The Trickbot Trojan has resurfaced, this time targeting banks and financial institutions. In a new spam campaign, fueled by the Necurs botnet, the malware is now expanding its webinject capabilities and using customized redirection measures to trick users.
IBM X-Force and Flashpoint have actively researched the Trojan and published their findings. It seems that the campaign has been active for a few months now, with the latest attack observed recently. While Flashpoint focused on its effect on the U.S., IBM studied the redirection attacks used to steal login details, personally identifiable information and financial authentication codes.
Flashpoint, a Business Risk Intelligence service, reported in its blog post that the new campaign, “mac1”, uses man-in-the-browser attacks and has struck in at least three major waves of spam.
When a user opens these malicious attachments, Trickbot commences the infection process, downloading its main payload, copying itself for persistence and retrieving additional modules as needed. When the user opens a browser to visit a banking site, the malware uses its webinject capabilities to insert a fake login page where victims unknowingly feed their banking information to the cybercriminals running the campaign.
According to Flashpoint,
Although this wave utilized malicious WSF scripts as the initial vector of infection, subsequent campaigns have evolved and appear to instead utilize malicious macro-laden documents as their attachments.
Once the system is infected, the malware creates a process using the “CREATE_SUSPENDED” flag before injecting its module and terminating the initial thread used to launch the Trojan. The infection progresses by creating a folder in “%APPDATA%” into which it copies itself, dropping an authroot certificate file in “%TEMP%”, and registering “update[.]job” in the Windows Tasks folder for persistence. It then stores an encoded configuration module in the “resource” section of its binary and retrieves additional modules as and when required.
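A defender-side check for the persistence artifacts described above, written as an added example that is not code from Flashpoint or IBM: it scores constructed file-creation telemetry for the co-occurrence of the %APPDATA% self-copy, the authroot file in %TEMP% and the update.job task, since any one of these alone is weak evidence. The record layout, file names and rule names are assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified endpoint telemetry (not real Sysmon/EDR output).
# Each record: (host, event type, file path). The file names are made up;
# only the locations mirror the chain described in the article.
SAMPLE_EVENTS = [
    ("ws01", "file_create", r"C:\Users\alice\AppData\Roaming\winupd\client.exe"),
    ("ws01", "file_create", r"C:\Users\alice\AppData\Local\Temp\authroot.dat"),
    ("ws01", "file_create", r"C:\Windows\Tasks\update.job"),
    ("ws02", "file_create", r"C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job"),
    ("ws02", "file_create", r"C:\Users\bob\AppData\Roaming\Mozilla\profiles.ini"),
]

# One regex per chain indicator, matched against the file path.
RULES = {
    "appdata_exe_drop": re.compile(r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe$", re.I),
    "temp_authroot":    re.compile(r"\\AppData\\Local\\Temp\\authroot", re.I),
    "update_job_task":  re.compile(r"\\Windows\\Tasks\\update\.job$", re.I),
}

def match_rules(events):
    """Return {host: set of rule names} for file_create events that hit a rule."""
    hits = defaultdict(set)
    for host, event, path in events:
        if event != "file_create":
            continue
        for name, pattern in RULES.items():
            if pattern.search(path):
                hits[host].add(name)
    return hits

def score_hosts(events, threshold=2):
    """Hosts on which at least `threshold` distinct chain indicators were seen."""
    hits = match_rules(events)
    return {host: sorted(rules) for host, rules in hits.items() if len(rules) >= threshold}

if __name__ == "__main__":
    for host, rules in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: possible Trickbot persistence chain: {', '.join(rules)}")
```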
The Necurs botnet, operating as crimeware-as-a-service, had been known primarily for distributing Locky and Jaff ransomware, before Trickbot came into the spotlight. The sudden halt in the distribution of Locky and Jaff ransomware seems to suggest that the Trickbot spam proliferation might be yielding higher returns.
In fact, the Trickbot Trojan bears many similarities to the now defunct Dyre banking Trojan, which disappeared following Russian law enforcement raids of the Dyre cybercrime group. Flashpoint speculates that Trickbot’s author may have intimate knowledge of Dyre or simply is borrowing its old source code.
It is predicted that as long as the campaign is backed by the powerful Necurs botnet, it will continue to evolve and attack major financial institutions. Anti-fraud programs are a major area of concern in trying times like these.
Modus Operandi of the Attack
TrickBot is the first and only banking Trojan with such wide coverage. The updated attack type is more resource-intensive to produce and maintain than dynamic webinjection schemes, as posted earlier.
A basic redirection attack is typical in phishing attacks and is a technique that redirects one hyperlink to an unanticipated page loaded with a malicious payload.
Limor Kessem says:
In simple redirection of browsing to a different page, the user sees the switch to the next website and can observe the change in URL. This is not what happens in Trickbot’s case. Malware redirections hijack the victim to a fake website hosted on separate servers before he or she even sees the destination page.
By seamlessly moving infected victims away from the bank’s genuine website, the malware’s operator can switch to using webinjections to steal login details, personally identifiable information and critical authentication codes on the replica site — all without the bank knowing that the customer’s session has been compromised or discovering the flow of events on the fake site.
The attacks have been targeting the U.S., UK, New Zealand, France, Australia, Norway, Sweden, Iceland, Finland, Canada, Italy, Spain, Switzerland, Luxembourg, Belgium, Singapore and Denmark. Although Flashpoint stated that this was the first Trickbot variant to incorporate U.S. banks into its webinject configurations, there have in recent months been other reports that referenced Trickbot attacks on U.S. financial institutions, including four investment banking firms in the U.S. The rapid sweep of the attack across the financial sector has prompted a strong push for anti-fraud systems.