The Trickbot trojan deploys a custom proxy module derived from Bokbot, also known as IcedID. The module is based on IcedID’s code for web injection attacks.
What is the new module?
Security researcher Brad Duncan observed Trickbot’s new web injection module. Duncan noted that a malicious MS Word document, which deploys a PowerShell script to download the Ursnif trojan, also drops a Trickbot variant that includes the new IcedID proxy module.
Security researcher Vitali Kremez analyzed the proxy module and noted the resemblance between Trickbot’s proxy module and the man-in-the-browser tool IcedID uses to inject fake data into the traffic received by the victim user.
Kremez noted that this proxy module can connect to Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge. He added that the module appears to be adapted specifically for TrickBot for its fraudulent banking operations.
“2019-07-06: #TrickBot Banker #Malware Group Released Inj/Proxy "shadnewDll32" ("inj_32.dll") Module Adapted for #BokBot/#IcedID fake/inj but #TrickBot exports Hooking: FF, Chrome, IE, ME for banking #fraud,” Kremez tweeted.