
TrickBot Banking Trojan is Now Stealing Bitcoins

Posted: February 20, 2018

It seems that the world loves cryptocurrencies. As you probably know, the value of digital money skyrocketed last year and plenty of people invested large sums in the hope of making a buck. Although the hype has dissipated somewhat and the future is anything but certain, it's safe to say that few people would decline the prospect of having tons and tons of virtual coins. Cybercriminals, in particular, want to amass as many as possible. They won't do it the legal way, though.

Over the last few months, we saw something of an explosion when it comes to malicious cryptocurrency miners. The idea is that while your CPU fans prepare for takeoff and the performance of your PC slows to a crawl, the countless calculations your machine performs generate crypto coins for the crooks. It's not the most destructive attack in the world, but it's extremely lucrative, and last week, Check Point researchers said that by illegally installing mining software on more than a few unpatched Jenkins servers, a hacking group has managed to obtain more than $3 million worth of Monero.

The authors of the TrickBot banking trojan, however, have apparently decided that waiting for miners to generate digital money is too much of a hassle. Instead, they want to directly steal bitcoins from their victims.

Launched in 2016, the TrickBot banking trojan has become one of the most widely used financial malware families out there. Its authors are famous for the regular updates and new features they add to their creation. Last year, for example, we saw them implementing worm functionality into the trojan, and later, they used TrickBot for account checking attacks. Recent samples captured by IBM researchers come with the ability to steal bitcoins.

The cryptocurrency stealing functionality doesn't come from a separate module. Rather, it's a modification to TrickBot's existing webinject rules.

A webinject attack works by hooking key APIs inside the browser. Basically, the malware detects when a victim visits a targeted website, contacts its Command & Control server, and modifies the page as it is rendered on the user's PC. Up until recently, the pages were altered so that the hackers could harvest the user's login credentials. The new webinject used for stealing bitcoins is a bit more complex.

The actual theft happens when the victim is trying to buy some bitcoins. First, TrickBot will sniff out and relay the address of the user's Bitcoin wallet and the number of virtual coins that are about to be purchased. Based on this information, the crooks decide whether the theft is worth the effort. If it is, they'll continue by altering the next page. On it, they'll swap the Bitcoin wallet address provided by the user for one controlled by them. That way, the victim's credit card will be charged, but the coins bought with it will be redirected to the hackers. For good measure, they'll also steal some login credentials and personal information that could facilitate complete account takeover.
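Because the trojan relays the wallet address the user typed on the first page and only swaps it on the following page, an exchange's backend can catch the swap by comparing the payout address it recorded at each step. The check below is an added example (not code from the article or from IBM's analysis); the step names "quote" and "confirm", the session log format and the sample sessions are assumed and constructed, and the two sample addresses are the well-known Bitcoin genesis-block and all-zero-hash160 addresses, used only as syntactically valid values.

```python
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_payload(addr):
    """Decode a legacy Base58Check Bitcoin address and return its 21-byte
    version+hash160 payload, or None if a character or the checksum is bad."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    leading_zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash160 + 4-byte checksum
        return None
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == checksum else None


def audit_purchase(events):
    """events: server-side log of (step, payout_address) for one purchase session
    (assumed format). Returns a list of findings; an empty list means the address
    was well-formed and identical on the quote and confirm steps."""
    findings = []
    seen = {}
    for step, addr in events:
        if b58check_payload(addr) is None:
            findings.append(f"{step}: malformed payout address {addr!r}")
        seen[step] = addr
    if "quote" in seen and "confirm" in seen and seen["quote"] != seen["confirm"]:
        findings.append("payout address changed between quote and confirm: "
                        f"{seen['quote']} -> {seen['confirm']}")
    return findings


# Constructed sessions: one clean, one where the confirm step carries a different
# (but syntactically valid) address, as a webinject swap would produce.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ZERO_HASH = "1111111111111111111114oLvT2"
CLEAN_SESSION = [("quote", GENESIS), ("confirm", GENESIS)]
SWAPPED_SESSION = [("quote", GENESIS), ("confirm", ZERO_HASH)]

if __name__ == "__main__":
    for name, session in (("clean", CLEAN_SESSION), ("swapped", SWAPPED_SESSION)):
        print(name, audit_purchase(session) or "ok")
```

The comparison must run on the server: the browser-side copy of the page is exactly what the trojan controls, so any client-side check can be rewritten by the same webinject.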

That's not the most automated attack ever seen. In fact, rerouting a single transaction requires quite a lot of effort from the TrickBot gang. They don't seem to mind, though, and if anything, the current update shows just how determined they are to steal money from unsuspecting computer users.
