Trickbot Trojan targeting U.S. financial institutions

It is not uncommon for malware, be it ransomware or Trojans, to evolve in its attack methods. What a malware family was known to do a year ago can change in a relatively short time. The change may be not just in the type of attack the malware carries out, but also in the regions where it is present or the targets it focuses on. The Trickbot Trojan is a perfect example of this, as security researchers are discovering.

Initially discovered in 2016, Trickbot is a banking Trojan that, according to a new Flashpoint report, executed man-in-the-browser (MitB) attacks and especially focused “the malware’s webinject configuration” against “financial institutions located outside of the U.S.” Starting around mid-July, however, researchers began seeing activity for the first time against U.S. financial institutions. Even worse, the Trickbot Trojan was being delivered in a spam campaign fueled by the Necurs botnet.

As the report states:

The initial spam wave contained an HTML email masquerading as a bill from an Australian telecommunications company. These malicious emails contained a Zip-archived Windows Script File (WSF) attachment consisting of obfuscated JavaScript code. Upon being clicked, the files download and execute the Trickbot loader… subsequent campaigns have evolved and appear to instead utilize malicious macro-laden documents as their attachments.

An example of the spam email containing Trickbot can be seen below:

[Image: example email with Trickbot malware]

With the power of the Necurs botnet behind the Trickbot Trojan, security researchers are alarmed at how strongly the attacks are growing globally. As Limor Kessem of Security Intelligence wrote, “TrickBot is the first and only banking Trojan to cover this many geographies and language zones with redirection schemes, an attack type known to be more resource-intensive to produce and maintain than dynamic webinjection schemes.”

The key thing to understand is that Trickbot, or its successors, will undoubtedly continue to push past what was once thought possible for banking malware. IT security divisions in financial institutions globally must take special care to understand how Trickbot functions and how to counteract it.
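The delivery chain quoted from the report (a Zip-archived WSF attachment, later macro-laden documents) can be screened for at the mail gateway. The sketch below is an added example, not code from Flashpoint or from the original article; the extension lists, the size limit and all function names are assumptions chosen for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta"}  # assumed lists; tune locally
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".pptm"}
MAX_MEMBER = 20_000_000  # skip members that declare a larger size

def _read(z, m, depth):
    """Member bytes, or None if too deep, encrypted, oversized or unreadable."""
    try:
        ok = depth < 2 and not m.flag_bits & 0x1 and m.file_size <= MAX_MEMBER
        return z.read(m) if ok else None
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError):
        return None

def scan_file(name, data, depth=0):
    """Return [(path, reason)] for an attachment or archive member (data may be None)."""
    ext = "." + name.lower().rpartition(".")[2] if "." in name else ""
    if ext in SCRIPT_EXTS or ext in MACRO_EXTS:
        return [(name, "script file" if ext in SCRIPT_EXTS else "macro-enabled document")]
    try:
        z = zipfile.ZipFile(io.BytesIO(data or b""))
    except zipfile.BadZipFile:
        return []  # not an archive; legacy OLE macro documents are out of scope here
    with z:
        members = z.infolist()
        # OOXML documents are zips; an embedded VBA project means macros.
        if any(m.filename.lower().endswith("vbaproject.bin") for m in members):
            return [(name, "macro-enabled document")]
        return [(f"{name}!{p}", r) for m in members if not m.is_dir()
                for p, r in scan_file(m.filename, _read(z, m, depth), depth + 1)]

def scan_message(raw):
    """Scan every attachment of a raw RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [f for part in msg.iter_attachments()
            for f in scan_file(part.get_filename() or "", part.get_payload(decode=True) or b"")]

def build_sample():
    """Constructed sample: a mail whose zip attachment holds a harmless placeholder .wsf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("bill.wsf", "<job><!-- constructed placeholder --></job>")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="bill.zip")
    return msg.as_bytes()
```

Encrypted archive members are still judged by file name, since their content cannot be read; a gateway would typically quarantine any message for which `scan_message` returns a finding.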

Photo credit: Flickr / Mike Poresky
