With a boost from Necurs, Trickbot expands its targeting to numerous U.S. financial institutions
The Necurs botnet first emerged in 2012 and has since become notorious for powering massive, malware-laden spam campaigns. Although the botnet’s historical association with Locky and Jaff Ransomware has long raised concerns from organizations across all sectors, Necurs is now delivering a different type of malware that poses a threat specifically to the financial sector: the Trickbot banking Trojan.
Trickbot has been responsible for man-in-the-browser (MitB) attacks since mid-2016, yet the malware’s webinject configuration has only targeted financial institutions located outside of the U.S. — up until now. Starting on July 17, 2017, Flashpoint observed a new, Necurs-powered Trickbot spam campaign containing an expanded webinject configuration developed to target and infect customers of international and U.S.-based financial institutions. The latest Trickbot campaign, known as “mac1,” targets customers of various institutions in the U.S., U.K., New Zealand, France, Australia, Norway, Swedish, Iceland, Finland, Canada, Italy, Spain, Switzerland, Luxembourg, Belgium, Singapore, and Denmark.
Upon infecting a machine, Trickbot initially creates a process using the “CREATE_SUSPENDED” flag before injecting its module and terminating the initial thread used to launch the Trojan.
Next, Trickbot creates a folder in %APPDATA%, copies itself there, adds an authroot certificate file in %TEMP%, and adds as a service update[.]job for persistence in the Windows Task folder. Trickbot then stores an encoded configuration module in the “resource” section of its binary and retrieves additional modules from its controller domains when needed.
Trickbot’s mac1 main configuration is as follows:
<autorun><module name=”systeminfo” ctl=”GetSystemInfo”/><module name=”injectDll”/></autorun></mcconf>
The certificate is set with the expiration date as follows:
The Trickbot’s server configuration is as follows:
Trickbot’s module configuration is as follows:
<needinfo name=”id”/><needinfo name=”ip”/>
<conf ctl=”dinj” file=”dinj” period=”20″/>
<conf ctl=”sinj” file=”sinj” period=”20″/>
<conf ctl=”dpost” file=”dpost” period=”60″/>
<module name=”systeminfo” ctl=”GetSystemInfo”/>
Trickbot also contains importDll32, mailsearcher32, systeminfo32, injectDll32, and outlookDl32 modules.
Flashpoint observed Trickbot’s mac1 static (“sinj”) and dynamic (“dinj”) webinject modules targeting customers of U.S. and international financial institutions in the following three formats:
Furthermore, Flashpoint’s malware analysis revealed significant similarities between the Trickbot banking Trojan and the Dyre banking Trojan. Indeed, Trickbot is considered to be Dyre’s successor. As such, it’s possible that Trickbot’s author may have either had deep knowledge of Dyre or simply re-used old source code. The Dyre cybercriminal syndicate has historically targeted various Western financial institutions including those located in the U.S., U.K., and Canada. Following a takedown by Russian law enforcement, the Dyre banking Trojan gang ceased operations in 2015; their old aliases have since disappeared from the underground.
Since the Trickbot banking Trojan’s mac1 campaign remains fueled by the powerful Necurs botnet, it will likely continue to evolve and target customers of U.S. and international financial institutions. Anti-fraud programs are an important part of many FI programs to detect and counter this threat to their customer base. As threats posed by malware such as Trickbot continue to emerge and their targets expand, it is crucial for all organizations and its users to be extra vigilant in their security practices.
The Trickbot mac1 Indicators of Compromise (IOCs) are available for download here.