The TrickBot Trojan has been a rising global threat in the cybercrime arena ever since its emergence in late 2016. The organized cybergang that operates TrickBot has been widening its scope of activity to dozens of countries across the globe. It has been targeting financial entities, such as banks and credit providers, and focusing on business and private banking as it aims for hefty fraudulent transfer bounties.
But this is not where TrickBot’s diverse interests stop. As the value and popularity of cryptocurrency continues to rapidly rise, so does this cybergang’s interest in obtaining cryptocoins in the easiest way possible: theft. TrickBot configurations have featured popular cryptocurrency exchange URLs since about mid-2017, and we at IBM X-Force have been looking at the malware’s most recent attack schemes to steal coins from infected users.
There are several types of cryptocurrency platforms, each offering a variety of services, such as trading one coin for another, transferring coins between different wallets and buying coins with a credit card. According to our analysis, TrickBot is actively targeting one such service that enables users to purchase bitcoin and bitcoin cash by credit card.
The attacks we have looked into are facilitated by TrickBot’s webinjections, getting in the middle of the flow of a legitimate payment card transaction. In the normal payment scenario, a user looking to buy coins provides his or her public bitcoin wallet address and specifies the amount of bitcoin to purchase. When submitting this initial form, the user is redirected from the bitcoin exchange platform to a payment gateway on another domain, which is operated by a payment service provider. There, the user fills in his or her personal information, as well as credit card and billing details, and confirms the purchase of coins.
This is where TrickBot hijacks the coins. This particular attack targets both the bitcoin exchange website and that of the payment service to grab the coins and route them to an attacker-controlled wallet.
The inner workings of TrickBot’s cryptocoin attack rely on an existing TrickBot attack tactic: webinjections. This age-old favorite tool of many banking Trojans is a form of man-in-the-browser attack that enables malware to modify webpages presented to the user. Malware authors achieve this by placing hooks on key application programming interface (API) functions inside the browser. These hooks intercept information going from and back to the browser and alter it midway.
Unlike most financial malware, TrickBot does not expose the injected code in the configuration itself. Instead, a web URL of a remote command-and-control (C&C) server corresponds with every targeted URL. This modus operandi is called serverside webinjection and has been used by TrickBot since its launch in 2016. Serverside webinjections allow TrickBot to modify the injected code on its server in real time without having to update the configuration on the infected machine.
The Target: Bitcoin
To see the attack rules TrickBot has in store for any targeted site, we must first access the configuration. TrickBot keeps its configuration encrypted on the infected machine. To read it and unveil the list of targeted entities, one can either decrypt the configuration file or inspect it in the browser’s memory after the malware has already decrypted it.
The relevant part of TrickBot’s configuration for this attack shows that the scheme involves two webpages that, together, make up the coin purchase process. The first is a page where the user provides his or her bitcoin wallet address and the desired amount of bitcoin to purchase. The second is a page where the payment process is executed.
In the image below, we can see the exact set of rules in TrickBot’s configuration, each one matching a targeted page with a URL on TrickBot’s server. This way, TrickBot fetches the appropriate webinjection to alter the legitimate transaction and do its bidding instead.
Figure 1: Attack rules in TrickBot’s configuration (source: X-Force Research)
To enable it to control the infected machine’s web browser, TrickBot’s modules are injected into the browser ahead of time and already have hooks in place to launch webinjections.
Figure 2: TrickBot dynamic link libraries (DLLs) loaded into the browser
Figure 3: PR_Read and PR_Write functions with TrickBot’s hooks in place
To view what was happening during the web session, we sniffed HTTP network traffic on the infected machine when opening the targeted URL. This revealed the attack flow of the malware’s dynamic injection method, which TrickBot refers to as “dinj.”
- “sourcelink,” the complete URL of the resource to be replaced;
- “sourcequery,” the browser’s HTTP request for the resource (including all headers); and
- “sourcehtml,” the original code as would be returned by the legitimate host.
