TrickBot Habla Español: Trojan Widens Its Attack Scope in Spain
The
TrickBot Trojan has been steadily ramping up its activity this year, going into
a rather intensive period of updates and attacks that started in Q2 2017. From
the looks of it, TrickBot’s operators have been investing heavily into widening
the scope of their attacks and are preparing redirection attacks against banks
in 19 different countries.
After
adding French and Nordic banks, the latest additions to TrickBot’s target list
are Spanish banks. While the malware had previously targeted only one bank in
Spain, it now targets six brands in the country, complete with redirection
attacks. Some banks on the list are smaller entities, suggesting that TrickBot
is keeping a low profile to test out the country’s banking system before moving
on to a wider campaign.
Other
countries where TrickBot deploys redirection attacks at this time include
Australia, Canada, Denmark, Finland, France, Germany, Ireland, Israel,
Lithuania, Luxembourg, Netherlands, New Zealand, Norway, Singapore, Spain,
Sweden, Switzerland, United Arab Emirates, the U.K. and the U.S. TrickBot is
the first and only banking Trojan to cover this many geographies and language
zones with redirection schemes, an attack type known to be more
resource-intensive to produce and maintain than dynamic web-injection schemes.
Businesses, Investment and Private Banking
TrickBot’s
operators continue to focus their efforts on the business sector, investment
banking and high net-worth individuals who hold accounts with private banks and
wealth management firms. It’s clear that TrickBot is after big money, and it’s
important to keep in mind that its operators likely possess the expertise to
obtain large amounts of stolen funds, move them on and launder them.
Starting
June 2017, IBM X-Force researchers observed that alongside malware such as
Dridex, Locky and Jaff, TrickBot’s operators were using the Necurs botnet to
deliver their malware in massive email spam infection campaigns that often
launch millions of malicious emails a day.
TrickBot
has been varying the types of files and attachments it comes inside to evade
automated detection. The latest ploy is informing potential victims that they
have a verified DocuSign document they need to open.
Why Redirect?
More
than just fitting targeted webpages with HTML or JavaScript injections, many of
TrickBot’s targets are fitted with customized redirection attacks — the most
advanced method to manipulate what victims see on their browsers.
In
simple redirection of browsing to a different page, the user sees the switch to
the next website and can observe the change in URL. This is not what happens in
TrickBot’s case. Malware redirections hijack the victim to a fake website
hosted on separate servers before he or she even sees the destination page.
In
parallel, the malware contacts the bank’s genuine webpage and keeps a live
connection with it. That way, the fake page displays the bank’s correct URL in
the address bar, as well as the bank’s genuine digital certificate. The user is
unlikely to notice any difference or suspect that he or she reached a malicious
site. The only thing that can tip off a victim is an altered flow of events
that takes place on the fake site. At that point, the victim should close the
browsing window and call his or her bank to inquire about the out-of-the-ordinary
process the malware asked them to complete.
The
redirection M.O. is used to bypass bank security measures by hijacking the
victim to a malicious website before he or she ever reaches the bank’s site. By
seamlessly moving infected victims away from the bank’s genuine website, the
malware’s operator can switch to using webinjections to steal login details,
personally identifiable information (PII) and critical authentication codes on
the replica site — all without the bank knowing that the customer’s session has
been compromised or discovering the flow of events on the fake site.
Redirection
attacks are most often identified with the resources and capabilities of
organized cybergangs because of the extra setup required to create and maintain
them for each unique target. According to X-Force research, the Trojan
redirection technique surfaced in 2014, when the Dyre gang launched it against
banks in the U.K.
Get IOCs and read on here.
Comments
Post a Comment