Trickbot
Trickbot is a banking trojan that deploys advanced browser manipulation techniques, server-side injections and redirection attacks. Trickbot was considered a true banking trojan in October 2016 when it implemented web injection capabilities. The trojan’s primary targets are business accounts. Trickbot originally targeted Australian banks, one Canadian bank, and regional US banks through a regular expression (RegEx) URL for a digital banking platform. Since adding the two new configurations in November 2016, the malware has targeted personal and business banking websites of financial institutions in the United Kingdom, Australia, New Zealand, Canada, and Germany, including redirection attacks – an advanced method to manipulate what victims see in their browsers – against four banks in the UK. Additionally, Trickbot proliferates by using the RIG exploit kit through malvertising, by email attachments claiming to be a fax message, and by infected Microsoft Office macros using the Godzilla loader. IBM Security Intelligence researchers believe Trickbot’s operations are likely connected to the Cutwail botnet’s malware and it uses the same cryptor as Vawtrak, Pushdo, and Cutwail. The trojan is very similar to the Dyre trojan which also used the Cutwail botnet as one of its distribution methods.
Reporting
November 2016: Trickbot activity rises with redirection attacks in the United Kingdom. (IBM Security Intelligence)
April 2017: Trickbot added new redirection attacks focused on a list of private banking firms. Activity also increased to five campaigns in April, mainly targeting Australian, New Zealand, and U.K. companies. (IBM Security Intelligence)
June 2017: Increasingly used in campaigns targeting e-banking apps, PayPal accounts, and business customer relationship management (CRMs). (BleepingComputer)
July 2017: A new, Necurs botnet-powered Trickbot spam campaign is infecting customers of financial institutions in the U.S., U.K., New Zealand, France, Australia, Norway, Swedish, Iceland, Finland, Canada, Italy, Spain, Switzerland, Luxembourg, Belgium, Singapore, and Denmark. (Flashpoint)
July 2017: Trickbot added a self-spreading capability via a new SMB worm module that allows the trojan to propagate to nearby devices on the same network. (Flashpoint)
August 2017: Researchers at Cyren discovered a new Trickbot phishing campaign targeting Lloyds Bank customers. The trojan redirects victims to a fake login page that's indistinguishable from Lloyds' legitimate site and displays the correct URL and SSL certificate. (Cyren)
November 2017: QtBot dropper used to distribute Trickbot. (Palo Alto Networks)
November 2017: Trickbot is delivered through phishing emails coming from the typo-squatted domain <secure@sage-invoices[.]com> and claims to be a Sage invoice. (My Online Security)
March 2017: A new version of the Trickbot trojan includes a screenlocker component, currently under development, suggesting the malware's operators might soon begin holding victims for ransom. (BleepingComputer)
April 2018: New Trickbot plugin squlDll harvests email addresses from SQL servers. Also includes a screenlocking module not used as a ransomware component. (Fortinet)
October 2018: Trickbot has a new module, pwgrab32, for stealing credentials from applications such as Filezilla, Microsoft Outlook, and WinSCP. (Trend Micro)
November 2018: What’s new in Trickbot? Deobfuscating elements (Malwarebytes Labs)
November 2018: Trickbot Banking Trojan Starts Stealing Windows Problem History (Bleeping Computer)
November 2018: A new POS malware feature was added. The new module scans an infected computer for indicators that it’s connected to a network that supports POS services and machines. (Trend Micro)
February 2019: Trickbot adds remote application credential-grabbing capabilities. (Trend Micro)
March 2019: Trickbot was used to steal credentials for remote computer access targeting passwords for Virtual Network Computing (VCN), PuTTY, and Remote Desktop Protocol (RDP). (Center for Internet Security)
April 2019: Malicious spam emails sent from Paychex and ADP at height of tax season with Trickbot through Microsoft Excel attachments with intent to steal valuable data including banking credentials, allowing threat actors to wire money to themselves from the target without immediate detection. (CyberScoop)
May 2019: Researchers discovered a new version of Trickbot that uses a redirection URL in a spam email. The redirection URL is a way to bypass spam filters that may block Trickbot. (Trend Micro)
July 2019: Trickbot now comes with a separate module for stealing browser cookies. Cookies are used to remember login states, the website preferences, personalized content, or for tracking a user's browsing activity. (Bleeping Computer)
July 2019: Trickbooster, a new variant of Trickbot, has been observed harvesting email credentials and contacts from the victim’s address book. Once a victim is compromised, the malware is capable of sending out malicious spam, appearing to originate from the victim. To remain untraceable, Trickbooster then scrubs all evidence from the sent box and the trash folder. The purpose is to continue credential harvesting and proliferate the infection. At the time of this reporting, 250 million email addresses have been harvested. (Deep Instinct)
July 2019: Attackers have created a fake Office 365 site that is distributing TrickBot disguised as Chrome and Firefox browser updates to proliferate the password-stealing Trojan. (Bleeping Computer)
July 2019: A new Trickbot variant has been observed targeting Microsoft Window’s Defender, a security software platform, with the intent of preventing its detection and removal. This security software is widely used and sometimes provides the only form of antivirus to customers. (Bleeping Computer)
August 2019: A new Trickbot variant has been found using highly obfuscated JS file for propagation. (Cyware)
August 2019: New Trickbot variant targets Verizon, T-Mobile, and Sprint Users to steal PIN codes. (Bleeping Computer)
Technical Details
IBM’s X-Force provides a technical analysis of the Trickbot banking trojan here.
