IBM X-Force research follows organized cybercrime and continually monitors the criminals’ targets and modus operandi. In a recent analysis of TrickBot campaigns in the U.K., Australia and Germany, I found that the operators of the infamous Trojan have been adding new redirection attacks focused on a list of brands that I had never seen in the past.

Curious about this addition to the TrickBot prime target roster, I went on to examine each URL, only to find out that the operators have been doing a lot of homework. The current configuration files are replete with private banks, private wealth management firms, investment banking, and even a retirement insurance and annuity company. One of the new targets is among the oldest banks in the world, located in the U.K.


Figure 1: TrickBot Target URLs by Geographical Location of Targeted Brand (Source: IBM Security)

A Sharpened Focus on Business Banking

TrickBot is sharpening its focus on business banking, too, adding some rare finds to its more usual hit list. A Sharia law-compliant bank, for example, is among the new brands targeted, which is interesting because banking activity consistent with the principles of Sharia law prohibits certain exchanges such as interest fees and investment in business types unacceptable in Islam. I have not seen this bank listed as a mark in the past eight years of analyzing malware targets.

Looking at the configuration, in the U.K., TrickBot has added 20 new private banking brands to its regular attack roster, as well as eight building societies. Also added were two Swiss banks, a few regular expressions for private banking platforms in Germany and four investment banking firms in the U.S. The complete set of targets includes over 300 unique URLs and regular expressions.
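A defender reading a target roster like the one described above usually wants one concrete answer: do any of my institution's login URLs fall under an entry? The snippet below is an added example written for this post, not code from IBM X-Force or from the malware itself; the entry format (literal URL prefixes plus a `regex:`-prefixed form for regular expressions) and every brand name in it are constructed placeholders, since the real configuration syntax and targets are not reproduced here. It compiles a mixed list of literal and regex entries and reports which of a set of URLs each entry would match.

```python
"""Check an institution's URLs against a constructed banking-trojan target
list. The entry format ("regex:" prefix for regular expressions, otherwise a
literal URL prefix) is an assumption for this example, not TrickBot's own
configuration syntax; all hostnames are made-up placeholders."""
import re
from dataclasses import dataclass

# Constructed sample roster mixing literal prefixes and regular expressions,
# mirroring the article's description of URLs plus regexes per region.
SAMPLE_TARGETS = [
    "https://online.example-privatebank.co.uk/login",
    "https://ebanking.example-building-society.co.uk/",
    r"regex:https://.*\.example-privatbank\.de/portal/.*",
    r"regex:https://(www|secure)\.example-invest\.com/(login|auth)",
]


@dataclass
class TargetPattern:
    raw: str            # entry exactly as it appears in the roster
    regex: re.Pattern   # compiled matcher derived from the entry


def compile_targets(entries):
    """Turn roster entries into compiled patterns.

    Literal entries are treated as case-insensitive prefix matches; regex
    entries are compiled as written (case-insensitive).
    """
    patterns = []
    for entry in entries:
        if entry.startswith("regex:"):
            body = entry[len("regex:"):]
        else:
            body = re.escape(entry) + ".*"
        patterns.append(TargetPattern(entry, re.compile(body, re.IGNORECASE)))
    return patterns


def match_targets(urls, patterns):
    """Return {url: [raw entries that match]} for every URL hit by an entry."""
    hits = {}
    for url in urls:
        matched = [p.raw for p in patterns if p.regex.fullmatch(url)]
        if matched:
            hits[url] = matched
    return hits


if __name__ == "__main__":
    # Constructed URLs an analyst might check for a client institution.
    checked = [
        "https://online.example-privatebank.co.uk/login?session=1",
        "https://kunden.example-privatbank.de/portal/home",
        "https://secure.example-invest.com/auth",
        "https://www.example-invest.com/help",
    ]
    for url, entries in match_targets(checked, compile_targets(SAMPLE_TARGETS)).items():
        print(url, "<-", ", ".join(entries))
```

Running the module lists each checked URL alongside the roster entries that cover it; URLs with no match (such as a help page outside a login path) are simply absent from the result, which is the signal an institution wants when triaging whether a brand is in scope.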

Read the white paper: Shifting the balance of power with cognitive fraud prevention

TrickBot Ramping Up Campaigns

In recent weeks, IBM X-Force has been detecting ramped-up TrickBot activity in Australia, New Zealand and the U.K., the operators’ primary target geographies at this time.

The malware has grown from one to three major campaigns per month to five campaigns already in April. It is possible that TrickBot’s operators are increasing their spam runs in the target geographies and attempting to infect more endpoints before going into an attack phase next.


Figure 2: TrickBot Campaigns Ramp Up in April (Source: IBM Security)

In terms of its attack types, TrickBot is quite similar to Dyre. Its signature moves are browser manipulation techniques that enable the malware to carry out server-side web injections and redirection attacks. More details about those techniques appear in our technical blog on TrickBot.

A Rising Threat in 2017

In my December 2016 TrickBot blog, I noted that this malware was one to watch in 2017, and this cybergang is certainly living up to that prediction. The expanded target list, as well as the focus on new brands and high-value account types, means that this nefarious group is setting sail and likely plans to deploy its crimeware in new territory.

The TrickBot malware emerged in the summer of 2016 and featured some striking resemblances to the Dyre Trojan right off the bat. Within no more than a month of attack activity, TrickBot was fully equipped with redirection attacks that hit banks in three distinct geographical and linguistic zones: the U.K., Germany and Canada. It then moved on to attacking banks in Asia, Australia and New Zealand, the latter two of which were prominent Dyre targets.

As the year progresses, I expect to see TrickBot climb up the global chart of financial malware families, reaching a similar magnitude as the Dridex Trojan and possibly outnumbering Dridex attacks by year’s end.


Figure 3: Top Most Prevalent Financial Malware Families (Source: IBM Security)

Please note that prior to publishing this blog, IBM X-Force notified the affected parties and provided them with indicators of compromise (IoCs) and information about TrickBot and its attack methods.

The TrickBot collection is publicly available on X-Force Exchange. We studied the following current TrickBot samples for this blog:

  • 044F4F4491F3395F3046F60CAEF820C7
  • 070BABE9EF7820172ABC450B748EC277
  • 08BA011DF60438CCB9462E819E7EC722

Mitigating TrickBot Attacks

Banks looking for technological solutions to mitigate threats such as malware attacks and redirection schemes are invited to learn more about the IBM Security Trusteer Fraud Protection Suite. To learn more about mitigating threats such as the TrickBot Trojan, users can visit our post for tips and advice to apply in everyday browsing.

