Trickbot Banking Trojan: A deep insight into the banking trojan’s redirection attacks
- Trickbot banking trojan has primarily affected banks and financial institutions via redirection attacks.
- The trojan has affected various banks and financial institutions across countries including the United Kingdom, the United States, Australia, Germany, Canada, and New Zealand.
Trickbot is a banking trojan, which was first spotted in October 2016. The trojan primarily targets banking account credentials. It has affected various banks and financial institutions across countries including the United Kingdom, the United States, Australia, Germany, Canada, and New Zealand.
It has primarily affected banks and financial institutions via redirection attacks. Additionally, Trickbot has been distributed using the RIG exploit kit via malvertising, phishing emails, and via infected MS Office macros using the Godzilla loader.
Trickbot - Dyre's copycat
Trickbot banking trojan made its first appearance in October 2016 targeting Australian banks. Security experts believed that there was a link between Dyre and Trickbot. Researchers said that old code from the Dyre trojan had been added to the new Trickbot trojan, which also used the same built-in hash functions, the Microsoft CryptoAPI, and a similar version of the old Dyre C2 decryption routine.
Trickbot trojan’s capabilities include:
- Running silently in the background to hijack transactions.
- Requesting personal information from users and compromising their accounts.
- Sending the collected information to its operators via its C&C server.
- Stealing banking credentials.
Redirection attacks in the UK
In November 2016, Trickbot launched redirection attacks against four UK banks. The operators behind Trickbot also used browser manipulation techniques in their attacks against UK banks.
Redirection attacks in Canada
Trickbot continued to launch redirection attacks and targeted three Canadian banks. Researchers found that the operators behind TrickBot were connected to well-known spamming and infection services and used redirection attacks to target financial institutions.
Trickbot targeting PayPal accounts and business CRMs
Besides targeting financial institutions, the new version of Trickbot targeted the CRM applications of two SaaS providers, Salesforce and Reynolds & Reynolds. This new version of Trickbot was also capable of displaying fake login pages for 35 PayPal login sites.
QBot dropper used to distribute Trickbot
Trickbot was spotted being distributed via shared malspam campaigns. These malspam campaigns distributed MS Word documents which loaded an intermediate loader, ‘QBot’. This QBot loader was responsible for loading the final payload, ‘Trickbot’.
Fake invoices used to distribute Trickbot
A spoofed invoice pretending to come from Sage contained a malicious Microsoft Word doc attachment which distributed the Trickbot payload. Once a user opens the malicious Word document, the embedded macro script runs and infects the system with the Trickbot trojan.
Trickbot trojan includes a screen locker component
In March 2018, Trickbot re-emerged with a new version that included a screen locker component. The screen locker module is part of one of the many files that TrickBot dropped on victims’ computers. On March 15, the initial TrickBot dropper downloaded a file named tabDll32[.]dll (or tabDll64[.]dll) that dropped three other files.
Trickbot’s password grabber module
In November 2018, Trickbot added a password grabber module (pwgrab32) to its new version that steals stored credentials from several applications and browsers, such as Microsoft Outlook, FileZilla, WinSCP, Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge. This new Trickbot version affected users primarily in the United States, Canada, and the Philippines.
Fake Lloyds Bank emails used to distribute Trickbot
In November 2018, a new phishing campaign was spotted distributing the TrickBot trojan to victims. In this campaign, the victim received a phishing email that pretended to come from Lloyds Bank. The email contained a Microsoft Office doc attachment with a malicious macro embedded within it. Once the attachment is opened and the macro is enabled, the macro code downloads and executes TrickBot on the victim’s machine.
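The invoice and Lloyds Bank campaigns above share one delivery chain: an Office document whose macro launches a script host to fetch and run the payload, and the March 2018 dropper then writes tabDll32[.]dll / tabDll64[.]dll. The following detection logic is an added example, not code from the article or from any vendor; the process-creation records are constructed in a Sysmon-like shape, and the field names, the verdict labels, and the dropper path are assumptions for the example.

```python
# Added example: flag process-creation records matching the macro-to-payload chain
# described in the article. Records below are constructed for the example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
# Children an Office application should rarely spawn directly; a macro that
# downloads and runs a payload typically goes through one of these.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# File names the article attributes to the screen locker dropper (defanged there).
KNOWN_DROPPED = {"tabdll32.dll", "tabdll64.dll"}

@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a verdict label for a suspicious record, or None if it looks benign."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line.lower()
    if any(name in cmd for name in KNOWN_DROPPED):
        return "known-dropped-module"
    if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
        return "office-spawned-script-host"
    return None

def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and keep only the records that fired."""
    return [(ev.image, verdict) for ev in events if (verdict := classify(ev))]

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden <constructed macro download stage>"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" /n "C:\\Users\\user\\Downloads\\invoice.doc"'),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\dropper.exe",   # assumed dropper path
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\user\AppData\Roaming\tabDll32.dll,Control_RunDLL"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),  # benign print helper
]

if __name__ == "__main__":
    for image, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:28s} {image}")
```

The first rule catches the macro launch regardless of payload, so it keeps working when file names change; the second is a narrow indicator for the specific dropper the article names.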