We’ve been monitoring the banking trojan TrickBot since its appearance last summer.
During the past few months, the malware underwent several internal changes and improvements, such as more generic info-stealing, support for Microsoft Edge, and encryption/randomization techniques to make analysis and detection more difficult. Unlike the very fast expansion of banks targeted during the first few months of activity, this number remained rather constant since then… until two weeks ago.
Initially we saw PayPal appearing in the configuration, the first and so far only financial transaction website targeted by TrickBot that is not a traditional bank. A surprising development, but apparently just a little taste of what was coming next. Last Wednesday, we observed a change in the list of targeted banks which is probably the largest expansion in TrickBot’s history thus far.
Those already familiar with TrickBot know that the trojan features two different man-in-the-browser (MitB) injection techniques, similar to those seen in the Dyre trojan: “Static Injection” to replace login pages with rogue ones, and “Dynamic Injection” to redirect browser requests to the C&C. Both injection configurations now contain banks located in at least 9 countries that were not previously on the unenviable list of TrickBot’s victims.
In the Dynamic Injection list, the following French banks were added:
And one bank located in Bahrain:
The Static Injection list suddenly tripled from 109 bank login URLs to a whopping 333, and these are not only added entries – the list is in fact entirely different. A closer look reveals that everything in Australia, New Zealand, Singapore, India, and Canada disappeared – the only leftovers are banks from the UK and Ireland. Instead, new countries include Switzerland, France, Lithuania, the Netherlands, and Luxembourg, but particularly interesting for us as a Finnish company are the 40 new Nordic banks. These are the targeted Finnish domains:
The complete Static Injection configuration can be found here: https://gist.github.com/hexlax/e93f4b0ccbf54cea55b2084121b1b863
The Static Injection technique replaces the actual login page with a rogue version created by the attackers. Here are a few examples – left is the original page, right is the TrickBot version.
There are only some very subtle differences: the Chrome icon on the upper right indicating that some elements on the page are not from a secure source, the slightly different date format at the bottom of the Nordea page… not exactly things that an average user pays attention to.
But just when you thought that the TrickBot authors had provided us with enough surprises… nothing could be further from the truth. Last Friday, all new entries in the Static Injection list had disappeared again, which essentially reverted the list to its previous state of 109 URLs. And the story is not over. Yesterday evening, another new version popped up, this time with 235 URLs, about 100 fewer than before. Several UK banks that were added last week didn’t make it into the new list, but all Nordic banks did. In other words, TrickBot’s attack on the Nordic banks started last Wednesday, but was suspended over the weekend.
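Tracking how a target list changes between configuration versions, as described above (109 to 333 to 109 to 235 URLs), is a routine task when monitoring a trojan like this. The script below is an added example and is not part of the original post or of any F-Secure tooling: it normalizes two snapshots of a Static Injection list to hostnames, reports which targets were added, removed or kept, and buckets them by top-level domain so that country-level shifts stand out. The snapshot URLs are constructed placeholders, not entries from TrickBot’s actual configuration.

```python
from urllib.parse import urlsplit

# Constructed sample snapshots of a Static Injection target list.
# Hypothetical hostnames only; not taken from the real TrickBot configuration.
SNAPSHOT_V1 = [
    "https://online.example-bank.co.uk/login",
    "https://secure.example-bank.ie/auth",
    "https://ib.example-bank.com.au/signin",
]
SNAPSHOT_V2 = [
    "https://online.example-bank.co.uk/login",
    "https://secure.example-bank.ie/auth?lang=en",   # same host, different path/query
    "https://login.example-bank.fi/",
    "https://netbank.example-bank.se/",
]


def hostnames(urls):
    """Reduce each target URL to its lower-cased hostname, so that path or
    query variations of the same login site count as one target."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def diff_targets(old_urls, new_urls):
    """Compare two configuration snapshots and return the added, removed
    and retained target hostnames (sorted for stable output)."""
    old, new = hostnames(old_urls), hostnames(new_urls)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "kept": sorted(old & new),
    }


def group_by_tld(hosts):
    """Bucket hostnames by their last DNS label. This is a crude country
    heuristic (e.g. 'co.uk' maps to 'uk', 'com' is not a country) but it is
    enough to see which regions entered or left the list."""
    groups = {}
    for host in hosts:
        tld = host.rsplit(".", 1)[-1]
        groups.setdefault(tld, []).append(host)
    return {tld: sorted(members) for tld, members in sorted(groups.items())}


def summarize(old_urls, new_urls):
    """Human-readable summary of the change between two snapshots."""
    delta = diff_targets(old_urls, new_urls)
    lines = [
        f"old snapshot: {len(hostnames(old_urls))} hosts, "
        f"new snapshot: {len(hostnames(new_urls))} hosts",
        f"added ({len(delta['added'])}):   {delta['added']}",
        f"removed ({len(delta['removed'])}): {delta['removed']}",
        "new snapshot by TLD:",
    ]
    for tld, members in group_by_tld(hostnames(new_urls)).items():
        lines.append(f"  .{tld}: {len(members)} host(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SNAPSHOT_V1, SNAPSHOT_V2))
```

In practice you would feed `diff_targets` the URL lists extracted from two consecutive configuration dumps (such as the gist linked above and its successor) rather than the constructed samples; a more precise country grouping would use the Public Suffix List instead of the last DNS label.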
So why that rollback on Friday? Was the updated configuration a mistake by the authors? A test? The C&C could not handle the sudden rise of traffic? Or perhaps they just wanted an easy weekend? We can only guess, but it will be interesting to see which tricks this bot has in store.
By the way, these recent changes in the configuration are not a coincidence. New malware versions are often accompanied by a campaign – this time was no different. On Wednesday we observed large spam campaigns delivering TrickBot, which can be seen in the graph below. The spam was spread using the Necurs botnet, which is also quite remarkable as we have seen it only distributing a very limited number of malware families, such as Dridex and Jaff.
Again, the emails have a rather generic subject, but enough to attract the victim’s attention. A few examples of the spam content.
Opening the attached document eventually leads to launching a script which downloads the TrickBot binary, an infection chain we also found in recent campaigns delivering the ransomware Jaff. Since we already had detections for these documents in place, customers of our security products were protected.