Trickbot abuses top brands including Bank of America, Wells Fargo in attacks against customers

Trickbot malware is a thorn in the side of cybersecurity professionals and is now targeting the customers of 60 major institutions in phishing attacks and through web injections. 

Trickbot began its journey as a relatively simple Banking Trojan alongside the likes of Zeus, Agent Tesla, Dridex, and DanaBot. However, after the Dyre botnet was retired in 2016 and the infrastructure supporting the prolific Emotet botnet was disrupted by Europol and the FBI last year, more attention has been paid to Trickbot activities. 

The malware is modular, which means that users can adopt the software to conduct a wide range of attacks – and these assaults can be tailored depending on the desired victims.

On February 16, Check Point Research (CPR) published a new study on Trickbot, noting that the malware is now being used in targeted attacks against customers of 60 “high profile” organizations, many of whom are located in the United States. 

The companies themselves are not the victims of the malware. Instead, TrickBot operators are leveraging the brands’ reputations and names in numerous attacks. 

According to CPR, the brands being abused by TrickBot include the Bank of America, Wells Fargo, Microsoft, Amazon, PayPal, American Express, Robinhood, Blockchain.com, and the Navy Federal Credit Union, among others. 

Financial organizations, cryptocurrency exchanges, and technology firms are all on the list. 

The researchers have also provided technical details on three key modules – out of roughly 20 that Trickbot can use – used in attacks and to prevent analysis or reverse-engineering. 

The first, injectDll, is a web injection module that can compromise a browser session. This module can inject JavaScript code into a browser to perform banking data and account credential theft, such as by diverting victims to malicious pages that appear to be owned by one of the legitimate companies mentioned above. 

In addition, the module’s web inject format uses a tiny payload that is obfuscated to prevent detection.   

TabDLL uses five steps to steal information. The malicious code opens up LSASS application memory to store stolen data, injects code into explorer.exe, and then forces the victim to enter login credentials before locking them out of their session. The credentials are then stolen and exfiltrated from LSASS using Mimikatz, before being whisked away to the attacker’s command-and-control (C2) server. 

Furthermore, this module is also able to use the EternalRomance exploit to spread Trickbot across SMBv1 networks. 

The third module of note is pwgrabc, designed to steal credentials from applications including the Chrome, Edge, Firefox and Internet Explorer browsers; Microsoft Outlook, FileZilla, TeamViewer, Git, and OpenSSH. 

“Trickbot remains a dangerous threat that we will continue to monitor, along with other malware families,” the researchers say. “No matter what awaits TrickBot botnet, the thorough efforts put into the development of sophisticated TrickBot code will likely not be lost and the code would find its usage in the future.”

In a separate research study published by IBM Trusteer in January, variants of Trickbot have been discovered that contain new features designed to hamper researchers trying to analyze the malware through reverse-engineering. 

Alongside server-side injections and HTTPS C2 communication, Trickbot will throw itself in a loop if ‘code beautifying’ is detected – the automatic clean-up of code to make it more readable and easier to analyze.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0