Light Dark
June 20, 2017 By Limor Kessem
Matan Meir
5 min read
Malware
Banking & Finance
Fraud Protection
Threat Intelligence

IBM X-Force Research detected a new wave of TrickBot attacks targeting banks in Nordic countries. The malware expanded its configurations to launch fraud attacks against banks in Sweden, Finland, Norway, Denmark and Iceland, among the other geographies it targets.

Moreover, the malware, which has been testing redirection attacks on one bank in France, now targets 28 brands in the country, focusing on corporate, investment and private banking firms.

TrickBot Takes Aim at New Targets

The TrickBot banking Trojan’s operators have been working hard this year, employing sophisticated redirection attacks against banks across the globe. IBM X-Force data revealed that they also doubled their activity between the first two quarters of 2017, modifying the code to evade detection and launching infection campaigns in different parts of the world.

Aside from the Nordics and France, TrickBot configurations target banks in 24 countries, including:

  • U.K. (36 percent);
  • France (10 percent);
  • Sweden (9 percent);
  • Switzerland (6 percent);
  • U.S. (6 percent);
  • Finland (6 percent);
  • Norway (5 percent);
  • Canada (4 percent);
  • Australia (4 percent);
  • Ireland (2 percent);
  • Denmark (1 percent);
  • Singapore (1 percent);
  • Germany (1 percent);
  • Lebanon (1 percent);
  • Luxembourg (1 percent);
  • Austria (1 percent);
  • Belgium (1 percent);
  • Lithuania (1 percent); and
  • Hong Kong, Bulgaria, Spain, Israel, Iceland and Tahiti (under 1 percent)

Keep in mind, these numbers are for the current campaigns and will change over time. Configuration files are moving parts of any banking Trojan and can be modified rather frequently. TrickBot possesses a dedicated configuration to target banks in Australia, Canada, Germany and the U.S., to name a few.

Read the white paper: Cognitive fraud detection fuels adaptable intelligence

Spreading Out and Changing Tricks

The fact that TrickBot spread into countries with distinctly different languages and banking systems suggests that its operators have the resources to research each target, have been preparing fake websites for the redirection attacks and most likely collaborate with actors based in the various countries the Trojan now targets.

According to X-Force research, massive TrickBot campaigns detected in June 2017 have been leveraging the Necurs botnet, spreading the malware with the same tactics used by Dridex, Locky and Jaff: a poisoned PDF file containing an embedded Microsoft Office productivity file. The Office file, once opened, prompts the victim to enable macros.

The rest of the infection chain is quite similar to recent Dridex infection campaigns: The user enables macros, malicious scripts launch PowerShell, and the payload is eventually fetched and deployed on the target endpoint.

TrickBot’s Multilayer Infection Routine

In the recent malware infection spam that comes through the Necurs botnet, X-Force researchers often noted that malware was layered into a number of different files and scripts before it actually infected the target endpoint. TrickBot is no different, and it comes wrapped up in a few layers.

The infection chain starts when a user opens the PDF file. Users see a message on the screen requiring them to open another attachment, which can be a .doc or .xlsm file.

Source: IBM X-Force Research

If the user opts to open the second file, he or she is asked to enable macros. The macro contains a VBS script that launches as soon as the user enables the action.


Source: IBM X-Force Research

In the sample we analyzed, the PDF contained a weaponized Excel file with an embedded malicious macro. Once run, the script reaches out to a remote website and fetches the payload, which is a TrickBot’s dropper executable. The executable file arrives encoded and is decoded as soon as the download completes.

In the following image, the script is exposed, showing the dropper payload being downloaded.

Source: IBM X-Force Research

Examining the communication logs, we can also see the script contacting the remote resource to fetch the dropper.


Source: IBM X-Force Research

Next, TrickBot downloads a module designed to check the target endpoint’s system specifics, encodes the data and saves that information to a file. The malware then checks for some machine parameters as part of its anti-testing environment protections and, once cleared, opens a malicious svchost.exe instance to fetch all other malware modules.

If its requirements are not met, the malware crashes the svchost.exe instance it opened and does not proceed.


Source: IBM X-Force Research

Within the sample that downloaded an Excel file, the infection tree appeared as follows:


Source: IBM X-Force Research

In terms of their magnitude, X-Force research teams monitoring billions of spam emails a day found that over 3 million fraudulent messages containing TrickBot payloads were delivered to users between June 12, 2017 and June 14, 2017. The emails contained PDF files or, most recently, Windows Script Files (WSF), which allows Microsoft Windows Script Host users to work with a mix of scripting languages installed on their endpoints. Malware operators may change the types of file extensions they use to evade security tools that filter or flag specific file types in email messages.

About TrickBot

TrickBot emerged in August 2016 and launched into a testing and development period in what appears to be a banking Trojan project. This malware is a modular Trojan that appears to have some striking resemblance to the Dyre Trojan, both in its internal makeup and the infection methods it uses to reach new endpoints.

The malware focuses on business accounts, especially various corporate banking services and investment banking. Its targets are employee emails and endpoints rather than indiscriminate spam spread to free webmail services.

As predicted in 2016, the TrickBot Trojan is increasing its activity levels and has already joined the ranks of the top 10 most active malware families in 2017. According to X-Force data on banking Trojan activity, TrickBot now ranks seventh in the financial malware arena, accounting for about 4 percent of attacks. We expect to see the malware rise further this year due to its geographical expansion and increased activity in the second quarter of 2017.

The m ost prevalent financial malware families (Source: IBM X-Force, June 2017)

Sample IoCs

Indicators of compromise (IoCs) and information on TrickBot are updated in the TrickBot Ongoing Collection on the X-Force Exchange.

Malware Dropper MD5

  • a818f60fdb320d0e329481fd40b9cab7

Sample MD5s

  • 614ce512084d4c750fee535eeb0cb667
  • 66f03a4a6121472784a18ff1016fea21
  • f6f91bc05e9813ea9b5b7441ce1631e6

Read the white paper: Cognitive fraud detection fuels adaptable intelligence

 |  |  |  |  | 
Limor Kessem
Principal Consultant, X-Force Cyber Crisis Management, IBM
Matan Meir
Threat Researcher, IBM Trusteer

More from Malware
November 12, 2024

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

October 16, 2024

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

March 11, 2024

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature