This Banking Trojan Is Spreading Across the Globe, Hitting Both Banking & Cryptocurrency Users
The criminal gang behind the notorious banking malware, TrickBot, has been expanding its global reach targeting bank accounts in over 40 countries across the world. As more criminals start using cyberintrusion and malware to take over bank accounts, the TrickBot banking trojan has so far managed to impact users in Australia, Asia, and most recently in Latin America. A research report reveals that the criminal gang has been infecting machines across Latin America, including Argentina, Chile, Colombia and Peru.
The constantly evolving banking trojan remains a threat
Earlier in summer, a research report had revealed how Trickbot operators were able to send over 75,000 emails in just 25 minutes, purporting to be from the UK’s Lloyds Bank. Thanks to it displaying nearly-correct URLs and legit SSL certificates, more users fall for it entering their banking credentials.
TrickBot was first spotted last year in October when it hit banking institutions in Australia and then moved on to target users in the UK and Europe. Latest research report from IBM X-Force reveals that TrickBot - an evolving malware project - is being developed and operated by an organized cybercrime group that aims to have a global outreach, affecting almost all the continents now. They added that TrickBot has been the most active financial trojan spotted in the wild all summer, specifically targeting Latin America right now.
"At this time, the number of targets in Latin America is still small, but this strategy is typical for TrickBot’s operators, who test the waters before moving ahead to set up redirection attacks and add more banks to their target lists," the researchers said.
Recent configuration files analyzed by IBM X-Force Research show that TrickBot’s operators are still using redirection attacks for many of their targets. The ratio in recent campaigns, where TrickBot targeted banks in no less than 40 countries, was 60 percent webinjection attacks to 40 percent redirection attacks. Those are already active in all four countries in Latin America where TrickBot targets major banks. In the current cybercrime arena, according to X-Force research, the only other gangs to use redirection attacks are the operators of the Dridex and GootKit Trojans.
The malware is delivered to target users through phishing emails. Using a botnet, criminals managed to send over 40 million emails carrying the trojan per week. IBM security experts also said that email isn't the only way they are delivering the payload as they have started to experiment with other vectors as well, including serving malware through fake websites.
TrickBot banking trojan now has modules to target cryptocurrency users
Researchers note that the trojan operators aren't only aggressive about how they deliver the malware but also continue to evolve its capabilities. The infamous leaked NSA EternalBlue exploit has been used by the developers that enables the malware to "spread through enterprise networks, along with a new worm feature it adopted to fetch its payloads from malicious remote servers".
The attackers have apparently also added some new members to the team as the code changes reveal new modules designed to steal Outlook emails, browsing data, and has also started targeting cryptocurrency users. So far they have managed to empty wallets without leaving any traces behind hitting users on Coinbase and other platforms.
Evolving from just another banking trojan to a comprehensive tool that aims to attack both the conventional banking institutions and cryptocurrency, TrickBot is a growing headache for infosec experts. While some have associated popular banking malware families to North Korea and other nation states, it is still unknown who is behind this elaborate campaign.