SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
TOP Security!
11 Nov 2016

TrickBot banking trojan adds new browser manipulation tools

The TrickBot banking Trojan, a close relative to Dyre, has a growing target list and new browser manipulation techniques, experts at IBM X-Force said.

“We expect to see it amplify infection campaigns and fraud attacks, sharpen its aim on business and corporate accounts,” wrote Limor Kessem, executive security advisor with IBM in a security bulletin.

TrickBot, Kessem said, has matured quickly over the past three months of its testing and development stage, and the banking Trojan has already implemented two of the “most advanced browser manipulation techniques observed in banking malware in the past few years.” TrickBot is closely related to the Dyre banking Trojan, sharing much of its underlying code and features. While the crew behind Dyre sits in a Russian jail, TrickBot appears to be picking up the slack: its early attacks targeted banks in Australia using a number of webinjects also found in the Dyre malware code.

But IBM X-Force now says TrickBot has adopted several new features and is finding new targets, such as the personal and business banking websites of financial institutions in the U.K., Australia, New Zealand, Canada and Germany. Where the attackers behind TrickBot initially focused on redirection attacks and server-side injections against a handful of banks, this November IBM noticed shifts in the malware’s tactics. (The two techniques differ in where the manipulation happens: a webinject alters the genuine bank page inside the victim’s browser, whereas a redirection attack silently sends the victim to an attacker-controlled replica of the bank’s site, so the bank’s own servers never see the session.)

“This scope changed almost overnight when TrickBot’s operators launched two new configurations in early November… More than just adding URLs to the configuration, targeted banks in the U.K. were fitted with customized redirection attacks — the most advanced method to manipulate what victims see in their browsers,” Kessem wrote.

Based on its examination of TrickBot and the speed of its development, Kessem says the TrickBot criminals either meticulously prepared the redirects in advance of their campaigns or simply purchased them from another gang. Unlike its cousin Dyre, Kessem said, TrickBot has “dabbled” in malvertising that leverages the RIG exploit kit, as well as malicious email attachments and poisoned Office macros delivered through the “Godzilla loader.”

That behavior suggests to the IBM X-Force team that the group behind TrickBot is after specific business accounts. “They have been sending malware-laden spam to companies, not just indiscriminate waves of email,” she said. That is another departure for TrickBot. As the cliché goes, with TrickBot change is the only constant. “Infection methods are bound to change again at any given time,” said Kessem. She said that constant evolution is tied to the fact that the bad guys are networking with other botnet and malware distributors.

Telltale signs of such tangled relationships include similarities between TrickBot and the Cutwail botnet’s malware, and the use of the same crypter (a packer used to hide viruses, keyloggers and RAT tools from antivirus) that Vawtrak and Pushdo also use. Those same similarities were spotted by Fidelis Cybersecurity in October, when its researchers said there was a clear link between Dyre and TrickBot. Fidelis said the TrickBot sample it examined included a custom loader, called TrickLoader, that was also used with the Cutwail spambot, which Fidelis said was similar to the one the Dyre gang used in its spam campaigns.

Tags:
spam fraud
Source:
Threatpost