TrickBot Spreads to the Nordics, Launches Redirection Attacks in France

This post was co-authored with IBM X-Force's Matan Meir.

---

IBM X-Force Research detected a new wave of TrickBot attacks targeting banks in Nordic countries. The malware expanded its configurations to launch fraud attacks against banks in Sweden, Finland, Norway, Denmark and Iceland, among the other geographies it targets.

Moreover, the malware, which has been testing redirection attacks on one bank in France, now targets 28 brands in the country, focusing on corporate, investment and private banking firms.

TrickBot Takes Aim at New Targets

The TrickBot banking Trojan’s operators have been working hard this year, employing sophisticated redirection attacks against banks across the globe. IBM X-Force data revealed that they also doubled their activity between the first two quarters of 2017, modifying the code to evade detection and launching infection campaigns in different parts of the world.

Aside from the Nordics and France, TrickBot configurations target banks in 24 countries, including:

• U.K. (36 percent);
• France (10 percent);
• Sweden (9 percent);
• Switzerland (6 percent);
• U.S. (6 percent);
• Finland (6 percent);
• Norway (5 percent);
• Canada (4 percent);
• Australia (4 percent);
• Ireland (2 percent);
• Denmark (1 percent);
• Singapore (1 percent);
• Germany (1 percent);
• Lebanon (1 percent);
• Luxembourg (1 percent);
• Austria (1 percent);
• Belgium (1 percent);
• Lithuania (1 percent); and
• Hong Kong, Bulgaria, Spain, Israel, Iceland and Tahiti (under 1 percent)

Keep in mind, these numbers are for the current campaigns and will change over time. Configuration files are moving parts of any banking Trojan and can be modified rather frequently. TrickBot possesses a dedicated configuration to target banks in Australia, Canada, Germany and the U.S., to name a few.

Read more of this post here.