
TrickBot Used for More Fraudulent Activities Stealing Victims' Banking Credentials

Posted: November 27, 2017

Researchers from Flashpoint wrote yet again about TrickBot yesterday. For those of you who don't know, TrickBot has been on the scene since the summer of 2016, and it's believed to be the work of the same people who operated the Dyre banking trojan. Over the last fifteen months, it has received many updates, and the experts have noticed quite a few distribution spikes, some bigger, some smaller. What prompted Flashpoint to write about it once again is a clever new functionality that was added to the trojan's latest version.

Like any banking trojan, TrickBot's main goal is to steal victims' online banking credentials. With usernames and passwords, the threat actors can log in and siphon money off the unsuspecting user's bank account. The malware has proven itself to be quite good at this, with attacks being carried out both through webinjects and redirection. The list of targeted institutions has grown over the last year as well, and it's now quite long.

Apparently, however, the threat actors are still not satisfied, and they've now implemented a feature that lets them commit even more crimes through TrickBot. They are now employing their trojan to perform account checking attacks. But what exactly is an account checking attack?

You probably know what a data breach is. It's when hackers poke through the security of a website and make off with your personal information. This information, in some cases, might include your username and your password. Because people tend to have many accounts, they tend to reuse passwords, and that's good news for the hackers because if you use the same login credentials for different websites, they can compromise not one, but all of your accounts. They can't be sure if you've reused your password, however, and the only way to find out is by trial and error. Enter account checking, where an automated script takes leaked username and password combinations and tries them at different online services. If there's a match, the account is opened for takeover. If there isn't, the script moves on to the next.

It sounds simple enough, but it's not. Executing such an attack from the comfort of your home is tricky because it requires a lot of processing power, and the chances of being tracked are not slim, which isn't what the threat actors want. Enter TrickBot, which solves both problems to a large extent.

The modified version of the trojan was first spotted in August, according to Flashpoint, and since then, they've seen around 6,000 unique infections. Of these, at least two hundred have been actively used in the criminals' account checking campaign.

The infection chain is nothing out of the ordinary. It starts with a macro-laced Word document attached to a spam email. The researchers didn't give us too many details on what sort of social engineering the crooks included, but they did say that a vast portion of the victims consists of customers of the gaming and technology industries based in the US and Russia.

The malicious macros download the payload from a server and execute it. The main credential stealing module is deployed as per usual, and then, TrickBot sets about establishing a connection to a backconnect proxy server.

The difference between a normal proxy and a backconnect proxy is that the normal proxy reroutes traffic through a single IP, and if numerous connections are made to the same website through that IP, it will eventually get blocked. The backconnect proxy, on the other hand, gives you a pool of IPs, and you can make thousands of connections to the same website through different IPs. In other words, it's perfect for an account checking attack where you need to try thousands of different username and password combinations on different online services. With the proxy set up, the hosts infected, and the leaked databases available, the threat actors can easily launch the account checking attack.
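The two paragraphs above describe what account checking looks like from the attacker's side: leaked username/password pairs replayed against many services, and a backconnect proxy pool so that no single IP makes enough attempts to trip per-IP blocking. The flip side, for whoever runs the targeted login endpoint, is that the traffic still has a shape. The following is an added example, not code from the article or from Flashpoint's research, that runs two detections over a constructed authentication log: the single-source case (one IP trying many distinct usernames), and the distributed case the backconnect proxy produces (many IPs, one or two attempts each, a high failure rate, and nearly every attempt against a different account). It also lists the accounts that succeeded during a flagged window from an IP never before seen for that user, which are the "matches" the attacker found and the accounts to lock and reset first. The log format, the IP addresses (RFC 5737 documentation ranges), the usernames and all thresholds are assumptions made for this example.

```python
"""Spot account-checking (credential-stuffing) traffic in an authentication
log. Added example; not code from the article or from Flashpoint. The log
format and the thresholds below are assumptions chosen for the example."""
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample log (RFC 5737 documentation addresses, made-up users).
# Format per line: <ISO timestamp> <client IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
# normal traffic
2017-11-20T09:00:01 192.0.2.10 alice OK
2017-11-20T09:00:05 192.0.2.11 bob OK
2017-11-20T09:00:09 192.0.2.12 carol FAIL
2017-11-20T09:00:15 192.0.2.12 carol OK
# account checking from a single IP
2017-11-20T09:10:00 203.0.113.9 dave FAIL
2017-11-20T09:10:01 203.0.113.9 erin FAIL
2017-11-20T09:10:02 203.0.113.9 frank FAIL
2017-11-20T09:10:03 203.0.113.9 grace OK
2017-11-20T09:10:04 203.0.113.9 heidi FAIL
2017-11-20T09:10:05 203.0.113.9 ivan FAIL
# account checking spread over a backconnect proxy pool, 1-2 tries per IP
2017-11-20T09:20:00 198.51.100.1 judy FAIL
2017-11-20T09:20:01 198.51.100.2 mallory FAIL
2017-11-20T09:20:02 198.51.100.3 niaj FAIL
2017-11-20T09:20:03 198.51.100.4 olivia FAIL
2017-11-20T09:20:04 198.51.100.5 peggy OK
2017-11-20T09:20:05 198.51.100.6 rupert FAIL
2017-11-20T09:20:06 198.51.100.7 sybil FAIL
2017-11-20T09:20:07 198.51.100.1 trent FAIL
2017-11-20T09:20:08 198.51.100.8 victor FAIL
2017-11-20T09:20:09 198.51.100.2 walter FAIL
2017-11-20T09:20:10 192.0.2.10 alice OK
"""


class AuthEvent(NamedTuple):
    ts: str
    ip: str
    user: str
    ok: bool


LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(OK|FAIL)$")


def parse_auth_log(text):
    """Parse log text into AuthEvents; comments and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append(AuthEvent(ts, ip, user, result == "OK"))
    return events


def in_window(events, start, end):
    """Events with start <= ts < end (ISO-8601 strings sort lexicographically)."""
    return [e for e in events if start <= e.ts < end]


def single_source_offenders(events, min_distinct_users=5):
    """Signal 1: one client IP trying many different usernames.
    Returns {ip: distinct_user_count} for IPs at or over the threshold."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e.ip].add(e.user)
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_distinct_users}


def distributed_stuffing_summary(events, min_distinct_ips=5, max_attempts_per_ip=3.0,
                                 min_fail_rate=0.5, min_user_ratio=0.8):
    """Signal 2: stuffing spread over a proxy pool. No single IP is noisy, but the
    window as a whole shows many IPs, few attempts each, a high failure rate and
    almost every attempt aimed at a different username."""
    attempts = len(events)
    if attempts == 0:
        return {"flagged": False, "attempts": 0}
    ips = {e.ip for e in events}
    users = {e.user for e in events}
    fails = sum(1 for e in events if not e.ok)
    summary = {
        "attempts": attempts,
        "distinct_ips": len(ips),
        "attempts_per_ip": attempts / len(ips),
        "fail_rate": fails / attempts,
        "user_ratio": len(users) / attempts,
    }
    summary["flagged"] = (
        summary["distinct_ips"] >= min_distinct_ips
        and summary["attempts_per_ip"] <= max_attempts_per_ip
        and summary["fail_rate"] >= min_fail_rate
        and summary["user_ratio"] >= min_user_ratio
    )
    return summary


def takeover_candidates(events, start, end):
    """Accounts that logged in successfully inside a flagged window from an IP that
    had never succeeded for that user before the window: the attacker's matches."""
    known = {(e.user, e.ip) for e in events if e.ts < start and e.ok}
    hits = {e.user for e in in_window(events, start, end)
            if e.ok and (e.user, e.ip) not in known}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("single-source offenders:", single_source_offenders(evs))
    start, end = "2017-11-20T09:20:00", "2017-11-20T09:21:00"
    print("distributed window:", distributed_stuffing_summary(in_window(evs, start, end)))
    print("takeover candidates:", takeover_candidates(evs, start, end))
```

The point of the second signal is exactly the one the article makes about backconnect proxies: per-IP rate limiting never fires, because each pool address makes only one or two attempts, so the detection has to be computed over the whole window (attempts per IP, failure rate, and how many distinct usernames the attempts touch) rather than per client. The single-IP burst at 09:10 is caught by the first check and correctly not by the second, while the 09:20 burst is caught only by the second; `takeover_candidates` then names `grace` and `peggy` as the accounts whose reused passwords were found.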

The TrickBot operators aren't ones to sit still. Ever since they launched the trojan, they've been constantly upgrading it and adding new functionality. The account checking feature in this latest incarnation shows that they are finding more ways of monetizing their attacks. It also shows that you should stop reusing your passwords.
