But that isn't enough for the cybercriminal operation behind the scheme, as cybersecurity researchers at IBM X-Force say the hackers are targeting a growing list of business banks -- including a UK-based one described as "among the oldest banks in the world".
In total, TrickBot has added 20 new banks to its list of UK targets, along with eight building societies. Although the malware predominantly targets institutions in the UK and Australia, other new targets include two Swiss banks, financial firms in Germany and four investment banks in the United States. Targets even include a Sharia law-compliant bank.
The attacks are few in number and highly targeted, but the perpetrators appear to be growing in confidence: the attack frequency rose from between one and three per month during the first quarter of this year (an average of 2.3) to five so far in April.
However, in the case of attacks against UK banks, TrickBot has added redirection attacks, in which, instead of malicious code being injected into the target website, victims are redirected to a fraudulent version of it.
This fake website looks exactly like the target bank's website -- even suggesting it has a Secure Sockets Layer (SSL) certificate. Anyone who enters their details into this fake site falls right into the hands of cyberthieves, who can use the credentials to steal funds or carry out fraud.
Climbing the malware charts
While TrickBot barely scrapes into the top ten most prevalent financial malware families (an arena dominated by infamous names such as Zeus, Gozi, Ramnit and Dridex), its sophistication, and the fact that it concentrates on high-value targets, make it particularly dangerous.
Indeed, TrickBot's potency leads Limor Kessem, executive security advisor at IBM, to suggest that it'll force its way into becoming one of the very top financial malware families over the coming months.
"As the year progresses, I expect to see TrickBot climb up the global chart of financial malware families, reaching a similar magnitude as the Dridex Trojan and possibly outnumbering Dridex attacks by year's end," she says.
While it remains uncertain who is behind the TrickBot attacks, IBM researchers suggest that the malware is "undoubtedly" the work of professional cybercriminals who have been involved in banking Trojan attacks for some time.
Due to the experienced nature of the actors behind it, researchers warn that TrickBot will only become more sophisticated and harder for banks to spot.