Injection No. 1: Gathering Victim Data
One of the resources TrickBot replaced is the HTML code of the bitcoin website. The code is being switched up to gather data on the victim’s cryptocoin wallet and the number of coins to be purchased.
Using Wireshark, we can see that the page is sent to TrickBot’s C&C and that a the attack server returned a modified version.
Figure 4: HTTP Packets capture from the targeted site sent to C&C
Figure 5: The injection request for the HTML page of the targeted site
To point out the injected script, we performed a simple diff between the original page source and the one returned by TrickBot’s C&C.
Figure 6: Diff between original HTML page and one returned by TrickBot
Flow of Events
The script first fetches an HTML element with ID “btcAddress.” This element is an input field in which the user fills in his or her wallet address. If this element is found on the page, the malware performs the following actions to alter the interaction with the targeted webpage:
- Any existing logic attached to the enter key (key code 13) is eliminated, probably to limit the form submission via keyboard and make sure the victim has to click a TrickBot-generated submit button.
- The original submit button is cloned, the new copy is placed in the HTML document object model (DOM) and the original button is hidden from the victim.
- A fraudulent form-submission process is registered to the new submit button with an event listener. Upon clicking, the wallet address and the desired amount of bitcoin entered by the user are fetched and sent to the malware server using an AJAX request.
Figure 7: Part of the injected code TrickBot used to hijack cryptocoin purchase transactions (code comments added by X-Force research)
The injection into the HTML page is used only to collect information. The attacker can use this information — the legitimate user’s bitcoin wallet address and the bitcoin amount to purchase — to decide whether to proceed with a fraudulent operation.
Later on, after being redirected to the payment process, TrickBot will gather more information. This is probably done to allow a future account takeover attack, which will enable the fraudsters to perform a purchase/coin transfer from a machine they control using the legitimate user’s wallet credentials and payment card details.
Injection No. 2: Stealing the Coins
The second phase of the TrickBot attack facilitates the theft of the cryptocoins by preying on the web logic defined by the payment provider for legitimate online transactions.
The actual bitcoin theft is once again facilitated by a webinjection that modifies another resource of the site, “bundle.js,” which contains most of the payment processing logic.
Figure 8: bundle.js is loaded by the original HTML page
Figure 9: The dynamic injection request to bundle.js
By checking the diff between the original version of bundle.js and the modified one, we noticed that the function sendPaymentRequest had been changed. This function is responsible for sending payment requests to the payment service provider, and it has been modified to contain a hardcoded bitcoin address instead of the one inserted by the user.
Figure 10: sendPaymentRequest before and after modification by TrickBot
The “walletaddress” attribute is the address of the bitcoin wallet to which the purchased coins will be delivered after the deal is complete. This injection ensures that the bitcoin will not be delivered to the original address provided by the victim, but to an address belonging to TrickBot’s operators.
From this point on, the victim is led through several steps of identification in which he or she provides a phone number, an email address, a selfie photo with the credit card he or she wants to use, and a photo of his or her national ID card.
However, these steps only serve to verify the personal identity and not the ownership of the wallet address. By now, the wallet address has already been set and will not be shown to the victim again. Thus, the victim’s credit card will be charged and he or she will believe the deal was successful, expecting to see the new coins in his or her wallet. The bitcoin will never reach the designated wallet, however, but will instead be delivered to a wallet belonging to one of TrickBot’s operators.
More to Come?
Having researched the attack tactics TrickBot applied to this cryptocurrency coin theft, we can see that, while it relies on existing mechanisms, the scheme required extensive research of the targeted sites, their web logic and the security controls they use. It highlights what we already know about this malware gang: It continues to study new targets and expand its reach.
As the theft of cryptocurrency becomes increasingly popular among financial malware operators, we expect to see a many more campaigns targeting platforms and service providers in the cryptocurrency sector.
To mitigate the risk of financial malware, organizations can leverage the adaptive controls provided by IBM Trusteer’s Pinpoint Detect.
Indicators of Compromise
In this study, we used a TrickBot sample with MD5 039bc78ca0801006cc33485bc94f415c.