Meet TrickBot, a relatively new banking Trojan believed to be a close relative of the old Dyre banker. According to researchers at Fidelis Cybersecurity, TrickBot, detected in September 2016 has a lot in common with Dyre.
In case you don’t remember, the Dyre operation was discontinued in November 2015 after Russian authorities raided a Moscow film distribution company. Even though it took some time for Dyre campaigns to stop, the frequency of spam distributing Dyre started to fade away after the intervention of the Russian police.
Now it appears that TrickBot is here to take the place of the devastating banker. Let’s see what the researchers say.
TrickBot Banking Trojan: Technical Overview
Because of the plentiful similarities, Fidelis researchers suspect that TrickBot is developed by the same team, or members of the team that was behind the Dyre operation:
In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has a strong connection to the Dyre banking trojan. From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn’t until you decode out the bot, however, that the similarities become staggering.
The analyzed TrickBot campaign is based on webinjects that target banks in Australia. Interestingly, the banking Trojan is more likely a rewritten version, not an old one. While the bot performs very similar functions and activities, the code style is quite a bit different than the older Dyre code in several ways, researchers note. Some of the differences include the way the bot interfaces with TaskScheduler through COM instead of running commands directly; the bot uses Microsoft CryptoAPI instead of running SHA256 or AES routine; more C++ in the bot when compared to the original Dyre which was mostly coded in C.
On the other hand, researchers say that TrickLoader, the TrickBot module that infects the victim, is very much alike Dyre’s loader.
Based on these observations, it’s evident that there is a strong link between Dyre and TrickBot. However, it should be noted that TrickBot is not a copy-paste variant but instead displays a substantial new development. “With moderate confidence, we assess that one of more of the original developers of Dyre is involved with TrickBot”, researchers conclude.
The Similarities Trickbot shares with Dyre
The crypter in TrickBot is custom and was previously found in Vawtrak, Pushdo and Cutwail malware. As pointed out, the Cutwail spambot was deployed by the operators of Dyre in their spam campaigns.
The loader reminds a lot of Dyre’s loader, including a including x86 and x64 bot version and another section named x64 loader.
The loader simply checks if it is running on a 32 or 64bit system before decoding the appropriate resource section(s).
Even though there are many similarities with Dyre, TrickBot is more of a rewritten character.
This assumption is made based on old Dyre code, which would primarily use built-in functions for doing things such as AES and SHA256 hashing. In the recent samples identifying themselves as TrickBot, the code appears to be based on that old code but rewritten to use things such as Microsoft CryptoAPI and COM.
As already mentioned, TrickBot is currently targeting banks in Australia.
Since TrickBot is being spread in email spam campaigns, go through these tips to decrease the chances of an infection.
Anti-Spam Protection Tips
- Employ anti-spam software, spam filters, aimed at examining incoming email. Such software serves to isolate spam from regular emails. Spam filters are designed to identify and detect spam, and prevent it from ever reaching your inbox. Make sure to add a spam filter to your email. Gmail users can refer to Google’s support page.
- Don’t reply to dubious email messages and never interact with their content. Even an ‘unsubscribe’ link within the message body can turn out to be suspicious. If you respond to such a message, you will just send a confirmation of your own email address to cyber crooks.
- Create a secondary email address to use whenever you need to register for a web service or sign up for something. Giving away your true email address on random websites is never a good idea.
- Your email name should be tough to crack. Research indicates that email addresses with numbers, letters and underscores are tougher to crack and generally get less spam emails.
- View your emails in plain text, and there’s a good reason why. Spam that is written in HTML may have code designed to redirect you to unwanted pages (e.g. advertising). Also, images within the email body can be used to ‘phone home’ spammers because they can use them to locate active emails for future spam campaigns. Thus, viewing emails in plain text appears to be the better option. To do so, navigate to your email’s main menu, go to Preferences and select the option to read emails in plain text.
- Avoid posting your email address or a link to it on web pages. Spam bots and web spiders can locate email addresses. Thus, if you need to leave your email address, do it as it follows: NAME [at] MAIL [dot] com or something similar. You can also look for a contact form on the website – filling out that form shouldn’t reveal your email address or your identity.
And don’t forget to keep your anti-malware program running!
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter