As we reported at the end of July, the Trickbot banking Trojan continues to expand its reach to hit organizations in the US. When we first reported on this, it was estimated that the Trickbot campaign was targeting 50 US financial institutions. Now, it seems, the attacks are hitting far more US targets than previously reported.
Trickbot code released on Pastebin on August 17th shows that the attack targeted a huge number of banks in the US. This attack was indiscriminate: its targets included Top 20 banks, mid-size banks, and even small, local institutions.
Also included in the list of targets were some of the top US Fintech firms that provide online banking platforms to small and mid-market financial institutions. This was the newest revelation in relation to the attack. The malware leverages the way in which the online banking sites are hosted in the SaaS provider’s multitenant, shared environment. Within this shared environment, each online banking site is identified by a unique URL, often leveraging a subdomain from the same top-level domain.
Banks hosted by Fintech providers typically look something like this:
The Trickbot code shows that the attackers understand how these providers operate and have configured the malware to attack any online banking solution with domain names similar to those in the previous example. They identify the target URLs either with wildcards or with the common URL strings that banks share when hosted by those providers.
Here are the strings from the Trickbot Config file that show the use of a wildcard to target US online banking providers:
Also included were other strings that likely point to US online banking providers:
Most small banks configure their online banking capabilities through Fintech providers or their core providers. Knowing this, we estimate that the number of banks targeted by Trickbot could be more than 1,000.
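To show how a single provider-level wildcard covers every tenant subdomain on a shared platform, here is an added exposure check (not code from the post or from Trickbot) that a bank could run against its own online-banking URL. The pattern syntax (glob-style) and every domain, path and institution name are constructed assumptions, not values from the Trickbot config.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed wildcard entries in the style the post describes (assumed glob
# syntax, NOT the real Trickbot config): one provider-level wildcard covers
# every tenant subdomain hosted on that platform.
TARGET_PATTERNS = [
    "*.bankingplatform.example/*",   # hypothetical Fintech SaaS host
    "*/cgi-bin/netbanking/*",        # hypothetical shared URL path string
    "www.bigbank.example/*",         # hypothetical single institution
]

# Constructed online-banking URLs for hypothetical institutions.
INSTITUTION_URLS = {
    "First Hypothetical Bank": "https://firsthyp.bankingplatform.example/login",
    "Hypothetical Credit Union": "https://hypcu.bankingplatform.example/signon",
    "Example Community Bank": "https://ebank.exampleprov.example/cgi-bin/netbanking/start",
    "Big Bank": "https://www.bigbank.example/olb/login",
    "Unrelated Bank": "https://secure.unrelated.example/login",
}

def normalize(url):
    """Reduce a URL to lower-cased host + path (scheme and query dropped)."""
    parts = urlsplit(url.lower())
    return parts.netloc + parts.path

def matching_patterns(url, patterns=TARGET_PATTERNS):
    """Return the wildcard entries that cover this URL (glob '*' spans dots
    and slashes, which is exactly why a provider wildcard catches tenants)."""
    target = normalize(url)
    return [p for p in patterns if fnmatch.fnmatchcase(target, p)]

def exposure_report(urls=INSTITUTION_URLS, patterns=TARGET_PATTERNS):
    """Map each pattern to the institutions it covers."""
    report = {p: [] for p in patterns}
    for name, url in urls.items():
        for p in matching_patterns(url, patterns):
            report[p].append(name)
    return report

if __name__ == "__main__":
    for pattern, names in exposure_report().items():
        print(f"{pattern}: {len(names)} institution(s) -> {names}")
```

Each additional tenant on the platform raises the count for the provider wildcard without any change to the pattern list, which is what makes the post's estimate of more than 1,000 targeted banks plausible.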
This new file also confirms earlier reports from other security firms that linked Trickbot to the older banking Trojan called Dyre – the list of targets is very similar in both attacks.
The targeted URLs are in many cases fitted with customized redirection, taking the victim to a fake website while the malware keeps a live connection with the bank’s legitimate website. This allows the fake page to display the bank’s correct URL and digital certificate, ensuring that victims will not become suspicious of an attack.
The Trickbot banking Trojan has been responsible for man-in-the-browser attacks since 2016, and will likely continue to expand as long as banking credentials continue to fetch a high price on the black market.
This serves as a reminder to small US banks that they can be targeted in the same way as the top banks in the country. In the case of this attack, the attackers cast a wide net, covering a wide variety of financial institutions, in order to maximize their profits.
Mitigating Trickbot Attacks
For more technical information about Trickbot, visit our previous blog post.
To learn how to mitigate threats such as email spoofing, phishing, malware attacks, and redirection schemes, click here to learn more about our Digital Threat Protection Suite.