
Trickbot gets custom proxy module from IcedID banking trojan

  • This new Trickbot module is dropped separately as “shadnewDll” and comes with its own configuration file.
  • This proxy module shares similarities with the man-in-the-browser tool used by IcedID for injecting fake data in the traffic received by the victim user.

The Trickbot trojan now deploys a custom proxy module derived from Bokbot, also known as IcedID. The module is adapted from IcedID’s code for web injection attacks.

What is the new module?

Security researcher Brad Duncan observed Trickbot’s new web injection module. Duncan noted that a malicious MS Word document, which deploys a PowerShell script to download the Ursnif trojan, also drops the Trickbot variant that includes the new IcedID proxy module.

  • This new Trickbot module is dropped separately as “shadnewDll” and comes with its own configuration file.
  • This proxy module can intercept and modify web traffic.
  • The module acts as a local proxy server between the client and the online banking service and can insert a fake template for the bank the user requested, in order to steal financial information.

Worth noting

Security researcher Vitali Kremez analyzed the proxy module and noted the resemblance between the proxy module of Trickbot and the man-in-the-browser tool used by IcedID for injecting fake data in the traffic received by the victim user.

Kremez noted that this proxy module can hook into Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge. He added that the module appears to be adapted specifically for Trickbot’s fraudulent banking operations.

“2019-07-06: #TrickBot Banker #Malware Group Released Inj/Proxy "shadnewDll32" ("inj_32.dll") Module Adapted for #BokBot/#IcedID fake/inj but #TrickBot exports Hooking: FF, Chrome, IE, ME for banking #fraud,” Kremez tweeted.
