Trickbot abuses big brands such as Bank of America and Wells Fargo in attacks on customers

The Trickbot malware is a thorn in the side of cybersecurity professionals and is now targeting customers of 60 major institutions in phishing attacks and web injections.

Trickbot started its journey as a relatively simple banking Trojan alongside Zeus, Agent Tesla, Dridex, and DanaBot. However, after the Dyre botnet was taken down in 2016 and the infrastructure supporting the prolific Emotet botnet was disrupted by Europol and the FBI last year, more attention has been paid to Trickbot’s activities.

The malware is modular, which means that users can adopt the software to carry out a wide range of attacks – and these attacks can be tailored according to the desired victims.

On February 16, Check Point Research (CPR) published a new study on Trickbot, noting that the malware is now being used in targeted attacks against customers of 60 “high profile” organizations, many of which are located in the United States.

The companies themselves are not the victims of the malware. Instead, TrickBot operators leverage brand reputations and names in many attacks.

According to CPR, brands abused by TrickBot include Bank of America, Wells Fargo, Microsoft, Amazon, PayPal, American Express, Robinhood,, and Navy Federal Credit Union, among others.

Financial organizations, cryptocurrency exchanges, and tech companies are all on the list.

The researchers also provided technical details on three key modules – out of approximately 20 that Trickbot can use – used in attacks and to prevent analysis or reverse engineering.

The first, injectDll, is a web injection module that can compromise a browser session. This module can inject JavaScript code into a browser to perform the theft of banking data and account credentials, for example by diverting victims to malicious pages that appear to belong to one of the legitimate companies mentioned above. above.

Additionally, the module’s web injection format uses a tiny payload that is obfuscated to prevent detection.

TabDLL uses five stages to steal information. The malicious code opens the memory of the LSASS application to store the stolen data, injects code into explorer.exe, then forces the victim to enter their login credentials before locking them out of their session. The credentials are then stolen and exfiltrated from LSASS using Mimikatz, before being transferred to the attacker’s command and control (C2) server.

Additionally, this module is also capable of using the EternalRomance exploit to stream Trickbot over SMBv1 networks.

The third module of note is pwgrabc, designed to steal credentials from applications such as Chrome, Edge, Firefox, and Internet Explorer browsers; Microsoft Outlook, FileZilla, TeamViewer, Git and OpenSSH.

“Trickbot remains a dangerous threat that we will continue to monitor, along with other malware families,” the researchers say. “No matter what awaits the TrickBot botnet, the painstaking efforts put into developing sophisticated TrickBot code will likely not be wasted, and the code will find its use in the future.”

In a separate research study published by IBM Trusteer in January, variants of Trickbot were discovered that contain new features designed to frustrate researchers attempting to reverse-engineer the malware.

Along with server-side injections and HTTPS C2 communication, Trickbot will launch into a loop if “code beautification” is detected – the automatic cleaning of code to make it more readable and easier to analyze.

Previous and related coverage

Do you have any advice? Get in touch securely via WhatsApp | Signal at +447713 025 499, or more at Keybase: charlie0

Comments are closed.