TrickBot Spreads to the Nordics, Launches Redirection Attacks in France

IBM X-Force Research detected a new wave of TrickBot attacks targeting banks in Nordic countries. The malware expanded its configurations to launch fraud attacks against banks in Sweden, Finland, Norway, Denmark and Iceland, among the other geographies it targets.

Moreover, the malware, which has been testing redirection attacks on one bank in France, now targets 28 brands in the country, focusing on corporate, investment and private banking firms.

TrickBot Takes Aim at New Targets

The TrickBot banking Trojan’s operators have been working hard this year, employing sophisticated redirection attacks against banks across the globe. IBM X-Force data revealed that they also doubled their activity between the first two quarters of 2017, modifying the code to evade detection and launching infection campaigns in different parts of the world.

Including the Nordics and France, TrickBot configurations target banks in 24 countries. The share of targeted entities by country breaks down as follows:

  • U.K. (36 percent);
  • France (10 percent);
  • Sweden (9 percent);
  • Switzerland (6 percent);
  • U.S. (6 percent);
  • Finland (6 percent);
  • Norway (5 percent);
  • Canada (4 percent);
  • Australia (4 percent);
  • Ireland (2 percent);
  • Denmark (1 percent);
  • Singapore (1 percent);
  • Germany (1 percent);
  • Lebanon (1 percent);
  • Luxembourg (1 percent);
  • Austria (1 percent);
  • Belgium (1 percent);
  • Lithuania (1 percent); and
  • Hong Kong, Bulgaria, Spain, Israel, Iceland and Tahiti (under 1 percent)

These numbers reflect the current campaigns and will change over time. Configuration files are moving parts of any banking Trojan and can be modified rather frequently. TrickBot carries dedicated configurations for banks in Australia, Canada, Germany and the U.S., to name a few.


Spreading Out and Changing Tricks

The fact that TrickBot spread into countries with distinctly different languages and banking systems suggests that its operators have the resources to research each target, have been preparing fake websites for the redirection attacks and most likely collaborate with actors based in the various countries the Trojan now targets.

According to X-Force research, massive TrickBot campaigns detected in June 2017 have been leveraging the Necurs botnet, spreading the malware with the same tactics used by Dridex, Locky and Jaff: a malicious PDF file containing an embedded Microsoft Office document. The Office file, once opened, prompts the victim to enable macros.

The rest of the infection chain is quite similar to recent Dridex infection campaigns: The user enables macros, malicious scripts launch PowerShell, and the payload is eventually fetched and deployed on the target endpoint.

TrickBot’s Multilayer Infection Routine

In the recent malware infection spam that comes through the Necurs botnet, X-Force researchers often noted that malware was layered into a number of different files and scripts before it actually infected the target endpoint. TrickBot is no different, and it comes wrapped up in a few layers.

The infection chain starts when a user opens the PDF file. Users see a message on the screen requiring them to open another attachment, which can be a .doc or .xlsm file.

[Figure: PDF lure prompting the user to open the embedded attachment. Source: IBM X-Force Research]

If the user opts to open the second file, he or she is asked to enable macros. The macro contains a script that executes as soon as the user enables them.

[Figure: enable-macros prompt in the embedded Office document. Source: IBM X-Force Research]

In the sample we analyzed, the PDF contained a weaponized Excel file with an embedded malicious macro. Once run, the script reaches out to a remote website and fetches the payload, TrickBot's dropper executable. The executable arrives encoded and is decoded as soon as the download completes.

In the following image, the script is exposed, showing the dropper payload being downloaded.

[Figure: macro script downloading the dropper payload. Source: IBM X-Force Research]

Examining the communication logs, we can also see the script contacting the remote resource to fetch the dropper.

[Figure: communication log of the script fetching the dropper. Source: IBM X-Force Research]
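The first two layers of this chain (a PDF whose only job is to carry an Office document with a macro) can be triaged statically at the mail gateway before anyone opens anything. The Python below is an added example written for this article, not X-Force's tooling, and it does not use the sample analyzed above: it builds a constructed lure PDF (one blank page plus an embedded macro-enabled workbook) and runs a deliberately minimal parser that pulls every /EmbeddedFile stream out of a PDF and classifies it by content rather than by the attacker-chosen file name. The parser handles only the PDF syntax it needs (direct or indirect /Length, FlateDecode); a production tool should sit on a full PDF library.

```python
import io
import re
import zipfile
import zlib

# Magic bytes used to identify what an embedded object really is, regardless of its name.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docm/.xlsm) and plain .zip

# "N 0 obj << ... >> stream" headers whose dictionary does not run into the next object.
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
# /Filespec dictionaries tie a display name to the /EmbeddedFile object holding the bytes.
FILESPEC_RE = re.compile(
    rb"/Type\s*/Filespec.*?/F\s*\((.*?)\).*?/EF\s*<<\s*/F\s+(\d+)\s+0\s+R", re.S)


def embedded_files(pdf: bytes):
    """Yield (name, data) for every /EmbeddedFile stream, inflating FlateDecode streams."""
    names = {int(m.group(2)): m.group(1).decode("latin-1") for m in FILESPEC_RE.finditer(pdf)}
    for m in OBJ_RE.finditer(pdf):
        num, dic = int(m.group(1)), m.group(2)
        if not re.search(rb"/Type\s*/EmbeddedFile", dic):
            continue
        length = re.search(rb"/Length\s+(\d+)\b(?!\s+0\s+R)", dic)   # direct /Length only
        if length:
            data = pdf[m.end():m.end() + int(length.group(1))]
        else:   # indirect /Length reference: fall back to the endstream keyword
            data = pdf[m.end():pdf.index(b"endstream", m.end())].rstrip(b"\r\n")
        if re.search(rb"/Filter\s*/FlateDecode", dic):
            data = zlib.decompress(data)
        yield names.get(num, f"object-{num}"), data


def classify(data: bytes) -> str:
    """Content-based type of an embedded blob; the file name is attacker-controlled and ignored."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                members = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return "zip-corrupt"
        # OOXML keeps VBA in a vbaProject.bin part; its presence is the macro indicator.
        has_vba = any(n.endswith("vbaproject.bin") for n in members)
        return "ooxml-with-vba-macro" if has_vba else "ooxml-or-zip"
    if data.startswith(OLE_MAGIC):
        return "ole2-legacy-office"   # may carry VBA; an OLE stream walk is needed to be sure
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def triage_pdf(pdf: bytes):
    """Return [(name, kind, size)] per embedded file so a gateway can block or detonate it."""
    return [(name, classify(data), len(data)) for name, data in embedded_files(pdf)]


def build_sample_pdf() -> bytes:
    """Constructed lure for this example: one blank page plus an embedded macro-enabled workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"stand-in for a compiled VBA project")
    xlsm = buf.getvalue()
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(invoice.xlsm) 4 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Filespec /F (invoice.xlsm) /EF << /F 5 0 R >> >>",
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(xlsm) + xlsm + b"\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


if __name__ == "__main__":
    for name, kind, size in triage_pdf(build_sample_pdf()):
        print(f"{name}: {kind} ({size} bytes)")
```

Classifying by magic bytes and by the presence of vbaProject.bin, instead of trusting the .xlsm/.doc name in the /Filespec, is the point: the lure in this campaign could just as easily present the embedded workbook under a harmless-looking name.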

Next, TrickBot downloads a module that gathers the target endpoint's system specifics, encodes the data and saves it to a file. The malware then checks a number of machine parameters as part of its anti-analysis protections against sandboxes and test environments. Once those checks clear, it starts an svchost.exe instance and uses it to fetch all of its other modules.

If its requirements are not met, the malware terminates the svchost.exe instance it opened and does not proceed.

[Figure: Source: IBM X-Force Research]

Within the sample that downloaded an Excel file, the infection tree appeared as follows:

[Figure: infection tree of the sample that downloaded an Excel file. Source: IBM X-Force Research]
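The infection tree above is also the shape a detection engineer wants to match on endpoint telemetry: a PDF reader launching Excel, Excel launching PowerShell, PowerShell dropping a binary into a user-writable directory, and that binary spawning svchost.exe. The following Python is an added example, not X-Force's detection content; the process-creation events are constructed for this example in the shape a SIEM keeps them (Sysmon Event ID 1 or EDR telemetry), with assumed paths and PIDs, and the three rules walk process lineage rather than matching single events.

```python
import ntpath

# Process-creation events as a SIEM holds them. Constructed for this example to mirror the
# chain in the article (reader -> Excel -> PowerShell -> dropper -> svchost); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 300, "ppid": 4, "image": r"C:\Windows\System32\wininit.exe", "cmdline": "wininit.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 1000, "ppid": 300, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe", "cmdline": "AcroRd32.exe invoice.pdf"},
    {"pid": 1200, "ppid": 1100, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE", "cmdline": "EXCEL.EXE invoice.xlsm"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -e ..."},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Users\bob\AppData\Local\Temp\inv0614.exe", "cmdline": "inv0614.exe"},
    {"pid": 1500, "ppid": 1400, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Directories an unprivileged user (and therefore a macro) can write to; extend for your estate.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(by_pid, pid):
    """Image names of the parent, grandparent, ... of pid; stops on a missing parent or a pid loop."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(basename(cur["image"]))
    return chain


def detect(events):
    """Run three lineage rules over a batch of process-creation events; returns a list of alerts."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = basename(e["image"])
        parents = ancestry(by_pid, e["pid"])
        parent = parents[0] if parents else None
        # Rule 1: a script host anywhere beneath an Office app (Excel -> powershell, or via cmd.exe).
        if img in SCRIPT_HOSTS and any(p in OFFICE_APPS for p in parents):
            alerts.append({"rule": "office-spawned-script-host", "pid": e["pid"], "chain": parents})
        # Rule 2: a binary running from a user-writable directory, started by a script host (the dropper).
        if any(marker in e["image"].lower() for marker in USER_WRITABLE) and parent in SCRIPT_HOSTS:
            alerts.append({"rule": "dropper-from-script-host", "pid": e["pid"], "chain": parents})
        # Rule 3: svchost.exe is normally started by services.exe; any other parent means the image
        # is being used as a host for someone else's code. Baseline this before alerting on it.
        if img == "svchost.exe" and parent != "services.exe":
            alerts.append({"rule": "svchost-unexpected-parent", "pid": e["pid"], "chain": parents})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["pid"], " <- ".join(alert["chain"]))
```

Rule 1 is the high-signal one for this campaign; Rule 3 is what separates TrickBot's svchost.exe (parent: the dropper) from the dozens of legitimate instances on a host (parent: services.exe), and it is the rule that keeps firing after the initial chain has been cleaned up, because the modules are fetched from that instance.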

As for scale, X-Force research teams monitoring billions of spam emails a day found that over 3 million fraudulent messages containing TrickBot payloads were delivered to users between June 12, 2017 and June 14, 2017. The emails carried PDF files or, most recently, Windows Script Files (WSF), which Windows Script Host executes and which can mix several scripting languages (such as VBScript and JScript) in one file. Malware operators may change the file types they use to evade security tools that filter or flag specific file extensions in email messages.
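The switch from PDF to WSF attachments is aimed at exactly the kind of gateway filter that keys on the attachment's extension. The Python below is an added example, not a product or X-Force tool: it parses a constructed malspam-style message (sender, recipient and attachment names are made up for this example) with the standard library's email module and applies an attachment policy that looks at the whole extension chain, strips the trailing-dot trick, and descends into zip attachments, so that a .wsf or a "report.pdf.js" is caught whether it arrives bare or inside an archive.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Script and executable types that have no business arriving by mail; tune to your environment.
BLOCKED = {"wsf", "js", "jse", "vbs", "vbe", "hta", "exe", "scr", "ps1", "bat", "cmd", "lnk", "jar"}
MACRO_CAPABLE = {"doc", "xls", "ppt", "rtf", "docm", "xlsm", "pptm", "dotm", "xltm"}
ARCHIVES = {"zip"}


def ext_chain(name: str):
    """All extensions of a file name, lower-cased, with trailing dots/spaces stripped:
    'report.pdf.js' -> ['pdf', 'js'], 'scan.wsf.' -> ['wsf']."""
    base = name.rsplit("/", 1)[-1].strip().rstrip(". ").lower()
    return base.split(".")[1:]


def verdicts_for(name: str, data: bytes, depth: int = 0):
    """Policy findings for one attachment (or archive member), as (finding, name) pairs."""
    exts = ext_chain(name)
    last = exts[-1] if exts else ""
    found = []
    if last in BLOCKED:
        found.append(("blocked-extension", name))
    if len(exts) > 1:                      # "invoice.pdf.js" is shown to the user as "invoice.pdf"
        found.append(("double-extension", name))
    if last in MACRO_CAPABLE:
        found.append(("macro-capable-document", name))
    if last in ARCHIVES and data.startswith(b"PK") and depth < 2:   # look inside, but not forever
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for member in z.namelist():
                found += verdicts_for(f"{name}/{member}", z.read(member), depth + 1)
    return found


def triage_eml(raw: bytes):
    """Map each attachment name in a raw RFC 5322 message to its policy findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        results[name] = verdicts_for(name, part.get_payload(decode=True) or b"")
    return results


def build_sample_eml() -> bytes:
    """Constructed message for this example: a harmless PDF, a bare .wsf, and a zip hiding a .js."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Invoice 0614"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(b"<job id='a'><script language='JScript'>/* stand-in */</script></job>",
                       maintype="application", subtype="octet-stream", filename="scan_0614.wsf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.pdf.js", "// stand-in for a downloader script")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage_eml(build_sample_eml()).items():
        print(name, findings or "clean")
```

An extension policy is a floor, not a ceiling: it stops the cheap extension swap this campaign used, but a PDF or macro document passes it, which is why it belongs in front of content inspection of the attachment itself rather than in place of it.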

About TrickBot

TrickBot emerged in August 2016 and entered a testing and development period in what appears to be a banking Trojan project. The malware is a modular Trojan that bears a striking resemblance to the Dyre Trojan, both in its internal makeup and in the infection methods it uses to reach new endpoints.

The malware focuses on business accounts, especially various corporate banking services and investment banking. Its targets are employee emails and endpoints rather than indiscriminate spam spread to free webmail services.

As predicted in 2016, the TrickBot Trojan is increasing its activity levels and has already joined the ranks of the top 10 most active malware families in 2017. According to X-Force data on banking Trojan activity, TrickBot now ranks seventh in the financial malware arena, accounting for about 4 percent of attacks. We expect to see the malware rise further this year due to its geographical expansion and increased activity in the second quarter of 2017.

[Figure: The most prevalent financial malware families (Source: IBM X-Force, June 2017)]

Sample IoCs

Indicators of compromise (IoCs) and information on TrickBot are updated in the TrickBot Ongoing Collection on the X-Force Exchange.

Malware Dropper MD5

  • a818f60fdb320d0e329481fd40b9cab7

Sample MD5s

  • 614ce512084d4c750fee535eeb0cb667
  • 66f03a4a6121472784a18ff1016fea21
  • f6f91bc05e9813ea9b5b7441ce1631e6


Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke in RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.