TrickBot gang is back with new campaigns targeting Payment Processors and CRM Providers

Threat actors behind the financial trojan TrickBot have been updating its campaigns targeting Payment Processors and CRM Providers.

Threat actors behind Banking Trojan TrickBot switched from financial institutions to Payment processors and CRM providers.

TrickBot was initially observed in September 2016 by the researchers at security firm Fidelis Cybersecurity, that linked it to the Dyre banking trojan.

The security firm first spotted the TrickBot malware in September while it was used by crooks to target the customers of Australian banks (ANZ, Westpac, St. George and NAB).

The first TrickBot samples analyzed by the experts were implementing a single data stealer module, but a few weeks later, the researchers discovered a new sample including webinjects that appear to be in the testing phase.

In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has a strong connection to the Dyre banking trojan. From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn’t until you decode out the bot, however, that the similarities become staggering.” reads the analysis published by Fidelis Cybersecurity.

“This would suggest, but is far from conclusive, that some individuals related to the development of Dyre have found their way into resuming criminal operations.”

TrickBot and Dyre have many similarities, the code of the new banking trojan seems to have been rewritten with a different coding style, but maintaining many functionalities.

The malware was used in a number of attacks at the end of 2016 targeting banks in the UK and Australia, and Asian financial institutions.

In May, TrickBot was used to target 20 new private banking brands, eight building societies in the UK, two Swiss banks, private banking platforms in Germany, and four investment banking firms in the U.S.

Researchers at F5 analyzed 26 TrickBot configurations that were active in May 2017 when crooks also targeted two payment processing providers and two Customer Relationship Management (CRM) SaaS providers.

“In the 26 TrickBot configurations F5 researchers analyzed that were active in May 2017, targets expanded beyond banks to include two payment processing providers and two Customer Relationship Management (CRM) SaaS providers.” F5 reports. “The fact that payment processors were targets was a notable change that we also observed in Marcher, an Android banking trojan in March of 2017. It appears now that CRMs are a new target of attackers; is it because of their potential for collecting valuable user data that could enhance phishing campaigns?”

The F5 experts analyze two distinct TrickBot infection campaigns that were active in May, they respectively targeted 210 URL targets and 257 URLs. Both campaigns targeted the same US payment processor (PayPal), but according to F5 only the second campaign targeted the CRM providers.

Giving a look at the campaigns the experts discovered:

The first campaign:

• Banks (83% of URL targets, 18% UK banks)
• PayPal (a payment processor attributed to the US). 35 different PayPal URLs were also present in the configuration used in the second campaign.

The second campaign:

• Banks in UK (47% of targets).
• Payment processors with the addition of a new payment processor URL in the UK.
• CRMs Salesforce.com and an auto sales CRM developed by Reynolds & Reynolds in the US.

F5 identified 6 C&C IP addresses belonging European web hosting provider networks, three of which are operated by hosting firms in Asia. All the IP addresses used 443 / HTTPS for communication with the infected hosts in order to avoid detection.

F5 concludes TrickBot gangs has extended their campaigns due to their success.

“It seems the success of TrickBot thus far has influenced the authors to not only repeat their previous target list of banks from previous campaigns but to expand those targets to include new banks globally as well as CRM providers. The fact that C&C servers in these two most recent campaigns reside within web hosting companies is also significant, along with the fact that the C&C servers were different from those used in previous campaigns,” F5 says.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – malware, Trickbot)

[adrotate banner=”13″]