November 23, 2016 By Limor Kessem 3 min read

The TrickBot Trojan, which emerged in the wild only this summer, continues to widen its attack scope, spreading farther in its target geographies and developing new redirection attacks. The most recent additions to TrickBot’s redirection targets are three Canadian banks.

According to IBM X-Force researchers following the TrickBot Trojan’s ongoing technical advances, the malware operators frequently release new configurations. The gang continues to focus on the U.K. and Australia, but it’s now setting its sights on Canada with enhanced capabilities to attack banks in the country.

Figure 1: TrickBot’s current bank targets — per locale, per URL count (November 2016, IBM Security)

Redirection Attacks, Mafia Style

TrickBot is the fourth known gang-operated banking Trojan to bring redirection attacks to Canada. Redirection attacks first targeted Canadian banks in 2015, when the Dyre malware launched its nefarious web browser manipulation techniques. At the time, Dyre targeted business accounts of a handful of banks in Canada. After Dyre’s disappearance, the Dridex Trojan started using redirections against businesses in Canada. Next, GozNym created redirection attacks designed to target business banking in Canada, and now TrickBot is entering that same turf.

This matters because the only malware operators with the extra resources to build and carry out redirection attacks are the top-known organized cybercrime gangs in the fraud arena today. The fact that all these heavy hitters invest in attacks specific to Canadian banks suggests that they’ll see more attacks, more potential fraud and a level of operational sophistication comparable to organized crime.

These mob-style cybercrime gangs are higher up on the food chain of online fraud than other malware operators, and they are nothing short of devastating to individuals and businesses. To make stolen funds disappear, gangs keep elaborate crews on their payroll, maintaining a large number of foot soldiers to funnel stolen money from one account to another and either act as money mules to cash the funds out.

Recent events in the news, such as the arrest of two Dridex gang members who were caught in October with access to more than 220 compromised U.K. bank accounts and £2.5 million, bring the concept to life. In a larger case made public in November, authorities arrested 14 ex-Dyre and ex-Dridex members who laundered over $13 million in the past two years. In both cases, only the low-level crooks linked with these gangs’ activity were apprehended.

Canada’s Cybercrime Landscape

Given the rising threat from the most sophisticated malware gangs, it’s surprising that the Canadian government has yet to establish a federal reporting agency for financial cybercrime. This makes it rather difficult to tally specific complaints and losses. Overall, statistics from previous years are alarming: Canadian police observed a 40 percent increase in cybercrime incidents around the country between 2011 and 2013. That number has likely risen in the three years since.

Canadian businesses are also struggling with other types of cyberattacks. According to the Ponemon Institute’s “2016 Cost of a Data Breach Study: Canada,” Canada suffered the highest detection and escalation costs. The cost of a breach rose 12.5 percent for Canadian companies, and the average total cost of a breach was $6.03 million in 2016.

Canada weathers attacks from similar cybercrime groups as those observed on the global map. Commercial malware factions top the chart, followed by the organized crime groups that operate malware such as GootKit, Dridex, URLZone, GozNym and others.

Figure 2: Most active malware in Canada by attack volume (November 2016, IBM Security)

TrickBot Takes On Canada

At this time, TrickBot’s activity in Canada is only beginning, but the malware is advancing rapidly and aggressively, according to X-Force researchers. TrickBot’s operators appear to be connected to well-known spamming and infection services, use redirection attacks and seem to have some ties to the Dyre crew. For this reason, we expect to see this malware’s activity increase during the holiday season and into 2017.

For TrickBot indicators of compromise (IOCs), check out — and share — via X-Force Exchange. Banks looking for technology solutions to mitigate threats like TrickBot and other sophisticated malware are invited to learn more about the IBM Trusteer anti-fraud suite. As always, users should reference these security tips to mitigate threats like the TrickBot Trojan and reduce risk.

Read the white paper: How to outsmart Fraudsters with Cognitive Fraud Detection

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today