Light Dark
April 27, 2017 By Limor Kessem 4 min read
Malware
Banking & Finance
Fraud Protection
Threat Intelligence

IBM X-Force research follows organized cybercrime and continually monitors the criminals’ targets and modus operandi. In a recent analysis of TrickBot campaigns in the U.K., Australia and Germany, I found that the operators of the infamous Trojan have been adding new redirection attacks focused on a list of brands that I had never seen in the past.

Curious about this addition to the TrickBot prime target roster, I went on to examine each URL, only to find out that the operators have been doing a lot of homework. The current configuration files are replete with private banks, private wealth management firms, investment banking, and even a retirement insurance and annuity company. One of the new targets is among the oldest banks in the world, located in the U.K.


Figure 1: TrickBot Target URLs by Geographical Location of Targeted Brand (Source: IBM Security)

A Sharpened Focus on Business Banking

TrickBot is sharpening its focus on business banking, too, adding some rare finds to its more usual hit list. A Sharia law-compliant bank, for example, is among the new brands targeted, which is interesting because banking activity consistent with the principles of Sharia law prohibits certain exchanges such as interest fees and investment in business types unacceptable in Islam. I have not seen this bank listed as a mark in the past eight years of analyzing malware targets.

Looking at the configuration, in the U.K., TrickBot has added 20 new private banking brands to its regular attack roster, as well as eight building societies. Also added were two Swiss banks, a few regular expressions for private banking platforms in Germany and four investment banking firms in the U.S. The complete set of targets includes over 300 unique URLs and regular expressions.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

TrickBot Ramping Up Campaigns

In recent weeks, IBM X-Force has been detecting ramped-up TrickBot activity in Australia, New Zealand and the U.K., the operators’ primary target geographies at this time.

The malware has grown from one to three major campaigns per month to five campaigns already in April. It is possible that TrickBot’s operators are increasing their spam runs in the target geographies and attempting to infect more endpoints before going into an attack phase next.


Figure 2: TrickBot Campaigns Ramp Up in April (Source: IBM Security)

In terms of its attack types, TrickBot is quite similar to Dyre. Its signature moves are browser manipulation techniques that enable the malware to implement serverside webinjections and redirection attacks. More details about those techniques appear in our technical blog on TrickBot.

A Rising Threat in 2017

In my December 2016 TrickBot blog, I noted that this malware was one to watch in 2017, and this cybergang is certainly living up to that prediction. The expanded target list, as well as the focus on new brands and high-value account types, means that this nefarious group is setting its sail and likely plans to deploy its crimeware in new territory.

The TrickBot malware emerged in the summer of 2016 and featured some striking resemblances to the Dyre Trojan right off the bat. Within no more than a month of attack activity, TrickBot was fully equipped with redirection attacks that hit banks in three distinct geographical and linguistic zones: the U.K., Germany and Canada. It then moved on to attacking banks in Asia, Australia and New Zealand, the latter two of which were prominent Dyre targets.

As the year progresses, I expect to see TrickBot climb up the global chart of financial malware families, reaching a similar magnitude as the Dridex Trojan and possibly outnumbering Dridex attacks by year’s end.


Figure 3: Top Most Prevalent Financial Malware Families (Source: IBM Security)

Please note that prior to publishing this blog, IBM X-Force notified the concerned parties and provided them with indicators of compromise (IoCs), and information about TrickBot and its attack methods.

TrickBot Collection is available publicly on X-Force Exchange. We studied the following current TrickBot samples for this blog:

  • 044F4F4491F3395F3046F60CAEF820C7
  • 070BABE9EF7820172ABC450B748EC277
  • 08BA011DF60438CCB9462E819E7EC722

Mitigating TrickBot Attacks

Banks looking for technological solutions to mitigate threats such as malware attacks and redirection schemes are invited to learn more about the IBM Security Trusteer Fraud Protection Suite. To learn more about mitigating threats such as the TrickBot Trojan, users can visit our post for tips and advice to apply in everyday browsing.

Read the white paper: Shifting the balance of power with cognitive fraud prevention

 |  |  |  |  |  |  | 
Limor Kessem
Principal Consultant, X-Force Cyber Crisis Management, IBM

More from Malware
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

June 6, 2023

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature