TrickBot Trojan: Attack and Protection

Posted by David García - 13/11/2017

TrickBot seems to be one of the most popular Trojans these days and, as we could expect, our customers at bugFraud have also come across it.

This banking trojan continues to be quite active on the Internet today.

We have classified TrickBot into Dyre Family due to the number of design and architectural features this malware shares with this family, such as Webinject modules or Webinjects themselves. Both used against banks.

Since summer 2017, Nordic countries, Spain and the USA have been the main targets for Malware. Additionally, we have oberved a significant impact on LATAM countries.

TrickBot affect its victims in 2 differents ways: Webfakes and WebInjects.

 

WebFakes

It´s a tecnique that redirects the victim to a malicious server controlled by cybercriminals when the user intends to access their online banking website.

The online banking user does not get to log into their real website but into a fake one instead. Cybercriminals can then take control of the user´s account. In addition to this, they can even decepteively require additional information to be later sold on the black market.

The only genuine requests from the original entity´s server shows a security certificate which “proves” the website´s legitimacy.

The detection of this type of attacks from the server´s side is very complicated. Following are some of the possible solutuions

  • Incomplete requests detection on server log in. For example, the request of a SSL certificate when the customer has not downloaded any content or web resources.
  • Code injection (input) into the bank´s web which warns about its execution from an external site and that, passing unnotice, it is included in the copy of the fraudulent site.
  • Biometric behaviour solutions in the event of account theft attempt, by detecting fraudulent access.

bugFraud considers biometric behaviour to be the best solution as it can not be easily detected and replicated by cybercriminals. The rest of the tecniques can be detected and manipulated in a simpler way.

The bugFraud biometric behaviour system detects every attempt to use stolen credentials by cybercriminal and is able to stop or warn about the inappropiate use of the accounts of bank customers.

 

WebInjects

These attacks are based on web alteration that allows cybercriminals to carry out several actions such as collecting credentials, retrieving specific information from a victim or even making transfers to mule accounts.

Such changes are made to the users code which is intrpreted by the browser, on HTML or JS for instance.

There are several approaches to making the injection attack: 

  • Client Side Injections: these attacks began to be performed from the victim´s side, by downloading a configuration file from a malicious server containing all the injections and differents attacks to banking entities.
  • Server Side Injectios: currently, TrickBot is performing a type of attack in wich when users accesses an online banking website,the malware sends the response over to the cybercriminals server which then returns the original response from the bank along with the malicious injection.

Below we show one of the latest injections detected by our fraud online banking researchers and the similarity between two different injections that can affect different banks. Fig.A sample of Dyre detected in 2015 Fig.B sample of TrickBot Trojan in this year:

diff1.png

Dyre (2015)

 

diff2.png

TrickBot (2017)

In the specific injection analyzed, the “document.referrer” it is stored in a cookie “thnz_referrer” and in a variable, next to the window´s tittle. Later, it use a form for “invited” the victims to enter theirs crendentials.

Finally, all information is sent to the cybercriminal control panel.

These type of attacks are being detected by bugFraud, due to we are able to detect them actively when user is being affected in real time. However, banks may also detect this attack by use of a certain cookie. Although at any time, the fraudster could make the cookie Dynamic, change it or delete it.

 

For more information:

https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/

https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/

https://f5.com/labs/articles/threat-intelligence/malware/trickbot-rapidly-expands-its-targets-in-august-shifting-focus-to-us-banks-and-credit-card-companies

 

Topics: malware

 

 

Deep Learning for Online Fraud Prevention


recent posts

The future of infections: Autonomous malware

read more

Brain hacking II: Getting over the firewall

read more

A new banking Trojan, BANKER RTC PORTAL, attacks Latin American and European banks

read more