Several security researchers have spotted an increase in malware campaigns distributing the TrickBot banking trojan, going after a host of targets ranging from regular e-banking applications to PayPal accounts and business CRMs.
The TrickBot banking trojan is a relatively new threat that first appeared in September 2016. Many researchers have called it the unofficial successor of the Dyre banking trojan, which ceased activity in the winter of 2015-2016 after Russian authorities raided the headquarters of a Russian company.
Right from the start, the trojan was an upgrade and continuation of earlier Dyre versions rather than a crude offshoot.
After the initial TrickBot version, its authors continued to work on the malware. Campaigns spreading TrickBot intensified with time, as the malware coders added support for more fake login screens used to steal credentials from users in more and more countries.
Initial TrickBot campaigns only targeted users of Australian banks, but by April 2017 TrickBot had spread to banks in the UK, the US, Germany, Ireland, New Zealand, Canada, Switzerland, and France.
Distribution campaigns spreading this new threat appear to have spiked in June. Campaigns have been detected by security researcher Brad Duncan [1, 2] and cyber-security firms such as F5 Networks, PhishMe, and PwC.
This new wave of attacks uses email spam to spread the trojan. The technique these emails use is also quite new, seen previously with the Jaff ransomware.
The technique relies on sending users a PDF file that lures them into opening a Word document, which in turn asks them to enable macros to view its content.
This is a complicated and lengthy social engineering attack, as it requires users to read the email, download the PDF, click to open the Word file, and then enable macros by dismissing a security warning. While this may look like a complex and less effective routine, data gathered by IBM X-Force shows that TrickBot is today's 8th most successful banking trojan, with a share of 3% of all banking trojan detections, up from 1% a few months back.
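The delivery chain described above leaves traits that a mail gateway or triage script can check for before a user ever sees the macro prompt: a PDF that carries an embedded Office document, PDF JavaScript or a launch action that opens that attachment, and a Word container that holds a VBA project. The script below is an added example, not code from the article or from any of the firms it cites. Function names such as `pdf_indicators`, `office_has_macros` and `triage_pdf` are hypothetical, the PDF and Office samples are constructed inline so the script runs offline, and the PDF scan is deliberately shallow (raw-byte regex, no object-stream or hex-string handling), which is enough for the unobfuscated lures this kind of campaign ships.

```python
"""Triage of the PDF -> embedded Word document -> macro lure chain.

Added example with hypothetical helper names; samples are constructed, not captured.
"""
import io
import re
import zipfile

# File names that mean "an Office document is riding inside the PDF".
OFFICE_EXT = re.compile(r"\.(doc[mx]?|dot[mx]?|xls[mx]?|ppt[mx]?|rtf)$", re.I)
# /F (name) and /UF (name) entries of a /Filespec dictionary (literal strings only).
PDF_FILE_NAMES = re.compile(rb"/U?F\s*\(([^)]*)\)")


def pdf_indicators(pdf: bytes) -> dict:
    """Return the lure-relevant traits of a PDF from a shallow scan of its bytes."""
    names = [n.decode("latin-1") for n in PDF_FILE_NAMES.findall(pdf)]
    office = [n for n in names if OFFICE_EXT.search(n)]
    return {
        "embedded_file": b"/EmbeddedFile" in pdf,
        "office_attachments": sorted(set(office)),
        "javascript": b"/JavaScript" in pdf or b"/JS" in pdf,
        # exportDataObject(...nLaunch...) hands the attachment to the OS viewer;
        # /Launch is the action-dictionary equivalent.
        "auto_open": b"exportDataObject" in pdf or b"/Launch" in pdf,
    }


def office_has_macros(doc: bytes) -> bool:
    """OOXML (.docm/.docx) macros live in a vbaProject.bin part inside the zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        # Legacy OLE (.doc) or not an Office file at all: needs an OLE parser instead.
        return False


def triage_pdf(pdf: bytes) -> str:
    """'block' for a PDF that embeds an Office file and tries to open it,
    'sandbox' for an embedded Office file with no auto-open, 'allow' otherwise."""
    ind = pdf_indicators(pdf)
    if ind["embedded_file"] and ind["office_attachments"]:
        return "block" if ind["auto_open"] or ind["javascript"] else "sandbox"
    return "allow"


def build_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container; real files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE stream")
    return buf.getvalue()


# Constructed lure: catalog with an embedded-files name tree, a Filespec for a .docm,
# and an OpenAction whose JavaScript launches that attachment.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles << /Names [(invoice.docm) 3 0 R] >> >>"
    b" /OpenAction 5 0 R >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (invoice.docm) /UF (invoice.docm) /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nPK\x03\x04\nendstream endobj\n"
    b"5 0 obj << /S /JavaScript /JS (this.exportDataObject({cName:'invoice.docm', nLaunch:2});) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed benign PDF with no attachments or scripting.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print("lure PDF   :", triage_pdf(SAMPLE_PDF), pdf_indicators(SAMPLE_PDF))
    print("benign PDF :", triage_pdf(BENIGN_PDF))
    print("docm macros:", office_has_macros(build_docm(True)))
    print("docx macros:", office_has_macros(build_docm(False)))
```

The two checks are independent on purpose: the PDF verdict fires even when the embedded document is not itself inspectable (encrypted, OLE, or obfuscated), and the macro check is reusable for Word attachments that arrive without the PDF wrapper. A production filter would parse the PDF object tree rather than regex the raw bytes, since object streams and hex-encoded strings hide all of the markers this example keys on.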
Beyond banks, F5 experts say they found TrickBot configurations that target the CRM (Customer Relationship Management) applications of two high-profile SaaS providers, Salesforce and Reynolds & Reynolds.
In addition, TrickBot also comes configured to show fake login pages for 35 PayPal login URLs.
Furthermore, banks in Bulgaria, Singapore, India, and the Netherlands have been added to TrickBot's ever-growing list of targeted financial institutions.
Back in September 2016, when they first spotted the connections between Dyre and TrickBot, Fidelis researchers said "that one or more of the original developers of Dyre is involved with TrickBot."
A similar opinion was expressed by Malwarebytes a month later when the company's researchers said that "many links indicate that this bot is another product of the people previously involved in Dyreza."
The subsequent TrickBot distribution campaigns and the trojan's rapid evolution have proven both companies to be right, meaning that someone with extensive expertise in developing banking trojans is behind this threat. TrickBot developed far quicker than many expected and is becoming one of the top banking trojans available on the market today, just like Dyre was before disappearing.