Don’t Blink! TrickBot Now Targets 10 German Savings Banks

IBM X-Force researchers following the development of the TrickBot Trojan noted that the malware is rapidly adding new targets and attack capabilities and has now officially advanced into Germany. The most recent additions to TrickBot’s configurations target 10 savings banks in the European country.

At this time, TrickBot is configured to use serverside webinjections on the targeted banks. Although TrickBot’s initial configurations featured only one bank in Germany, that has since changed. Now, with a total of 10 banks on its attack roster, it is clear that the malware’s operators invested in adapting spam and infection tools, as well as the webinjection attacks, to German-speaking customers.

The fact that TrickBot is only targeting savings banks raises the possibility that the criminals operating it have found a vulnerability common to those banks’ digital platforms or transaction authorization processes. The German bank targets are reminiscent of GozNym’s launch in Poland, during which the Trojan targeted numerous banks in the country, many of which were co-operative banks. GozNym itself has been targeting banks in Germany since August 2016.

Cybercrime in Germany

 Germany, a founding member of the European Union (EU), is the largest national economy in Europe and the fourth largest economy by nominal gross domestic product (GDP) in the world. According to a Center for Strategic and International Studies (CSIS) report, cybercrime taxes the global economy with about 0.8 percent in relation to GDP. Germany suffers twice that rate — 1.6 percent. Since the country’s GDP was $3.84 trillion in 2015, cybercrime in the country may outpace its annual growth, which was 1.5 percent in 2015. This could potentially amount to $61.4 billion in losses.

In 2014, KPMG estimated that cybercrime losses in the country exceeded $58 billion in two years. Additionally, a Ponemon Institute study conducted in 2015 ranked Germany second on the list of countries where businesses see the highest losses from cybercriminal attacks. German companies lost an average of $7.5 million in each attack.

X-Force researchers indicated that members of German underground and Dark Web forums prolifically discuss banking and payment card fraud. The German underground is also replete with traders and peddlers of crimeware, accomplice searches, cybercrime services and fraud commodities sold by local criminals or Russian-speaking actors.

This post was part of my work with IBM X-Force. Read the complete post here.