The Trickbot banking Trojan is now targeting U.S. banks in new spam campaigns fueled by the prolific Necurs botnet. The malware has grown more potent with the introduction of a customized redirection method as part of its attacks.
IBM X-Force and Flashpoint both recently spotted new Trickbot activity and independently published research on their findings this week.
According to the researchers, spam campaigns have been active over the past several months, with the latest Trickbot attack reported earlier this week.
While Flashpoint's research focused on the shift toward U.S. targets, IBM's focused on the redirection attacks used to steal login details, personally identifiable information and financial authentication codes.
“Trickbot has been responsible for man-in-the-browser attacks since mid-2016, yet the malware’s webinject configuration has only targeted financial institutions located outside of the U.S. — up until now,” according to Flashpoint researchers Vitali Kremez and Paul Burbage in research posted Wednesday.
They said the Necurs-powered spam campaign contains an “expanded webinject configuration” developed to target and infect customers of international and U.S.-based financial institutions.
“Although this wave utilized malicious WSF scripts as the initial vector of infection, subsequent campaigns have evolved and appear to instead utilize malicious macro-laden documents as their attachments,” Flashpoint said.
Post-infection, the malware creates a process using the “CREATE_SUSPENDED” flag before injecting its module and terminating the initial thread used to launch the Trojan, researchers said. The infection then progresses: the malware creates a folder in “%APPDATA%” into which it copies itself, drops an authroot certificate file in “%TEMP%”, and adds “update[.]job” as a service in the Windows Task folder for persistence.
“Trickbot then stores an encoded configuration module in the ‘resource’ section of its binary and retrieves additional modules from its controller domains when needed,” Kremez and Burbage wrote.
In its analysis of Trickbot, Flashpoint said the malware is a successor to the Dyre banking Trojan that shares many of the same attributes. While the crew behind Dyre sits in a Russian jail, Trickbot appears to be picking up the slack with attacks against banks using a number of webinjects also found in the Dyre malware code, according to a report last year by IBM X-Force researchers.
How Trickbot Tricks
“TrickBot is the first and only banking Trojan to cover this many geographies and language zones with redirection schemes, an attack type known to be more resource-intensive to produce and maintain than dynamic webinjection schemes,” Limor Kessem wrote in a technical write-up describing Trickbot’s latest developments, posted Wednesday.
A basic redirection attack, common in phishing, sends a hyperlink's visitor to an unanticipated page loaded with a malicious payload.
“In simple redirection of browsing to a different page, the user sees the switch to the next website and can observe the change in URL. This is not what happens in Trickbot’s case. Malware redirections hijack the victim to a fake website hosted on separate servers before he or she even sees the destination page,” Kessem wrote.
“The fake page displays the bank’s correct URL in the address bar, as well as the bank’s genuine digital certificate. The user is unlikely to notice any difference or suspect that he or she reached a malicious site,” IBM X-Force researchers said.
“By seamlessly moving infected victims away from the bank’s genuine website, the malware’s operator can switch to using webinjections to steal login details, personally identifiable information and critical authentication codes on the replica site — all without the bank knowing that the customer’s session has been compromised or discovering the flow of events on the fake site,” according to Kessem.
Over the past several months, IBM X-Force said, those behind Trickbot have broadened their attack scope specifically within Spain. “While the malware had previously targeted only one bank in Spain, it now targets six brands in the country,” it reported.
Indicators of compromise include the MD5 hashes 9a1d8e19b0622df7de1e0034e710b5a8 and 0e09c2aa13515fc10b5e352cbfab37b7.
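The host artifacts described above (the copy under “%APPDATA%”, the authroot certificate file in “%TEMP%”, the “update.job” task in the Windows Tasks folder) together with the two published MD5 hashes can be turned into a simple triage rule. The script below is an added example, not code from the article, Flashpoint or IBM X-Force; it runs over constructed sample events in an assumed, simplified JSON shape (fields `host`, `path`, `md5`), not any real sensor's schema, and the exact file and folder names it matches on are assumptions derived from the article's description.

```python
"""Triage constructed host events against the Trickbot artifacts named in the
article: a self-copy under %APPDATA%, an 'authroot' certificate file in %TEMP%,
a persistence task 'update.job' in the Windows Tasks folder, and the two
published MD5 hashes. Event shape and sample data are constructed for this
example."""
import json
import re
from typing import Dict, List

# The two MD5 indicators published with the article.
KNOWN_MD5 = {
    "9a1d8e19b0622df7de1e0034e710b5a8",
    "0e09c2aa13515fc10b5e352cbfab37b7",
}

# Path patterns derived from the article's description (assumptions: the
# dropped copy is an .exe in a new folder directly under %APPDATA%, and the
# certificate file name starts with 'authroot'). Matching is case-insensitive
# because Windows paths are.
RULES = [
    ("appdata_copy", re.compile(r"\\appdata\\roaming\\[^\\]+\\[^\\]+\.exe$", re.I)),
    ("temp_authroot_cert", re.compile(r"\\temp\\authroot[^\\]*$", re.I)),
    ("tasks_update_job", re.compile(r"\\windows\\tasks\\update\.job$", re.I)),
]

# Constructed sample events: ws01 shows the full artifact set, ws02 is benign.
SAMPLE_EVENTS = [
    {"host": "ws01", "path": r"C:\Users\alice\AppData\Roaming\winapp\winapp.exe",
     "md5": "9a1d8e19b0622df7de1e0034e710b5a8"},
    {"host": "ws01", "path": r"C:\Users\alice\AppData\Local\Temp\authroot.crt"},
    {"host": "ws01", "path": r"C:\Windows\Tasks\update.job"},
    {"host": "ws02", "path": r"C:\Windows\Tasks\GoogleUpdate.job"},
    {"host": "ws02", "path": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
]


def classify_event(event: dict) -> List[str]:
    """Return the names of the indicators a single event matches."""
    hits = []
    path = event.get("path", "")
    for name, pattern in RULES:
        if pattern.search(path):
            hits.append(name)
    if event.get("md5", "").lower() in KNOWN_MD5:
        hits.append("known_md5")
    return hits


def scan(events) -> Dict[str, List[str]]:
    """Aggregate matched indicators per host (sorted, de-duplicated)."""
    per_host: Dict[str, set] = {}
    for ev in events:
        hits = classify_event(ev)
        if hits:
            per_host.setdefault(ev["host"], set()).update(hits)
    return {host: sorted(names) for host, names in per_host.items()}


def flagged_hosts(events, threshold: int = 2) -> List[str]:
    """A host is flagged on a known hash alone, or on `threshold` or more
    distinct host artifacts (a single .job file by itself is too weak)."""
    flagged = []
    for host, hits in sorted(scan(events).items()):
        if "known_md5" in hits or len(hits) >= threshold:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The threshold exists because the Tasks folder and %TEMP% see plenty of legitimate writes; requiring a second artifact, or a hash match, keeps a lone `update.job` from paging anyone while still catching the full drop sequence the article describes.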