TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets
**This post was written with IBM X-Force researchers Ophir Harpaz and Magal Baz**
The TrickBot Trojan has been a rising global threat in the cybercrime arena ever since its emergence in late 2016. The organized cyber gang that operates TrickBot has been widening its scope of activity to dozens of countries across the globe. It has been targeting financial entities, such as banks and credit providers, and focusing on business and private banking as it aims for hefty fraudulent transfer bounties.
But this is not where TrickBot's diverse interests stop. As the value and popularity of cryptocurrency continue to rise rapidly, so does this cyber gang's interest in obtaining cryptocoins in the easiest way possible: theft. TrickBot configurations have featured popular cryptocurrency exchange URLs since about mid-2017, and we at IBM X-Force have been looking at the malware's most recent attack schemes to steal coins from infected users.
There are several types of cryptocurrency platforms, each offering a variety of services, such as trading one coin for another, transferring coins between different wallets and buying coins with a credit card. According to our analysis, TrickBot is actively targeting one such service that enables users to purchase bitcoin and bitcoin cash by credit card.
The attacks we have looked into are facilitated by TrickBot's web injections, which get in the middle of the flow of a legitimate payment card transaction. In the normal payment scenario, a user looking to buy coins provides his or her public bitcoin wallet address and specifies the amount of bitcoin to purchase. When submitting this initial form, the user is redirected from the bitcoin exchange platform to a payment gateway on another domain, which is operated by a payment service provider. There, the user fills in his or her personal information, as well as credit card and billing details, and confirms the purchase of coins.
This is where TrickBot hijacks the coins. This particular attack targets both the bitcoin exchange website and that of the payment service to grab the coins and route them to an attacker-controlled wallet.
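As an added example (not code from the X-Force post or from either platform), here is a server-side consistency check for the two-domain flow described above: the exchange binds the wallet address and amount into an HMAC token when it redirects the user to the payment gateway, and when the gateway reports back what it received through the user's browser, a recomputed token that no longer matches flags that a field was altered on the way. The key, order fields and wallet strings are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed signing key for this example; a real exchange would load it from a secret store.
ORDER_KEY = b"constructed-example-key-do-not-reuse"

# Constructed order record, as the exchange would store it when the user submits
# the initial "buy bitcoin" form (public wallet address + amount).
STORED_ORDER = {"order_id": "ord-1001",
                "wallet_address": "example-user-wallet-address",
                "amount_btc": "0.05"}

def sign_order(order: dict) -> str:
    """HMAC over the fields the exchange saw before redirecting to the payment gateway."""
    msg = json.dumps([order["order_id"], order["wallet_address"], order["amount_btc"]]).encode()
    return hmac.new(ORDER_KEY, msg, hashlib.sha256).hexdigest()

def verify_gateway_callback(callback: dict, stored_order: dict) -> list[str]:
    """Reasons to hold the order; an empty list means the gateway saw exactly what the exchange issued.

    `callback` is what the payment provider reports back: the order fields and
    token it received via the user's browser on the redirect."""
    problems = []
    reported = {"order_id": callback.get("order_id"),
                "wallet_address": callback.get("wallet_address"),
                "amount_btc": callback.get("amount_btc")}
    # The token was computed over the original fields; if any of them changed in
    # transit through the browser, the HMAC recomputed over the reported fields differs.
    if not hmac.compare_digest(callback.get("token", ""), sign_order(reported)):
        problems.append("fields reported by gateway do not match signed order token")
    # Also compare against the server-side record, independent of the token.
    if callback.get("wallet_address") != stored_order["wallet_address"]:
        problems.append("destination wallet differs from the address entered on the exchange")
    if callback.get("amount_btc") != stored_order["amount_btc"]:
        problems.append("amount differs from the original order")
    return problems

def demo() -> tuple[list[str], list[str]]:
    token = sign_order(STORED_ORDER)
    clean = dict(STORED_ORDER, token=token)
    # Constructed tampered callback: wallet swapped on the way to the gateway, token relayed unchanged.
    swapped = dict(clean, wallet_address="example-attacker-wallet-address")
    return verify_gateway_callback(clean, STORED_ORDER), verify_gateway_callback(swapped, STORED_ORDER)

if __name__ == "__main__":
    print(demo())
```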
Want to read how the rest of that process unfolds? Check out the original publication here.