Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Fully Operational TrickBot Banking Trojan Targets UK, Australia

TrickBot, a new piece of malware that experts believe is somehow linked to the notorious Dyre Trojan, is now fully operational and it has been used to target banks in the United Kingdom, Australia and other countries.

TrickBot, a new piece of malware that experts believe is somehow linked to the notorious Dyre Trojan, is now fully operational and it has been used to target banks in the United Kingdom, Australia and other countries.

Researchers at Fidelis Cybersecurity spotted TrickBot in September. The malware’s configuration file indicated that it had been set up to target several banks in Australia and one in Canada. However, the samples analyzed by the security firm only included a module for collecting system information – the web injection modules appeared to be in a testing phase.

IBM X-Force researchers revealed on Tuesday that TrickBot is now fully operational and it’s capable of deploying server-side injections and redirection attacks, which are considered two of the most sophisticated techniques a banking Trojan can use.

IBM pointed out that early versions of TrickBot were also set up to target a digital banking platform commonly used by regional banks in the United States. In early November, X-Force spotted two new configurations that enable redirection attacks against four banks in the UK and server-side injections against several Australian organizations.

In addition to the UK and Australia, experts say the malware targets the personal and business banking websites of financial institutions in New Zealand, Canada and Germany. However, considering that the malware has been developed at a fast pace, researchers expect to see even more targets in the coming weeks.

According to X-Force, TrickBot authors have conducted small-volume testing via malvertising, the RIG exploit kit, fake fax emails carrying malicious attachments, and poisoned Office macros delivered via the Godzilla loader.

Fidelis Cybersecurity identified several similarities between TrickBot and the notorious banking Trojan Dyre, which disappeared from the scene in November 2015 likely as a result of an operation carried out by Russian authorities. Experts noted that despite the similarities, TrickBot is a rewrite with a different coding style.

X-Force researchers agree that parts of the Dyre team are likely involved in the development of TrickBot. Another possibility is that someone who values Dyre wants to build a similar piece of malware.

Advertisement. Scroll to continue reading.

“TrickBot has been in testing for about two to three months now, and yet its developers have already managed to implement two of the most advanced browser manipulation techniques observed in banking malware in the past few years,” said Limor Kessem, executive security advisor at IBM Security. “TrickBot is moving fast, and we expect to see it amplify infection campaigns and fraud attacks, sharpen its aim on business and corporate accounts, and paint itself into the banking malware picture in the coming months.”

Related Reading: Zeus Banking Trojan Distributed via MSG Attachments

Related Reading: Ramnit Banking Trojan Resumes Activity

Related Reading: Gozi Banking Trojan Campaigns Target Global Brands

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.