TrickBot Spreads to the Nordics, Launches Redirection Attacks in France

June 20, 2017
|
co-authored by Matan Meir
|
5 min read

IBM X-Force Research detected a new wave of TrickBot attacks targeting banks in Nordic countries. The malware expanded its configurations to launch fraud attacks against banks in Sweden, Finland, Norway, Denmark and Iceland, among the other geographies it targets.

Moreover, the malware, which has been testing redirection attacks on one bank in France, now targets 28 brands in the country, focusing on corporate, investment and private banking firms.

TrickBot Takes Aim at New Targets

The TrickBot banking Trojan’s operators have been working hard this year, employing sophisticated redirection attacks against banks across the globe. IBM X-Force data revealed that they also doubled their activity between the first two quarters of 2017, modifying the code to evade detection and launching infection campaigns in different parts of the world.

Aside from the Nordics and France, TrickBot configurations target banks in 24 countries, including:

  • U.K. (36 percent);
  • France (10 percent);
  • Sweden (9 percent);
  • Switzerland (6 percent);
  • U.S. (6 percent);
  • Finland (6 percent);
  • Norway (5 percent);
  • Canada (4 percent);
  • Australia (4 percent);
  • Ireland (2 percent);
  • Denmark (1 percent);
  • Singapore (1 percent);
  • Germany (1 percent);
  • Lebanon (1 percent);
  • Luxembourg (1 percent);
  • Austria (1 percent);
  • Belgium (1 percent);
  • Lithuania (1 percent); and
  • Hong Kong, Bulgaria, Spain, Israel, Iceland and Tahiti (under 1 percent)

Keep in mind, these numbers are for the current campaigns and will change over time. Configuration files are moving parts of any banking Trojan and can be modified rather frequently. TrickBot possesses a dedicated configuration to target banks in Australia, Canada, Germany and the U.S., to name a few.

Read the white paper: Cognitive fraud detection fuels adaptable intelligence

Spreading Out and Changing Tricks

The fact that TrickBot spread into countries with distinctly different languages and banking systems suggests that its operators have the resources to research each target, have been preparing fake websites for the redirection attacks and most likely collaborate with actors based in the various countries the Trojan now targets.

According to X-Force research, massive TrickBot campaigns detected in June 2017 have been leveraging the Necurs botnet, spreading the malware with the same tactics used by Dridex, Locky and Jaff: a poisoned PDF file containing an embedded Microsoft Office productivity file. The Office file, once opened, prompts the victim to enable macros.

The rest of the infection chain is quite similar to recent Dridex infection campaigns: The user enables macros, malicious scripts launch PowerShell, and the payload is eventually fetched and deployed on the target endpoint.

TrickBot’s Multilayer Infection Routine

In the recent malware infection spam that comes through the Necurs botnet, X-Force researchers often noted that malware was layered into a number of different files and scripts before it actually infected the target endpoint. TrickBot is no different, and it comes wrapped up in a few layers.

The infection chain starts when a user opens the PDF file. Users see a message on the screen requiring them to open another attachment, which can be a .doc or .xlsm file.

Source: IBM X-Force Research

If the user opts to open the second file, he or she is asked to enable macros. The macro contains a VBS script that launches as soon as the user enables the action.


Source: IBM X-Force Research

In the sample we analyzed, the PDF contained a weaponized Excel file with an embedded malicious macro. Once run, the script reaches out to a remote website and fetches the payload, which is a TrickBot’s dropper executable. The executable file arrives encoded and is decoded as soon as the download completes.

In the following image, the script is exposed, showing the dropper payload being downloaded.

Source: IBM X-Force Research

Examining the communication logs, we can also see the script contacting the remote resource to fetch the dropper.


Source: IBM X-Force Research

Next, TrickBot downloads a module designed to check the target endpoint’s system specifics, encodes the data and saves that information to a file. The malware then checks for some machine parameters as part of its anti-testing environment protections and, once cleared, opens a malicious svchost.exe instance to fetch all other malware modules.

If its requirements are not met, the malware crashes the svchost.exe instance it opened and does not proceed.


Source: IBM X-Force Research

Within the sample that downloaded an Excel file, the infection tree appeared as follows:


Source: IBM X-Force Research

In terms of their magnitude, X-Force research teams monitoring billions of spam emails a day found that over 3 million fraudulent messages containing TrickBot payloads were delivered to users between June 12, 2017 and June 14, 2017. The emails contained PDF files or, most recently, Windows Script Files (WSF), which allows Microsoft Windows Script Host users to work with a mix of scripting languages installed on their endpoints. Malware operators may change the types of file extensions they use to evade security tools that filter or flag specific file types in email messages.

About TrickBot

TrickBot emerged in August 2016 and launched into a testing and development period in what appears to be a banking Trojan project. This malware is a modular Trojan that appears to have some striking resemblance to the Dyre Trojan, both in its internal makeup and the infection methods it uses to reach new endpoints.

The malware focuses on business accounts, especially various corporate banking services and investment banking. Its targets are employee emails and endpoints rather than indiscriminate spam spread to free webmail services.

As predicted in 2016, the TrickBot Trojan is increasing its activity levels and has already joined the ranks of the top 10 most active malware families in 2017. According to X-Force data on banking Trojan activity, TrickBot now ranks seventh in the financial malware arena, accounting for about 4 percent of attacks. We expect to see the malware rise further this year due to its geographical expansion and increased activity in the second quarter of 2017.

The m ost prevalent financial malware families (Source: IBM X-Force, June 2017)

Sample IoCs

Indicators of compromise (IoCs) and information on TrickBot are updated in the TrickBot Ongoing Collection on the X-Force Exchange.

Malware Dropper MD5

  • a818f60fdb320d0e329481fd40b9cab7

Sample MD5s

  • 614ce512084d4c750fee535eeb0cb667
  • 66f03a4a6121472784a18ff1016fea21
  • f6f91bc05e9813ea9b5b7441ce1631e6

Read the white paper: Cognitive fraud detection fuels adaptable intelligence

Limor Kessem
Executive Security Advisor, IBM

Limor Kessem, CISO, CISM, is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a prolific a...
read more