New Trojan malware campaign sends users to fake banking site that looks just like the real thing

Trickbot is now redirecting to a counterfeit site that displays the correct URL and the digital certificate of its genuine equivalent.
Written by Danny Palmer, Senior Writer

The Trickbot Trojan targets banks around the world.

Image: iStock

A notorious banking Trojan is targeting customers of a major bank with a new email spam campaign, which directs victims to a fake login page that's indistinguishable from that of their real bank.

The credential-stealing Trickbot banking malware has been hitting the financial sector since last year and targets online banking customers in the US, UK, Australia, and other countries.

Those behind this particular banking Trojan are continually developing it and have even been experimenting with EternalBlue, the Windows exploit that helped spread WannaCry and Petya.

But no matter how advanced malware gets, phishing remains a common attack vector for distributing malicious payloads.

Uncovered by security researchers at Cyren, the latest Trickbot distribution campaign sent over 75,000 emails in 25 minutes, all claiming to be from Lloyds Bank, one of the UK's biggest banks.

Emails were sent with the subject 'Incoming BACs', a reference to BACS, a system that allows users to make payments directly from one email account to another. The emails claim that the target needs to review and sign attached documents.

A phishing email claiming to be from Lloyds used to distribute Trickbot.

Image: Cyren

After downloading and opening the Excel attachment 'IncomingBACs.xlsm', the user is asked to enable macros to allow the document to be edited. As with many malicious email campaigns, however, it's this process that allows the malware payload to be deployed.

In this case, the Trojan uses PowerShell to download an executable file, which eventually runs as 'Pdffeje.exe', the main TrickBot process, which installs the malware onto the machine.

Once a computer is infected with Trickbot, the malware runs in the background and waits for the victim to visit their online bank.

When they do so, Trickbot redirects them to a malicious site, which in this case is a fake version of the Lloyds website that looks exactly like the real thing -- complete with the correct URL of the online bank and a legitimate SSL certificate, so a user may not suspect they're being tricked.

"By using HTML and JavaScript, the malicious site is able to display the correct URL and the digital certificate from the genuine site on the malicious page," Sigurdur Stefnission, vice president of threat research at Cyren, told ZDNet.

By doing this, the attacker is able to see and steal the victim's online banking credentials and security codes, and make off with their funds and data.

While the fake sites resemble the real thing -- even showing the user the correct URL of the online bank and a legitimate SSL certificate so the user doesn't see anything unusual -- there's one major giveaway that the email isn't from Lloyds: the email address it is sent from is spelled incorrectly.

Instead of being from lloydsbank.co.uk, the message is sent from lloydsbacs.co.uk, a domain hosted by a Dutch IP address and a known source of spam.
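The sender-domain giveaway above is something a mail filter can check mechanically. The following is an added example (not code from Cyren, Lloyds or ZDNet) that flags messages whose From: domain is a near-miss of an expected bank domain and that carry a macro-enabled attachment; the legitimate-domain list and the sample messages are constructed for the example.

```python
import re

# Legitimate sender domains we expect bank mail from (assumed list for this example).
LEGIT_DOMAINS = {"lloydsbank.co.uk"}
# Macro-enabled Office extensions; the campaign used an .xlsm attachment.
MACRO_EXTENSIONS = (".xlsm", ".docm", ".pptm")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Lloyds <x@lloydsbacs.co.uk>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def is_lookalike(domain: str, max_distance: int = 2) -> bool:
    """True if the domain is close to, but not equal to, a legitimate domain."""
    return any(d != domain and edit_distance(d, domain) <= max_distance
               for d in LEGIT_DOMAINS)


def triage(msg: dict) -> list:
    """Return the reasons a message resembles this campaign (empty list if none)."""
    reasons = []
    domain = sender_domain(msg.get("from", ""))
    if is_lookalike(domain):
        reasons.append(f"lookalike sender domain {domain}")
    for name in msg.get("attachments", []):
        if name.lower().endswith(MACRO_EXTENSIONS):
            reasons.append(f"macro-enabled attachment {name}")
    return reasons


# Constructed sample messages (not real captures) modelled on the campaign described above.
SAMPLE_MESSAGES = [
    {"from": "Lloyds Bank <documents@lloydsbacs.co.uk>", "subject": "Incoming BACs",
     "attachments": ["IncomingBACs.xlsm"]},
    {"from": "Lloyds Bank <noreply@lloydsbank.co.uk>", "subject": "Your statement",
     "attachments": ["statement.pdf"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", triage(msg) or ["no indicators"])
```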

"The protection of our customers is of paramount importance to us, and we remain committed to being vigilant and ensuring that our cyber security controls remain effective," a Lloyds Bank spokesperson told ZDNet.

"We encourage any customer who believes that they have been the victim of fraud to contact us at the earliest opportunity so that we can provide the appropriate support."

At its core, TrickBot remains similar to its predecessor, the data-stealing Dyre Trojan, with its signature browser manipulation techniques.

While it isn't as prolific as the likes of Zeus, Gozi, Ramnit, and Dridex, researchers warn that Trickbot will continue to be a "formidable force" in future, as its authors look to add more potent capabilities to better distribute this dangerous malware.

"TrickBot evolves and changes almost every day and targets new banks all over the world, so all banks should be on alert," said Stefnission.

It's currently not clear who is behind Trickbot, but the way the malware is continually evolving suggests it's the work of a well-organised, well-funded cybercriminal group.
