An Aggressive Launch: TrickBot Trojan Rises With Redirection Attacks in the UK

IBM X-Force researchers reported that the new banking malware TrickBot is now fully operational and able to deploy two of the most advanced browser-manipulation techniques in use by banking Trojans: server-side injections (injection content fetched from the attacker's server at runtime rather than carried in a static configuration) and redirection attacks (the victim's browser is sent to an attacker-controlled replica of the bank's site while the genuine URL remains displayed). While other Trojans, such as GozNym, needed more time to prepare for such attack scenarios, TrickBot has been equipped with both capabilities from day one.

The TrickBot Trojan has been in development and testing for the past few months. At first not considered a banking Trojan per se, it became one when it implemented a webinjection mechanism in October 2016.

As of early November, X-Force researchers following the malware's development noted that its operators had launched attacks with two new configurations. This officially enabled redirection attacks against four banks in the U.K. A separate, Australia-focused configuration is primarily concerned with server-side injections. Considering its aggressive start, X-Force Research expects TrickBot to expand its target list and attack scope in the coming weeks.

TrickBot's D-Day: Adding U.K. Banks to the Mix

During its initial test infections, TrickBot primarily targeted banks in Australia, along with one Canadian bank and a regular-expression (RegEx) URL pattern matching a digital banking platform shared by regional banks in the U.S.

This scope changed almost overnight when TrickBot's operators launched two new configurations in early November. The malware now targets the personal and business banking websites of financial institutions in the U.K., Australia, New Zealand, Canada and Germany.

This post was part of my work with IBM X-Force. Read the complete post here.
