The TrickBot banking Trojan, a close relative to Dyre, has a growing target list and new browser manipulation techniques, experts at IBM X-Force said.
“We expect to see it amplify infection campaigns and fraud attacks, sharpen its aim on business and corporate accounts,” wrote Limor Kessem, executive security advisor with IBM, in a security bulletin.
TrickBot, Kessem said, has matured quickly over the past three months during its testing and development stage. She added that the banking Trojan has also implemented two of the “most advanced browser manipulation techniques observed in banking malware in the past few years.” TrickBot is closely related to the Dyre banking Trojan, sharing much of the underlying code and features. While the crew behind Dyre sits in a Russian jail, TrickBot appears to be picking up the slack with early attacks against banks in Australia using a number of webinjects also found in the Dyre malware code.
But IBM X-Force now says TrickBot has adopted several new features and is finding new targets, such as the personal and business banking websites of financial institutions in the U.K., Australia, New Zealand, Canada and Germany. Where the attackers behind TrickBot initially focused on redirection attacks and server-side injections against a handful of banks, this November IBM noticed shifts in the malware’s tactics.
“This scope changed almost overnight when TrickBot’s operators launched two new configurations in early November… More than just adding URLs to the configuration, targeted banks in the U.K. were fitted with customized redirection attacks — the most advanced method to manipulate what victims see in their browsers,” Kessem wrote.
Based on an examination of TrickBot and the speed of its development, Kessem says the TrickBot criminals either meticulously prepared the redirects in advance of their campaigns or simply purchased them from another gang. Unlike its cousin Dyre, Kessem said, TrickBot has “dabbled” in malvertising leveraging the RIG exploit kit, malicious email attachments and poisoned Office macros delivered through the “Godzilla loader.”
That behavior suggests to the IBM X-Force team that the group behind TrickBot is after specific business accounts. “They have been sending malware-laden spam to companies, not just indiscriminate waves of email,” she said. This, too, is a departure for TrickBot. As the cliché goes, with TrickBot change is the only constant. “Infection methods are bound to change again at any given time,” said Kessem. She said that constant evolution is tied to the fact that the bad guys are networking with other botnet and malware distributors.
Telltale signs of such tangled relationships include similarities with the Cutwail botnet’s malware and the use of the same crypter as Vawtrak and Pushdo, a tool used to hide viruses, keyloggers and RATs. Those same similarities were spotted by Fidelis Cybersecurity in October, when its researchers said there is a clear link between Dyre and TrickBot. Fidelis said the TrickBot sample it examined included a custom loader, called TrickLoader, that was also used in the Cutwail spambot, which Fidelis said was similar to the one used by the Dyre gang in its spam campaigns.