The Easy Solutions Security Operations Center has encountered a new variant of the ongoing Trickbot campaign. This variant appears to be adding new countries and banks to its target list.
Previously, the malware’s main targets were in the US, Canada, the UK, Spain, France, Finland, Sweden, Norway, Singapore, and Australia.
In its latest configuration (Version 1000044), we have observed a total of 346 URLs - a significant increase from the previously reported 200. This gives us proof that Trickbot has expanded to almost all of Europe, as well as a few Latin American countries. The new list of targets includes organizations from the following countries:
The Trickbot code is now configured to attack the local URLs of almost all the major global banks in each country on the list. The downloaded Trickbot variant has the group tag “kas5”. The decrypted configuration files contain a list of targets already seen in previous campaigns, in addition to many financial institutions new to the list.
Trickbot remains a highly active malware with updated configuration being released on daily basis. The creators of TrickBot are adding new targets for the static injection, which continues to be a very dangerous threat, redirecting users to fake sites while showing the correct URL and the correct SSL certificate.
Mitigating Trickbot Attacks
To learn more about how to mitigate threats such as malware attacks, email spoofing, phishing, and redirection schemes, click here to read about our Digital Threat Protection Suite.