A new banking baddie on the block, TrickBot, has emerged as part of the larger trend by organized crime to aggressively target major financial institution applications.
As with the SWIFT financial network and automated teller machine (ATM) networks, online banking applications remains a vulnerable and primary target for criminal cyber-attackers. But it appears the perps may be going back to the well for code, because TrickBot shares much in common with the Dyre malware, which became notorious in late 2014 and early 2015.
“This assumption is made based on old Dyre code, which would primarily use built-in functions for doing things such as AES and SHA256 hashing,” explained Fidelis threat researcher Jason Reaves, in a blog. “In the recent samples identifying themselves as TrickBot, the code appears to be based on that old code but rewritten to use things such as Microsoft CryptoAPI and COM.”
In November 2015, the Dyre banking trojan seemingly disappeared overnight, surprising security researchers worldwide. Months later it was announced that Russian authorities had arrested most of the gang responsible for its operations.
“Since then, nothing has been heard from those actors but the speculation was that some of programmers and other elements of the criminal operation would be subsumed into other cybercriminal operations,” Reaves said.
TrickBot may share much, but the capabilities appear to have gotten an upgrade.
“Financial institutions and their users remain in the center of the bullseye for sophisticated cyber-attackers,” said Moshe Ben Simon, TrapX co-founder and vice president of services and TrapX Labs. “TrickBot shares many common similarities with Dyre, but also sports new capabilities. Given the increased efficacy of TrickBot, and the sophisticated upgrades it brings to the cyber-war, we believe that it becomes almost impossible for banks and their customers to keep these attackers out of their networks. In order to stop these sophisticated cyber-attacks, banks must look to new technologies that can find these perpetrators inside their networks after they have penetrated their primary cyber defenses.”
That said, TrickBot appears to be in its toddler stages. In initially testing TrickBot, which for the moment has shown up in attacks against Australian banks, Reaves saw that it came with a single module called GetSystemInfo. As the name suggests, this appears to be entirely geared towards harvesting system information—indicating that the criminals behind the bot are still testing its efficacy. Last week though, Reaves uncovered a new version with a browser inject module.
“It does appear as though the injects are still being tested and possibly added as they convert them over to the new structure,” Reaves said. “This setup does fall in line with how Dyre had its config separated out though…It’ll be interesting to see if TrickBot can reach or pass its predecessor.”
Reaves said that whoever is behind TrickBot is pushing to rebuild a Cutwail botnet in preparation for future spam runs.
Photo © Shamleen