirement insurance and annuity company. One of the new targets is among the oldest banks in the world, located in the U.K.

Figure 1: TrickBot Target URLs by Geographical Location of Targeted Brand (Source: IBM Security)

A Sharpened Focus on Business Banking

TrickBot is sharpening its focus on business banking, too, adding some rare finds to its more usual hit list. A Sharia law-compliant bank, for example, is among the new brands targeted, which is interesting because banking activity consistent with the principles of Sharia law prohibits certain exchanges such as interest fees and investment in business types unacceptable in Islam. I have not seen this bank listed as a mark in the past eight years of analyzing malware targets.

Looking at the configuration, in the U.K., TrickBot has added 20 new private banking brands to its regular attack roster, as well as eight building societies. Also added were two Swiss banks, a few regular expressions for private banking platforms in Germany and four investment banking firms in the U.S. The complete set of targets includes over 300 unique URLs and regular expressions.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

TrickBot Ramping Up Campaigns

In recent weeks, IBM X-Force has been detecting ramped-up TrickBot activity in Australia, New Zealand and the U.K., the operators’ primary target geographies at this time.

The malware has grown from one to three major campaigns per month to five campaigns already in April. It is possible that TrickBot’s operators are increasing their spam runs in the target geographies and attempting to infect more endpoints before going into an attack phase next.

Figure 2: TrickBot Campaigns Ramp Up in April (Source: IBM Security)

In terms of its attack types, TrickBot is quite similar to Dyre. Its signature moves are browser manipulation techniques that enable the malware to implement serverside webinjections and redirection attacks. More details about those techniques appear in our technical blog on TrickBot.

A Rising Threat in 2017

In my December 2016 TrickBot blog, I noted that this malware was one to watch in 2017, and this cybergang is certainly living up to that prediction. The expanded target list, as well as the focus on new brands and high-value account types, means that this nefarious group is setting its sail and likely plans to deploy its crimeware in new territory.

The TrickBot malware emerged in the summer of 2016 and featured some striking resemblances to the Dyre Trojan right off the bat. Within no more than a month of attack activity, TrickBot was fully equipped with redirection attacks that hit banks in three distinct geographical and linguistic zones: the U.K., Germany and Canada. It then moved on to attacking banks in Asia, Australia and New Zealand, the latter two of which were prominent Dyre targets.

As the year progresses, I expect to see TrickBot climb up the global chart of financial malware families, reaching a similar magnitude as the Dridex Trojan and possibly outnumbering Dridex attacks by year’s end.

Figure 3: Top Most Prevalent Financial Malware Families (Source: IBM Security)

Please note that prior to publishing this blog, IBM X-Force notified the concerned parties and provided them with indicators of compromise (IoCs), and information about TrickBot and its attack methods.

TrickBot Collection is available publicly on X-Force Exchange. We studied the following current TrickBot samples for this blog:

• 044F4F4491F3395F3046F60CAEF820C7
• 070BABE9EF7820172ABC450B748EC277
• 08BA011DF60438CCB9462E819E7EC722

Mitigating TrickBot Attacks

Banks looking for technological solutions to mitigate threats such as malware attacks and redirection schemes are invited to learn more about the IBM Security Trusteer Fraud Protection Suite. To learn more about mitigating threats such as the TrickBot Trojan, users can visit our post for tips and advice to apply in everyday browsing.

Read the white paper: Shifting the balance of power with cognitive fraud prevention