Labs - Malware Analysis

Analyzing TrickBot, a banking malware for Windows

Written by David García | Jan 8, 2020 9:14:00 AM

Although it is true that malware attacks have been changing in recent years, a large part of them are still aimed at stealing victims' banking credentials.

In recent months ransomware attacks have become very popular, since the profit that attackers can obtain is usually greater than the profit obtained through malware focused solely on the theft of banking information. In addition, the risk is lower: using stolen credentials to actually withdraw the money involves a greater risk, except in cases where the stolen credentials are simply sold on the 'deep web'.

In addition to the risks for attackers, technology has also advanced in recent years, and users now have two-factor authentication, whether by SMS, biometric data or some other mechanism. These mechanisms are designed to hinder the use of stolen credentials by verifying that it is indeed the user who is trying to log in or make a transaction.

That is why file-hijacking (ransomware) attacks have become so popular. In addition to carrying fewer risks and problems when it comes to obtaining the economic benefit, they are also easier to execute. As we will see, the complexity of banking malware for Windows is very high compared to the ease of ransomware development.

We are going to examine the operation of one of the most popular banking malware families: 'TrickBot'. As we can see on the graph below, every hour an average of 200 samples of this banking Trojan are analyzed on VirusTotal.

The techniques used by this banking malware are commonly used by other banking Trojans to steal logon credentials, not only for bank accounts, but also for other services of interest, such as Amazon.

If you are interested in continuing to read the full malware analysis you can download.