So far in August there has been a rise in Trickbot Banking Trojans. The Trojan has a striking resemblance to the infection methods of Dyre and focuses on business accounts. Dyre is a banking Trojan that harvests credentials to perform automated clearing house (ACH) and wire fraud. The malware uses a range of techniques to go undetected when a browser session is hijacked and information such as credentials are stolen.
The Trojan uses phishing emails to arrive on the victim’s machine. Furthermore, there are URLs within the phishing emails but instead of being malicious URLs, they show the correct URL of the online bank and a legitimate SSL certificate, so the user sees nothing unusual. TrickBot has made its way into the banking sector by using a malvertising campaign, involving Rig Exploit Kit to distribute its payload. Trick Bot has a lot in common with its predecessor, Dyreza, although it does not have as many features (possibly designed that way to make distribution quicker).
- 9aac1e00d62e0b4049781cc5eff99bc7 – main sample (packed)
Downloaded modules (32 bit):
- b6f9ba3fd8af478147c59b2f3b3043c7 – OutlookX32.dll
- ac32c723c94e2c311db78fb798f2dd63 – module.dll (importDll32)
- f8e58af3ffefd4037fef246e93a55dc8 – mailsearcher.dll (mailsearcher32)
- 25570c3d943c0d83d69b12bc8df29b9d – SystemInfo.dll (systeminfo32)
- 5ac93850e24e7f0be3831f1a7c463e9c – loader.dll (injectDll32), reflectively loads submodules:
The malware once deployed is installed within a new directory named %APPDATA%.
IBM X Force ranks the malware as 7th on the financial malware list.
Trojans such as Trickbot combine RAT and redirection methods to carry out the multi-phased campaigns. The Trojan slowly operates victim accounts until the Trojan can deploy a standard Remote Access protocol (VNC) which is completely invisible to device recognition and geo-location software. The Trojan opens a browser from within the genuine victim machine, logs into online banking and proceeds to empty the victim's account.
The Trojan is usually written in C++ and uses a Microsoft CryptoAPI. Furthermore, the Trojan has a powerful server-side MITB web injection mechanism that allows it to vigorously inject scripts into the user browser.
IBM X Force examined the logs and found a script that contacts the remote resource to fetch the dropper.
A sample of the fake domains sending the Trickbot includes: hsbcdocs.co.uk, hmrccommunication.co.uk, lloydsbacs.co.uk, nationwidesecure.co.uk, natwestdocuments6.ml, santanderdocs.co.uk, santandersecuremessage.com, and securenatwest.co.uk. The domains have all been registered with GoDaddy.
To learn more in regards to the TrickBot Trojan visit the ongoing collection on IBM’s X-Force Exchange.