A new variant of Trickbot banking Trojan targets Verizon, T-Mobile, and Sprint users

A new Trickbot Trojan variant is targeting Verizon Wireless, T-Mobile, and Sprint users, confirming the evolution of the threat.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors has continuously upgraded it by implementing new features. For example, in February Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing.

Initially, TrickBot only included banking Trojan capabilities, over the years the authors implemented new features such as the ability data-stealing functionalities and the capability to drop other payloads.

Now researchers at Secureworks Counter Threat Unit (CTU) discovered a new TrickBot version that includes new dynamic webinjects in attacks aimed at U.S. mobile users.

The researchers observed that the authors, tracked as GOLD BLACKBURN, added new modules to steal information of US mobile users, in particular, experts observed that a module to target Verizon Wireless users was included on August 5, one for T-Mobile customers on August 12, and another to target Sprint users on August 19.

“When a victim navigates to the website of one of these organizations, the legitimate server response is intercepted by TrickBot and proxied through a command and control (C2) server.” reads the analysis published by SecureWorks. “This C2 server injects additional HTML and JavaScript into the page, which is then rendered in the victim’s web browser. For all three carriers, injected code causes an additional form field that requests the user’s PIN code,”

When the users of the US mobile carriers visit the websites of the companies, TrickBot intercepts the server response and proxies through a C2 server that injects the code to the page that requests additional user’s data, such as the PIN code.

The inclusion of code for stealing mobile PIN codes and other personal users suggests that GOLD BLACKBURN, or affiliated threat actors, are interested in carrying out port-out or SIM swap fraud.

“This fraud allows an attacker to assume control of a victim’s telephone number, including all inbound and outbound text and voice communications. The interception of short message service (SMS)-based authentication tokens or password resets is frequently used during account takeover (ATO) fraud.” continues the report.

Researchers suggest organizations and users to adopt time-based one-time password (TOTP) MFA rather than SMS-based multi-factor authentication (MFA).

“Similarly, telephone numbers should not be used as password reset options on important accounts. Enabling a PIN on mobile accounts remains a prudent anti-fraud measure that requires an attacker to possess an additional piece of information about their intended victim.” continues the report.

SecureWorks report also includes Indicators of compromise (IOCs) for this TrickBot variant.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Trickbot Trojan, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.