TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets

**This post was written with IBM X-Force researchers Ophir Harpaz and Magal Baz**


The TrickBot Trojan has been a rising global threat in the cybercrime arena ever since its emergence in late 2016. The organized cyber gang that operates TrickBot has been widening its scope of activity to dozens of countries across the globe. It has been targeting financial entities, such as banks and credit providers, and focusing on business and private banking as it aims for hefty fraudulent transfer bounties.

But this is not where TrickBot’s diverse interests stop. As the value and popularity of cryptocurrency continue to rise rapidly, so does this cyber gang’s interest in obtaining cryptocoins in the easiest way possible: theft. TrickBot configurations have featured popular cryptocurrency exchange URLs since about mid-2017, and we at IBM X-Force have been looking at the malware’s most recent attack schemes for stealing coins from infected users.

There are several types of cryptocurrency platforms, each offering a variety of services, such as trading one coin for another, transferring coins between different wallets and buying coins with a credit card. According to our analysis, TrickBot is actively targeting one such service that enables users to purchase bitcoin and bitcoin cash by credit card.

The attacks we have looked into are facilitated by TrickBot’s web injections, which insert themselves into the flow of a legitimate payment card transaction. In the normal payment scenario, a user looking to buy coins provides his or her public bitcoin wallet address and specifies the amount of bitcoin to purchase. When submitting this initial form, the user is redirected from the bitcoin exchange platform to a payment gateway on another domain, which is operated by a payment service provider. There, the user fills in his or her personal information, as well as credit card and billing details, and confirms the purchase of coins.

This is where TrickBot hijacks the coins. This particular attack targets both the bitcoin exchange website and that of the payment service to grab the coins and route them to an attacker-controlled wallet.

Want to read how the rest of that process unfolds? Check out the original publication here.