Churn Under the Surface of Global Cybercrime

Global cybercrime actors generally adhere to the same principal as a handyman: If it’s not broken, don’t fix it. But that’s not so easy when malware works in one area and attackers want to use it to target a new audience or geography.

Moving malware across borders to a new target geographic means more resources for everything, from a relatively easy change to the malware configuration file to the acquisition of new target email lists, new spam delivery mechanisms, an understanding of local banks’ authentication requirements, new local money mules and the development of webinjections to correspond with the transaction flow for each target.

Testing the Waters

After the initial investment and establishment of a connection with local crime factions, the time comes to launch actual infection and attack campaigns. To test the waters, cybercrime gangs deploy small rates of infections in a new geography and check the malware’s operation to ensure success before ramping up to a large deployment. They do that to estimate the potential for success in the new geography, reduce the risk that they will be caught early on and, for astute observers, foreshadow a bigger boom in the malware.

The crew operating TrickBot, which emerged in August 2016, launched the malware during a testing and development period to turn it into a banking Trojan and work out the bugs before its actual deployment in the U.K. and other English-speaking countries. It then promptly moved to Germany.

Growing Attack Sophistication, or Just Growing Attacks?

Dear reader: this post and the paper it leads to are both part of my research work at IBM X-Force. You can go to the original post here and obtain the paper there as well.