IBM X-Force Research detected a new wave of TrickBot attacks targeting banks in Nordic countries. The malware expanded its configurations to launch fraud attacks against banks in Sweden, Finland, Norway, Denmark and Iceland, among the other geographies it targets.

Moreover, the malware, which has been testing redirection attacks on one bank in France, now targets 28 brands in the country, focusing on corporate, investment and private banking firms.

TrickBot Takes Aim at New Targets

The TrickBot banking Trojan’s operators have been working hard this year, employing sophisticated redirection attacks against banks across the globe. IBM X-Force data revealed that they also doubled their activity between the first two quarters of 2017, modifying the code to evade detection and launching infection campaigns in different parts of the world.

Aside from the Nordics and France, TrickBot configurations target banks in 24 countries, including:

  • U.K. (36 percent);
  • France (10 percent);
  • Sweden (9 percent);
  • Switzerland (6 percent);
  • U.S. (6 percent);
  • Finland (6 percent);
  • Norway (5 percent);
  • Canada (4 percent);
  • Australia (4 percent);
  • Ireland (2 percent);
  • Denmark (1 percent);
  • Singapore (1 percent);
  • Germany (1 percent);
  • Lebanon (1 percent);
  • Luxembourg (1 percent);
  • Austria (1 percent);
  • Belgium (1 percent);
  • Lithuania (1 percent); and
  • Hong Kong, Bulgaria, Spain, Israel, Iceland and Tahiti (under 1 percent)

Keep in mind, these numbers are for the current campaigns and will change over time. Configuration files are moving parts of any banking Trojan and can be modified rather frequently. TrickBot possesses a dedicated configuration to target banks in Australia, Canada, Germany and the U.S., to name a few.

Read the white paper: Cognitive fraud detection fuels adaptable intelligence

Spreading Out and Changing Tricks

The fact that TrickBot spread into countries with distinctly different languages and banking systems suggests that its operators have the resources to research each target, have been preparing fake websites for the redirection attacks and most likely collaborate with actors based in the various countries the Trojan now targets.

According to X-Force research, massive TrickBot campaigns detected in June 2017 have been leveraging the Necurs botnet, spreading the malware with the same tactics used by Dridex, Locky and Jaff: a poisoned PDF file containing an embedded Microsoft Office productivity file. The Office file, once opened, prompts the victim to enable macros.

The rest of the infection chain is quite similar to recent Dridex infection campaigns: The user enables macros, malicious scripts launch PowerShell, and the payload is eventually fetched and deployed on the target endpoint.

TrickBot’s Multilayer Infection Routine

In the recent malware infection spam that comes through the Necurs botnet, X-Force researchers often noted that malware was layered into a number of different files and scripts before it actually infected the target endpoint. TrickBot is no different, and it comes wrapped up in a few layers.

The infection chain starts when a user opens the PDF file. Users see a message on the screen requiring them to open another attachment, which can be a .doc or .xlsm file.

Source: IBM X-Force Research

If the user opts to open the second file, he or she is asked to enable macros. The macro contains a VBS script that launches as soon as the user enables the action.


Source: IBM X-Force Research

In the sample we analyzed, the PDF contained a weaponized Excel file with an embedded malicious macro. Once run, the script reaches out to a remote website and fetches the payload, which is a TrickBot’s dropper executable. The executable file arrives encoded and is decoded as soon as the download completes.

In the following image, the script is exposed, showing the dropper payload being downloaded.

Source: IBM X-Force Research

Examining the communication logs, we can also see the script contacting the remote resource to fetch the dropper.


Source: IBM X-Force Research

Next, TrickBot downloads a module designed to check the target endpoint’s system specifics, encodes the data and saves that information to a file. The malware then checks for some machine parameters as part of its anti-testing environment protections and, once cleared, opens a malicious svchost.exe instance to fetch all other malware modules.

If its requirements are not met, the malware crashes the svchost.exe instance it opened and does not proceed.


Source: IBM X-Force Research

Within the sample that downloaded an Excel file, the infection tree appeared as follows:


Source: IBM X-Force Research

In terms of their magnitude, X-Force research teams monitoring billions of spam emails a day found that over 3 million fraudulent messages containing TrickBot payloads were delivered to users between June 12, 2017 and June 14, 2017. The emails contained PDF files or, most recently, Windows Script Files (WSF), which allows Microsoft Windows Script Host users to work with a mix of scripting languages installed on their endpoints. Malware operators may change the types of file extensions they use to evade security tools that filter or flag specific file types in email messages.

About TrickBot

TrickBot emerged in August 2016 and launched into a testing and development period in what appears to be a banking Trojan project. This malware is a modular Trojan that appears to have some striking resemblance to the Dyre Trojan, both in its internal makeup and the infection methods it uses to reach new endpoints.

The malware focuses on business accounts, especially various corporate banking services and investment banking. Its targets are employee emails and endpoints rather than indiscriminate spam spread to free webmail services.

As predicted in 2016, the TrickBot Trojan is increasing its activity levels and has already joined the ranks of the top 10 most active malware families in 2017. According to X-Force data on banking Trojan activity, TrickBot now ranks seventh in the financial malware arena, accounting for about 4 percent of attacks. We expect to see the malware rise further this year due to its geographical expansion and increased activity in the second quarter of 2017.

The m ost prevalent financial malware families (Source: IBM X-Force, June 2017)

Sample IoCs

Indicators of compromise (IoCs) and information on TrickBot are updated in the TrickBot Ongoing Collection on the X-Force Exchange.

Malware Dropper MD5

  • a818f60fdb320d0e329481fd40b9cab7

Sample MD5s

  • 614ce512084d4c750fee535eeb0cb667
  • 66f03a4a6121472784a18ff1016fea21
  • f6f91bc05e9813ea9b5b7441ce1631e6

Read the white paper: Cognitive fraud detection fuels adaptable intelligence

More from Malware

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today