The TrickBot Trojan, which emerged in the wild only this summer, continues to widen its attack scope, spreading farther in its target geographies and developing new redirection attacks. The most recent additions to TrickBot’s redirection targets are three Canadian banks.

According to IBM X-Force researchers following the TrickBot Trojan’s ongoing technical advances, the malware operators frequently release new configurations. The gang continues to focus on the U.K. and Australia, but it’s now setting its sights on Canada with enhanced capabilities to attack banks in the country.

Figure 1: TrickBot’s current bank targets — per locale, per URL count (November 2016, IBM Security)

Redirection Attacks, Mafia Style

TrickBot is the fourth known gang-operated banking Trojan to bring redirection attacks to Canada. Redirection attacks first targeted Canadian banks in 2015, when the Dyre malware launched its nefarious web browser manipulation techniques. At the time, Dyre targeted business accounts of a handful of banks in Canada. After Dyre’s disappearance, the Dridex Trojan started using redirections against businesses in Canada. Next, GozNym created redirection attacks designed to target business banking in Canada, and now TrickBot is entering that same turf.

This matters because the only malware operators with the extra resources to build and carry out redirection attacks are the top organized cybercrime gangs in the fraud arena today. The fact that all these heavy hitters invest in attacks specific to Canadian banks suggests that those banks will see more attacks, more potential fraud and a level of operational sophistication comparable to organized crime.

These mob-style cybercrime gangs are higher up on the food chain of online fraud than other malware operators, and they are nothing short of devastating to individuals and businesses. To make stolen funds disappear, gangs keep elaborate crews on their payroll, maintaining a large number of foot soldiers who funnel stolen money from one account to another or act as money mules to cash the funds out.

Recent events in the news, such as the arrest of two Dridex gang members who were caught in October with access to more than 220 compromised U.K. bank accounts and £2.5 million, bring the concept to life. In a larger case made public in November, authorities arrested 14 ex-Dyre and ex-Dridex members who laundered over $13 million in the past two years. In both cases, only the low-level crooks linked with these gangs’ activity were apprehended.

Canada’s Cybercrime Landscape

Given the rising threat from the most sophisticated malware gangs, it’s surprising that the Canadian government has yet to establish a federal reporting agency for financial cybercrime. This makes it rather difficult to tally specific complaints and losses. Overall, statistics from previous years are alarming: Canadian police observed a 40 percent increase in cybercrime incidents around the country between 2011 and 2013. That number has likely risen in the three years since.

Canadian businesses are also struggling with other types of cyberattacks. According to the Ponemon Institute’s “2016 Cost of a Data Breach Study: Canada,” Canada suffered the highest detection and escalation costs. The cost of a breach rose 12.5 percent for Canadian companies, and the average total cost of a breach was $6.03 million in 2016.

Canada weathers attacks from cybercrime groups similar to those observed on the global map. Commercial malware factions top the chart, followed by the organized crime groups that operate malware such as GootKit, Dridex, URLZone, GozNym and others.

Figure 2: Most active malware in Canada by attack volume (November 2016, IBM Security)

TrickBot Takes On Canada

At this time, TrickBot’s activity in Canada is only beginning, but the malware is advancing rapidly and aggressively, according to X-Force researchers. TrickBot’s operators appear to be connected to well-known spamming and infection services, use redirection attacks and seem to have some ties to the Dyre crew. For this reason, we expect to see this malware’s activity increase during the holiday season and into 2017.

TrickBot indicators of compromise (IOCs) are available on X-Force Exchange, where defenders can review and share them. Banks looking for technology solutions to mitigate threats like TrickBot and other sophisticated malware are invited to learn more about the IBM Trusteer anti-fraud suite. As always, users should reference these security tips to mitigate threats like the TrickBot Trojan and reduce risk.
