Banking Trojan Trickbot Expands Reach, Now Attacking US Banks


The Trickbot banking Trojan, widely regarded as the successor to Dyre, has been carrying out man-in-the-browser (MitB) attacks since 2016. Until now its attacks have mostly hit organizations outside of the US. Now, however, the malware's webinjects are being aimed at US financial institutions.

In research published on July 17th, Flashpoint reported that 50 US banks are targeted in a new Trickbot spam campaign, dubbed "mac1", in addition to campaigns in 23 other countries.

Phishing email appears to be the infection vector: victims receive fake emails carrying a Zip-archived Windows Script File (WSF) attachment that contains obfuscated JScript (JavaScript) code. When the recipient opens the attachment, Windows Script Host executes the script, which downloads the Trickbot payload from URLs published on Pastebin.
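The following is an added example, not code from the article or from Flashpoint: a mail-gateway triage routine for the lure just described, which unpacks a ZIP attachment in memory, flags members with script-host extensions and double extensions such as `invoice.pdf.wsf`, scans their content for downloader tell-tales, and follows one level of zip-in-zip nesting. The archive and the WSF script it inspects are constructed for the example; the obfuscation in the sample is illustrative and is not Trickbot's actual downloader.

```python
"""Triage of a mail attachment for the lure described above: a ZIP wrapping a
Windows Script File (.wsf) that carries obfuscated JScript.  Added example, not
the article's code; the sample archive and script are constructed."""
import io
import os
import re
import zipfile

# Extensions Windows hands to a script host or runs directly on double-click.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta",
                     ".cmd", ".bat", ".ps1", ".scr", ".exe"}
# Indicators of an obfuscated downloader. The sample below splits the string
# "ActiveXObject" so a plain grep for it misses; eval() still gives it away.
SUSPICIOUS_PATTERNS = [
    (re.compile(rb"\beval\s*\(", re.I), "eval()"),
    (re.compile(rb"ActiveXObject", re.I), "ActiveXObject"),
    (re.compile(rb"fromCharCode", re.I), "fromCharCode"),
    (re.compile(rb"<script\s+language=.?(?:JScript|VBScript)", re.I), "WSH script block"),
]
MAX_MEMBER_BYTES = 5 * 1024 * 1024   # never inflate more than this (zip-bomb guard)
MAX_NESTING = 2                      # zip-in-zip depth to follow

# Constructed lure: the obfuscation is illustrative, not Trickbot's actual downloader.
SAMPLE_WSF = b"""<job id="inv"><script language="JScript">
var p=["c","t","i","v","e","X","O","b","j","e","c","t"];
var o=eval("new A"+p.join("")+"('WScript.Shell')");
</script></job>"""


def build_sample_zip(script_name="Invoice_2017-07.pdf.wsf", nested=False):
    """Build a constructed attachment in memory: a harmless README plus the lure
    (or, with nested=True, the lure inside a second ZIP; with script_name=None,
    the README alone)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "Please find the invoice attached.\n")
        if nested:
            zf.writestr("invoice.zip", build_sample_zip(script_name))
        elif script_name:
            zf.writestr(script_name, SAMPLE_WSF)
    return buf.getvalue()


def triage_zip(data, depth=0):
    """Return one finding per suspicious member; an empty list means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"name": info.filename, "reasons": ["oversized member"]})
                continue
            content = zf.read(info)
            lower = info.filename.lower()
            ext = os.path.splitext(lower)[1]
            if ext == ".zip" and depth < MAX_NESTING:
                try:
                    findings.extend(triage_zip(content, depth + 1))
                except zipfile.BadZipFile:
                    findings.append({"name": info.filename, "reasons": ["corrupt nested zip"]})
                continue
            reasons = []
            if ext in SCRIPT_EXTENSIONS:
                reasons.append("executable extension " + ext)
                if lower.count(".") >= 2:            # e.g. invoice.pdf.wsf
                    reasons.append("double extension")
            for pattern, label in SUSPICIOUS_PATTERNS:
                if pattern.search(content):
                    reasons.append(label)
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip(nested=True)):
        print(finding)
```

Content scanning matters as much as the extension check: a renamed `.txt` carrying the same script is still flagged by its `eval()` and `<script language="JScript">` block, while the split-string trick defeats the literal `ActiveXObject` match, which is why several weak indicators are combined rather than relying on one.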

More Sophisticated Than Ever

Many of Trickbot's target URLs are fitted with customized redirection attacks that hijack the victim to an attacker-controlled copy of the bank's site. The malware contacts the bank's genuine web page and keeps a live connection to it, so the fake page is shown with the bank's correct URL in the address bar and the bank's genuine digital certificate. Because the manipulation happens inside the browser, TLS and the padlock offer the victim no protection, and seeing the real URL keeps suspicion from being raised.

Targeted Attacks on Financial Services Firms Continue to Rise

The price of banking credentials on the black market remains extremely high, especially compared to Netflix and Uber credentials or credit card numbers, whose value is actually falling. This is a normal evolution in the kinds of data cybercriminals go after: since 2013 the price of stolen credit card numbers has dropped sharply, and we expect it to stay low or fall even further.

Financial institutions need to take a proactive approach to threats against their customers' credentials. Today it is not enough to have defenses that detect compromised credentials only when the user logs in to the digital banking portal. Deploying DMARC (on top of SPF and DKIM), for example, lets receiving mail servers reject messages that spoof the bank's own domain, so the customer never receives those phishing emails. Note that DMARC only protects the domains the bank publishes a policy for; lookalike domains registered by the attacker are not covered and still need to be handled by brand monitoring and content filtering.
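To make the DMARC point concrete, here is an added example (not the article's code) of the DMARC evaluation a receiving mail server performs per RFC 7489, run over three constructed messages: a genuine alert from the bank, a message that spoofs the bank's domain from the attacker's own infrastructure, and a phish from a lookalike domain. The domains, the DNS record and the SPF/DKIM verdicts are constructed; a real evaluator obtains them from DNS and from its SPF and DKIM verifiers, and the organizational-domain logic is simplified to "last two labels" instead of consulting the Public Suffix List.

```python
"""DMARC evaluation as RFC 7489 specifies it, run over constructed messages to show
what the policy stops and what it does not.  Added example, not from the article;
the domains, the DNS record and the SPF/DKIM results are constructed."""

# Constructed DNS answer: the brand domain publishes an enforcing policy.
DNS_TXT = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc@bank.example",
}


def org_domain(domain):
    """Organizational domain, simplified to the last two labels for this example
    (a real implementation consults the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict with the RFC defaults filled in;
    return None if the record is not a valid DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(msg, dns=DNS_TXT):
    """Return (disposition, reason); disposition is pass, none, quarantine or reject."""
    from_domain = msg["from"].rsplit("@", 1)[1].lower()
    record = dns.get("_dmarc." + from_domain)
    is_subdomain = record is None and from_domain != org_domain(from_domain)
    if is_subdomain:                       # fall back to the org domain's record
        record = dns.get("_dmarc." + org_domain(from_domain))
    policy = parse_dmarc(record) if record else None
    if policy is None:
        # Lookalike domains land here: no policy, so the message is delivered as-is.
        return "none", "no DMARC record for " + from_domain
    dkim_ok = msg.get("dkim") == "pass" and aligned(msg["dkim_d"], from_domain, policy["adkim"])
    spf_ok = msg.get("spf") == "pass" and aligned(msg["spf_domain"], from_domain, policy["aspf"])
    if dkim_ok or spf_ok:
        return "pass", "aligned " + ("DKIM" if dkim_ok else "SPF")
    disposition = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return disposition, "no aligned authentication for " + from_domain


# Constructed messages, each carrying what the SPF/DKIM verifiers would report.
LEGIT = {"from": "alerts@bank.example", "dkim": "pass", "dkim_d": "bank.example",
         "spf": "pass", "spf_domain": "bounce.bank.example"}
SPOOFED = {"from": "alerts@bank.example", "dkim": "none",
           "spf": "pass", "spf_domain": "bulk.attacker.invalid"}   # attacker's own SPF passes
LOOKALIKE = {"from": "alerts@bank-secure.example", "dkim": "pass", "dkim_d": "bank-secure.example",
             "spf": "pass", "spf_domain": "bank-secure.example"}

if __name__ == "__main__":
    for name, message in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, evaluate(message))
```

The spoofed message fails even though its SPF check passes, because the domain that passed (`bulk.attacker.invalid`) is not aligned with the visible From domain; the lookalike message passes straight through, which is the gap the prose above warns about. The `pct` tag, which lets a domain roll the policy out to a fraction of traffic, is ignored here.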

In addition, effective endpoint, browser, and mobile detection and protection can give banks early warning to raise their risk level when an attack is detected. Such technology can detect when a user's web session is being manipulated, whether by web injection or by redirection. Further, endpoint protection focused on malware like Trickbot can help prevent the payload from being downloaded by blocklisting the malware's payload URLs, though, as the Pastebin-hosted URLs in this campaign show, those URLs rotate quickly, so blocklists need to be fed from current intelligence rather than maintained by hand.
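Both the webinject mechanism described under "More Sophisticated Than Ever" and the session-manipulation detection mentioned here can be illustrated with one added example (not the article's code and not any vendor's product): a server-side integrity check that diffs the login form the browser actually rendered against the bank's known-good form and flags injected harvesting fields and third-party scripts. The baseline, the allowed script hosts and both HTML samples are constructed; in practice a small script on the bank's page reports the rendered DOM back to the bank, and a check like this one decides whether to raise the session's risk level.

```python
"""Detecting a Trickbot-style webinject by diffing the login form the browser
rendered against the bank's known-good form.  Added example, not code from the
article or any vendor; the baseline, hostnames and both HTML samples are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: the only field names the genuine login form may contain.
BASELINE_FORMS = {"login": {"username", "password", "csrf_token"}}
# Hosts that may legitimately serve scripts on the page (constructed).
ALLOWED_SCRIPT_HOSTS = {"bank.example", "static.bank.example"}
# Data a real login page never asks for; an injection adding one of these is high severity.
HIGH_VALUE_FIELDS = {"pin", "atm_pin", "ssn", "card", "cardnumber", "cvv", "mother_maiden"}


class FormFieldCollector(HTMLParser):
    """Collect input/select/textarea names per form, plus every external script src."""

    def __init__(self):
        super().__init__()
        self.forms = {}        # form id (or name) -> set of lower-cased field names
        self.scripts = []      # src attribute of every <script> tag
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id") or a.get("name") or "anonymous"
            self.forms.setdefault(self._current, set())
        elif tag in ("input", "select", "textarea") and self._current and a.get("name"):
            self.forms[self._current].add(a["name"].lower())
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_rendered_page(html, baseline=BASELINE_FORMS, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of alerts; an empty list means the page matches the baseline."""
    parser = FormFieldCollector()
    parser.feed(html)
    alerts = []
    for form_id, fields in parser.forms.items():
        expected = baseline.get(form_id)
        if expected is None:
            alerts.append(f"high: unexpected form '{form_id}'")
            continue
        for field in sorted(fields - expected):
            severity = "high" if field in HIGH_VALUE_FIELDS else "medium"
            alerts.append(f"{severity}: injected field '{field}' in form '{form_id}'")
    for src in parser.scripts:
        host = urlparse(src).hostname          # None for same-origin relative paths
        if host and host not in allowed_hosts:
            alerts.append(f"high: third-party script {src}")
    return alerts


# Constructed samples: GENUINE is what the bank serves; INJECTED is the same page
# after an in-browser injection added two harvesting fields and a loader script.
GENUINE = """<form id="login" action="/login" method="post">
<input name="username"><input type="password" name="password">
<input type="hidden" name="csrf_token" value="t0k3n"></form>
<script src="/static/app.js"></script>"""
INJECTED = GENUINE.replace(
    "</form>",
    '<input name="atm_pin"><input name="SSN"></form>'
    '<script src="https://cdn.attacker.invalid/inj.js"></script>')

if __name__ == "__main__":
    print(check_rendered_page(GENUINE))     # []
    print(check_rendered_page(INJECTED))
```

The point of the check is that the address bar and certificate are exactly what the victim sees as genuine, so the only reliable signal is the page content itself; the bank knows what its own form contains and can treat any deviation, especially a new field asking for a PIN or card number, as a sign of a manipulated session.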

This attack is a good reminder that financial institutions need to be readier than ever for these types of attacks. As attackers' strategies become more sophisticated and banking credentials continue to fetch a high price, these attacks will keep coming.
