Malware

A new variant of Trickbot banking Trojan targets Verizon, T-Mobile, and Sprint users

A new Trickbot Trojan variant is targeting Verizon Wireless, T-Mobile, and Sprint users, confirming the evolution of the threat.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors has continuously upgraded it by implementing new features. For example, in February Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing.

Initially, TrickBot only included banking Trojan capabilities, over the years the authors implemented new features such as the ability data-stealing functionalities and the capability to drop other payloads.

Now researchers at Secureworks Counter Threat Unit (CTU) discovered a new TrickBot version that includes new dynamic webinjects in attacks aimed at U.S. mobile users.

The researchers observed that the authors, tracked as GOLD BLACKBURN, added new modules to steal information of US mobile users, in particular, experts observed that a module to target Verizon Wireless users was included on August 5, one for T-Mobile customers on August 12, and another to target Sprint users on August 19.

“When a victim navigates to the website of one of these organizations, the legitimate server response is intercepted by TrickBot and proxied through a command and control (C2) server.” reads the analysis published by SecureWorks. “This C2 server injects additional HTML and JavaScript into the page, which is then rendered in the victim’s web browser. For all three carriers, injected code causes an additional form field that requests the user’s PIN code,”

When the users of the US mobile carriers visit the websites of the companies, TrickBot intercepts the server response and proxies through a C2 server that injects the code to the page that requests additional user’s data, such as the PIN code.

The inclusion of code for stealing mobile PIN codes and other personal users suggests that GOLD BLACKBURN, or affiliated threat actors, are interested in carrying out port-out or SIM swap fraud.

“This fraud allows an attacker to assume control of a victim’s telephone number, including all inbound and outbound text and voice communications. The interception of short message service (SMS)-based authentication tokens or password resets is frequently used during account takeover (ATO) fraud.” continues the report.

Researchers suggest organizations and users to adopt time-based one-time password (TOTP) MFA rather than SMS-based multi-factor authentication (MFA).

“Similarly, telephone numbers should not be used as password reset options on important accounts. Enabling a PIN on mobile accounts remains a prudent anti-fraud measure that requires an attacker to possess an additional piece of information about their intended victim.” continues the report.

SecureWorks report also includes Indicators of compromise (IOCs) for this TrickBot variant.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Trickbot Trojan, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds six Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds six Microsoft Windows flaws to its Known Exploited…

39 minutes ago

Microsoft Patch Tuesday security updates for March 2025 fix six actively exploited zero-days

Microsoft Patch Tuesday security updates for March 2025 address 56 security vulnerabilities in its products,…

1 hour ago

New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?

The Ballista botnet is exploiting an unpatched TP-Link vulnerability, targeting over 6,000 Archer routers, Cato…

10 hours ago

Apple fixed the third actively exploited zero-day of 2025

Apple addressed a zero-day vulnerability, tracked as CVE-2025-24201, that has been exploited in "extremely sophisticated"…

21 hours ago

Switzerland’s NCSC requires cyberattack reporting for critical infrastructure within 24 hours

Switzerland's NCSC mandates critical infrastructure organizations to report cyberattacks within 24 hours of discovery. Switzerland's…

1 day ago

SideWinder APT targets maritime and nuclear sectors with enhanced toolset

The APT group SideWinder targets maritime and logistics companies across South and Southeast Asia, the…

1 day ago

This website uses cookies.