TrickBot banking Trojan steps up attacks against UK targets

IBM X-Force researchers warn that this sophisticated malware family is fast becoming one of the most prevalent forms of data-stealing banking Trojans
Written by Danny Palmer, Senior Writer


A sophisticated Trojan malware operation is targeting financial organisations across the globe -- but with a particular focus on the UK banking sector.

The credential-stealing TrickBot banking trojan has been plaguing the financial sector since last year, targeting private banks, private wealth management firms, investment banking, and even a retirement insurance firm.

But that isn't enough targets for the cybercriminal operation behind the scheme, as cybersecurity researchers at IBM X-Force say the hackers are targeting a growing list of business banks -- including a UK-based one described as "among the oldest banks in the world".

In total, TrickBot has added 20 new banks to its list of UK targets, along with eight building societies. Although the malware predominantly targets institutions in the UK and Australia, other new targets include two Swiss banks, financial firms in Germany and four investment banks in the United States. Targets even include a Sharia law-compliant bank.

The attacks are few in number and highly targeted, but the perpetrators appear to be growing in confidence: the attack frequency rose from between one and three per month during the first quarter of this year (an average of 2.3) to five so far in April.


TrickBot campaigns per month during 2017

Image: IBM Security

At its core, TrickBot remains similar to its predecessor, the data-stealing Dyre Trojan, with its signature browser manipulation techniques.

However, in the case of attacks against UK banks, TrickBot has added redirection attacks, in which, instead of malicious code being injected into the target website, victims are redirected to a fraudulent version of it.

This fake website looks exactly like the target bank's website -- even suggesting it has a Secure Sockets Layer (SSL) certificate. Anyone who enters their details into this fake site falls right into the hands of cyberthieves, who can use the credentials to steal funds or carry out fraud.

Climbing the malware charts

While TrickBot barely scrapes into the top ten most prevalent financial malware families (an arena dominated by infamous names such as Zeus, Gozi, Ramnit and Dridex), its sophistication, and the fact it concentrates on high-value targets, make it particularly dangerous.


The top most prevalent financial malware families

Image: IBM Security

Indeed, TrickBot's potency leads Limor Kessem, executive security advisor at IBM, to suggest that it'll force its way into becoming one of the very top financial malware families over the coming months.

"As the year progresses, I expect to see TrickBot climb up the global chart of financial malware families, reaching a similar magnitude as the Dridex Trojan and possibly outnumbering Dridex attacks by year's end," she says.

While it remains uncertain who is behind the TrickBot attacks, IBM researchers suggest that the malware is "undoubtedly" the work of professional cybercriminals who have been involved in banking Trojan attacks for some time.

Due to the experienced nature of the actors behind it, researchers warn that TrickBot will only become more sophisticated and harder for banks to spot.

The very nature of banks, and the fact they store large amounts of personal and financial data, makes them a lucrative target for cybercriminals. Infamously, hackers made off with over £2.5 million stolen from 9,000 customer accounts when they attacked Tesco Bank in November last year, proving that a successful attack against a bank can enrich criminals very quickly.

While Tesco Bank still hasn't confirmed how the attack happened, it's been suggested that the company fell victim to a sophisticated banking Trojan.

