The TrickBot trojan is adding man-in-the-browser (MitB) capabilities for stealing online banking credentials that resemble Zeus, the early banking trojan, researchers said — potentially signaling a coming onslaught of fraud attacks.
TrickBot is a sophisticated (and common) modular threat known for stealing credentials and delivering a range of follow-on ransomware and other malware. But it started out as a pure-play banking trojan, harvesting online banking credentials by redirecting unsuspecting users to malicious copycat websites.
According to researchers at Kryptos Logic Threat Intelligence, this functionality is carried out by TrickBot’s webinject module. When victim attempts to visit a target URL (like a banking site), the TrickBot webinject package performs either a static or dynamic web injection to achieve its goal, as researchers explained:
“The static inject type causes the victim to be redirected to an attacker-controlled replica of the intended destination site, where credentials can then be harvested,” they said, in a Thursday posting. “The dynamic inject type transparently forwards the server response to the TrickBot command-and-control server (C2), where the source is then modified to contain malicious components before being returned to the victim as though it came from the legitimate site.”
In the updated version of the module, TrickBot has added support for “Zeus-style webinject configs,” according to Kryptos Logic – an additional way to dynamically inject malicious code into target banking-site destinations.
Tapping Zeus for a Thunderbolt of MitB
Zeus was once the ascendent banking trojan on the crimeware scene until 2011, when its source code was leaked. Multiple malwares have since cherrypicked various of its functionalities to incorporate into their own code, researchers explained.
“Due to Zeus having been the gold standard for banking malware, Zeus-style webinjects are extremely popular,” they said. “It is not uncommon for other malware families to support Zeus-style webinject syntax for cross-compatibility (4Zloader, 5Citadel, to name a few).”
In a Zeus approach, the injection is accomplished by proxying traffic through a local SOCKS server – a trick that’s also found in IcedID’s man-in-the-browser webinject module, researchers said. When a victim attempts to visit a target URL (one of the many hardcoded into the module), the traffic flowing through the listening proxy is dynamically modified accordingly.
Researchers explained that to accomplish this, it creates a self-signed TLS certificate and adds it to the certificate store.
“The module contains a packed payload that is injected into the victim’s browser, where it hooks socket APIs to redirect traffic to a locally listening SOCKS proxy, it also hooks ‘CertVerifyCertificateChainPolicy’ and ‘CertGetCertificateChain’ to ensure no certificate errors are shown to the victim,” according to the posting.
The updated module is being pushed out to real victims under the name injectDll, which has replaced the old functionality. There are 32-bit and 64-bit versions, the firm found.
TrickBot Resumes Bank-Fraud Operations?
Kryptos Logic researchers explained that the development is notable given that TrickBot has evolved from its banking-trojan days to focus almost exclusively on acting as a first-stage, multipurpose malware that is often the precursor to a ransomware infection. It’s also often seen performing lateral propagation throughout a network environment, before delivering a final payload (again, usually ransomware). Recently it even added a bootkit function.
So, this new effort in freshening up the webinject module may indicate that TrickBot’s operators are getting back into the banking-fraud fray, researchers said.
“The resumption of development of the webinject module indicates that TrickBot intends to revive its bank-fraud operation, which appears to have been shelved for over a year,” Kryptos Logic researchers concluded. “The addition of Zeus-style webinjects may suggest expansion of their malware-as-a-service platform, enabling users to bring their own webinjects.”
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.