TrickBot is a rising threat, the banking Trojan now targets Private Banking

According to a new analysis conducted by the IBM’s X-Force security team, a new wave of attacks powered by the TrickBot banking Trojan have been targeting private banks in the UK, Australia, and Germany.

The researchers observed new redirection attacks focused on new brands, including private banks, private wealth management firms, investment banking, and a retirement insurance and annuity company.

“operators of the infamous Trojan have been adding new redirection attacks focused on a list of brands that I had never seen in the past.” states the analysis published by IBM.

“Curious about this addition to the TrickBot prime target roster, I went on to examine each URL, only to find out that the operators have been doing a lot of homework. The current configuration files are replete with private banks, private wealth management firms, investment banking, and even a retirement insurance and annuity company. One of the new targets is among the oldest banks in the world, located in the U.K.”

TrickBot was initially observed in September 2016 by the researchers at security firm Fidelis Cybersecurity, that linked it to the Dyre banking trojan.

The security firm first spotted the TrickBot malware in September while it was used by crooks to target the customers of Australian banks (ANZ, Westpac, St. George and NAB).

The first TrickBot samples analyzed by the experts were implementing a single data stealer module, but a few weeks later, the researchers discovered a new sample including webinjects that appear to be in the testing phase.

In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has a strong connection to the Dyre banking trojan. From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn’t until you decode out the bot, however, that the similarities become staggering.” reads the analysis published by Fidelis Cybersecurity.

“This would suggest, but is far from conclusive, that some individuals related to the development of Dyre have found their way into resuming criminal operations.”

TrickBot and Dyre have many similarities, the code of the new banking trojan seems to have been rewritten with a different coding style, but maintaining many functionalities.

The malware was used in a number of attacks at the end of 2016 targeting banks in the UK and Australia, and Asian financial institutions.

Back to the present, TrickBot was used to target 20 new private banking brands, eight building societies in the UK, two Swiss banks, private banking platforms in Germany, and four investment banking firms in the U.S.

“Looking at the configuration, in the U.K., TrickBot has added 20 new private banking brands to its regular attack roster, as well as eight building societies. Also added were two Swiss banks, a few regular expressions for private banking platforms in Germany and four investment banking firms in the U.S. The complete set of targets includes over 300 unique URLs and regular expressions.” continues the analysis.

Among the novelties, the configuration shows crooks started targeting a Sharia law-compliant bank.

Trickbot is a rising threat, the researchers are observing to a significant intensification of the campaign leveraging the threat, in particular in Australia, New Zealand, and the UK.

“In terms of its attack types, TrickBot is quite similar to Dyre. Its signature moves are browser manipulation techniques that enable the malware to implement server-side web injections and redirection attacks,” IBM says.

Experts from IBM believe TrickBot would climb up the global chart of financial malware families, reaching the same level of threats like Dridex and Ramnit in the next months.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – banking trojan, cybercrime)

[adrotate banner=”13″]