The Trickbot banking Trojan has received an August 2018 update which adds a new code injection module. The infamous malware has remained active over the years as one of the most prominent Trojans used for financial crimes. The newly added component reveals that its development has not stalled and that we can anticipate further updates as well.
The August 2018 Trickbot Banking Trojan Distribution Methods Remain the Same
The Trickbot banking Trojan in its August 2018 release is being distributed using infected payloads. The main method used by the majority of attackers appears to be email phishing messages that either attach the malware files or link to them in the message body. The emails are designed to appear as if sent by a well-known Internet company or service. The payloads are usually documents (rich text documents, spreadsheets, presentations or databases) that carry malicious macros. Once they are opened a notification prompt asks the user to enable the scripts; when this is done the infection follows.
Other techniques that can be used to spread such threats include the following:
- File Sharing Networks — A large percentage of virus infections (including the Trickbot banking Trojan) can be caused by downloading files from file sharing networks such as BitTorrent, which are well-known for spreading pirated and illegal content.
- Fake Download Sites — The criminals can create malicious sites that utilize the design elements of well-known Internet portals or vendor download sites.
- Browser Hijackers — Malicious users can embed the virus code into plugins made for the most popular web browsers. These are usually uploaded to the relevant repositories together with fake user reviews and an elaborate description. Such techniques coerce users into installing the plugins by promising newly added functionality or other extras that are never actually delivered. The name “browser hijacker” comes from the fact that upon installation a built-in pattern is executed — the default settings are changed to redirect the victims to a hacker-controlled page. After this the virus infection is triggered.
After the malicious macros are executed a PowerShell script will be downloaded and run. This action will trigger the delivery of an obfuscated version of the Trickbot banking Trojan.
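The macro-to-PowerShell hand-off described above is the stage a defender can observe most cheaply in process-creation telemetry: an Office application becomes the parent of a script host, and the script host's command line asks for remote code or a hidden window. The following triage script is an added example, not code from the article or from any security vendor; the field names mirror Sysmon Event ID 1 but are an assumption here, and the sample events are constructed rather than real telemetry.

```python
"""Triage process-creation telemetry for Office-launched script hosts.

Added example, not code from the article or from any security vendor. The
field names (ParentImage, Image, CommandLine) mirror Sysmon Event ID 1 but
are an assumption here; the sample events are constructed, not real
telemetry.
"""
import re

# Office applications whose macros the article describes as the entry point.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe"}
# Interpreters a macro typically hands off to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments that indicate remote code fetching, encoded
# commands, window hiding or policy bypass (constructed list).
SUSPICIOUS_ARGS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
    r"invoke-expression|-enc\w*\s|-w(indowstyle)?\s+hidden|bypass)",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one process-creation event.

    One point for an Office parent launching a script host, one point for
    suspicious arguments on a script host's command line.
    """
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
    if image in SCRIPT_HOSTS:
        hits = sorted({m.group(0).strip().lower()
                       for m in SUSPICIOUS_ARGS.finditer(cmdline)})
        if hits:
            reasons.append("suspicious args: " + ", ".join(hits))
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return the events whose score reaches the threshold, with reasons."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append({"RecordId": ev.get("RecordId"),
                            "score": score, "reasons": reasons})
    return flagged


# Constructed sample events, not real telemetry. The encoded payload is a
# placeholder, not an actual command.
SAMPLE_EVENTS = [
    {"RecordId": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc <base64>"},
    {"RecordId": 2,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"RecordId": 3,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, threshold=1):
        print(hit)
```

With the default threshold of 2 only record 1 is returned; lowering the threshold to 1 also surfaces record 3, where Excel launches cmd.exe with an innocuous command line. Which threshold is right depends on how much Office-spawned scripting is normal in the environment; the parent/child relation alone is a strong signal in most office fleets.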
August 2018 Trickbot Banking Trojan Changes: What’s New
After the Trickbot banking Trojan is acquired on the infected host the newly implemented stealth code injection is run. It first delays the infection for a set time (30 seconds). This technique can evade signature scans by security software such as anti-virus solutions, sandbox environments and virtual machine hosts. Their real-time engines can be bypassed or entirely removed by the malicious code.
The actual decryption of the obfuscated Trickbot banking Trojan is run after the stealth protection code has completed. The newer version of the malware uses direct system calls, a technique also seen in Flokibot, a variant of Zeus. This suggests that the hackers behind the new Trickbot banking Trojan release may have drawn on several different code sources.
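Direct system calls matter to defenders because the usual user-mode hooks that anti-virus engines place on ntdll exports never see the call. One way to hunt for the technique in a memory dump is to look for the instruction sequence a system-call stub consists of in places where it does not belong: in a legitimate process those stubs live only in ntdll.dll. The scanner below is an added example, not code from the article or from any vendor; it covers the x64 stub shape (mov r10, rcx; mov eax, imm32; syscall) and assumes the caller has already split the dump into named regions. The byte buffers are constructed, and the system-call numbers in them are arbitrary.

```python
"""Heuristic scanner for inlined x64 system-call stubs.

Added example, not code from the article. It finds the instruction sequence
an x64 Windows system-call stub uses (mov r10, rcx; mov eax, imm32; syscall)
inside a byte buffer. Such stubs are expected only in ntdll.dll, so finding
one in another image or in an unbacked region is a signal worth triaging.
Sample buffers below are constructed; the syscall numbers are arbitrary.
"""
import re

# mov r10, rcx      = 4C 8B D1
# mov eax, imm32    = B8 xx xx xx xx
# syscall           = 0F 05
# Up to 32 bytes may sit between the mov eax and the syscall: newer stubs
# insert a test of a user-shared-data flag and a conditional jump there.
STUB = re.compile(rb"\x4c\x8b\xd1\xb8(?P<num>.{4}).{0,32}?\x0f\x05", re.DOTALL)


def find_syscall_stubs(blob):
    """Return a list of (offset, syscall_number) for each stub found in blob."""
    found = []
    for m in STUB.finditer(blob):
        num = int.from_bytes(m.group("num"), "little")
        found.append((m.start(), num))
    return found


def assess(regions):
    """regions: iterable of (name, is_ntdll, blob).

    Return the names of regions that carry syscall stubs but are not ntdll;
    those are the candidates for a direct-syscall implementation.
    """
    return [name for name, is_ntdll, blob in regions
            if not is_ntdll and find_syscall_stubs(blob)]


# Constructed sample data (not from any real binary).
PREFIX = b"\x48\x89\x5c\x24\x08\x48\x89\x74\x24\x10"   # ordinary prologue bytes
# Stub in the newer layout: mov r10,rcx; mov eax,0x18; test byte ptr [shared
# data flag],1; jne +3; syscall; ret; int 2e; ret
STUB_A = bytes.fromhex("4c8bd1b818000000f604250803fe7f0175030f05c3cd2ec3")
FILLER = b"\x90" * 6
# Minimal stub: mov r10,rcx; mov eax,0x50; syscall; ret
STUB_B = bytes.fromhex("4c8bd1b8500000000f05c3")
# Decoy with the right prefix but no syscall instruction, must not match.
DECOY = bytes.fromhex("4c8bd1b8010000004c8bd1c3")
SAMPLE = PREFIX + STUB_A + FILLER + STUB_B + DECOY

SAMPLE_REGIONS = [
    ("ntdll.dll .text (constructed)", True, STUB_A + STUB_B),
    ("unbacked RWX region (constructed)", False, SAMPLE),
]

if __name__ == "__main__":
    for off, num in find_syscall_stubs(SAMPLE):
        print(f"stub at offset {off}: syscall number {num:#x}")
    print("suspicious regions:", assess(SAMPLE_REGIONS))
```

The heuristic is deliberately narrow: it matches only the x64 stub shape, so 32-bit samples (which use sysenter or the WoW64 gate instead) and stubs that are split or obfuscated will not be caught, and the system-call number it extracts is only meaningful for the exact Windows build the dump came from. Its value is as a cheap first pass over unbacked or injected memory, after which the flagged region gets a proper disassembly.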
The threat retains the ability to hook up to system services and user-installed applications. This type of malware focuses on several key areas:
- Data Theft — Trojans usually include a component that tracks the strings entered by users. Whenever a value of interest is captured it can be transmitted automatically to the hackers. Most of them target private user data that can expose the victim's identity and be abused — their name, address, interests, location and passwords.
- Phishing Mechanics — Using built-in instructions the banking Trojan can present fake login pages for popular services as their addresses are entered in the web browser.
- Hacker Control — By connecting to a hacker-controlled server the malicious operators are able to spy on users in real time, take over control of the hosts and deploy other threats.
The fact that work on the Trickbot banking Trojan continues long after its initial release shows that many criminal groups continue to rely on several main malware families in coordinating large-scale infection campaigns.