TrickBot banking Trojan is the next big threat

After months of testing, a new banking Trojan called TrickBot is being aggressively slung at owners of personal and business bank accounts in UK and Australia.

Trickbot Trojan

TrickBot’s tricks

TrickBot is fully operational and deploys two advanced browser manipulation techniques – server-side injections and redirection attacks – to compromise banking sessions.

It’s effectiveness was first tested by its creators last month, and November witnessed the launch of two new configurations of the malware – one targeting customers of four banks in the UK with redirection attacks, the other hitting Australian bank account owners with server-side injections.

Users of financial institutions in New Zealand, Germany and Canada are also targeted, but still minimally.

Delivery methods

The malware peddlers’ choice of delivery methods points to a preference for compromising business bank accounts.

“They have been sending malware-laden spam to companies, not just indiscriminate waves of email,” noted IBM executive security advisor Limor Kessem. They’ve also been trying out the Rig exploit kit.

The researchers say that TrickBot has similarities with the Cutwail botnet’s malware and uses the same crypter as Vawtrak, Pushdo and Cutwail.

“The Cutwail botnet was, coincidentally, also one of Dyre’s distribution methods during the time it was active,” they pointed out, adding that that might not be a coincidence, and that they believe that TrickBot was “likely either built by parts of the Dyre team or by someone who values this nefarious project and aims to build a similar beast.”

As they see it, TrickBot is poised to become the next big threat, and a serious contender in the banking malware market.