
TrickBot Banking Malware Gets More Updates, Distribution Activity Spikes

Posted: June 20, 2017

Believed to be the work of threat actors that were previously involved with the dreaded Dyre, the TrickBot banking Trojan first appeared on the threat landscape in August 2016, and, after several months of testing, it was unleashed in the wild. Having seen what TrickBot can do, researchers predicted that the Trojan could go on to become one of the serious names in the financial malware landscape. Indeed, there were several things to suggest that this might happen.

For one, TrickBot was (and still is) one of the few banking Trojans that rely on both web injections and redirection to manipulate the victim's browser. The injection attacks are easier to pull off but are more likely to be thwarted by the banks' security solutions. With redirects, both the targeted financial institutions and the victims remain none the wiser, but the whole operation requires a lot more resources.

Other banking Trojans have also incorporated these two means of attacking individuals, but TrickBot was the first one to have them since day one. This goes to show that the malware's authors intended to turn their Trojan into a formidable threat right from the start. And with the aggressive campaigns they launched over the following months, they managed to do just that.

At one point, researchers were seeing TrickBot infecting people through exploit kits, but for the most part, it has relied on spam messages. At the moment, there's another huge wave of TrickBot-spreading emails going around, and according to Flashpoint, it's coming from the biggest spam botnet of them all, Necurs. The infection, researchers say, starts with some social engineering.

The email comes with an attached ZIP file, which, the body says, should contain some payment information. Inside the archive, there are two files: a TXT document and a VBS script. The text file is not malicious, but it contains very little information (only a few lines), which means that victims are likely to run the VBS as well. When they do, the script contacts a remote server and downloads the payload.

Of course, the millions of messages would be useless if the Trojan can't do its thing – steal sensitive login credentials and siphon off money from people's bank accounts. That's why, before Necurs started spewing the emails around, TrickBot's authors changed the configuration file and lengthened the list of targeted financial institutions.

The many updates the Trojan has received over the last nine months or so have changed the landscape. If you take the time to go through its development, you'll realize that it's another testament to the authors' determination to turn TrickBot into a seriously dangerous piece of malware.

The Trojan's first versions targeted a relatively small list of banks in the UK and Australia, but this was about to change. A couple of updates in November and December added financial institutions from Germany, Canada, and New Zealand. Later, the configuration file was changed again to include yet more banks based in a myriad of European countries as well as some in the US. In June of this year, the authors started targeting banks in Sweden, Norway, Finland, Denmark, and Iceland. With the latest update, IBM security researchers said, the criminals are putting the emphasis on Spain: five new Spanish banks have been added, all of them attacked using redirection.

TrickBot's expansion continues, both in terms of distribution and in terms of the number of targets which are now scattered across the globe. According to researchers, some of the names on the list of targeted institutions suggest that the malware is mostly aimed at business organizations and high net worth individuals, but it's fair to say that whoever you are and wherever you are, you are not safe. Make sure you delete all those spam emails.
