TrickBot, today's top trojan, adds feature to aid SIM swapping attacks

TrickBot trojan seen collecting credentials and PIN codes for Sprint, T-Mobile, and Verizon Wireless accounts.

TrickBot

The unscrupulous operators of the TrickBot trojan -- one of today's most active and widespread malware strains -- are now capable of carrying out SIM swapping attacks, security researchers from Secureworks have told ZDNet today.

This is possible because over the past month, TrickBot operators have developed a new version of the malware that can intercept login credentials and PIN codes for Sprint, T-Mobile, and Verizon Wireless web accounts.

The data TrickBot collects can allow its operators to carry out a so-called SIM swapping attack, porting a victim's phone number to a SIM card under their control.

This would allow the TrickBot gang (or someone else) to bypass SMS-based multi-factor authentication solutions and reset passwords for a victim's bank accounts, email accounts, or cryptocurrency exchange portals.

During the last two years, SIM swapping attacks have been one of hackers' favorite techniques in stealing money from unwitting and sometimes powerless victims, who often can't react fast enough to stop ongoing attacks from happening, and are almost always left to deal with the aftermath for weeks and months.

Making matters worse, TrickBot has evolved from the tiny banking trojan operation it was when it started back in 2016 to an Access-as-a-Service model, where the TrickBot gang allows other crews to deploy malware on computers it previously infected.

This has allowed TrickBot authors to develop close ties to many other gangs in the cybercrime underground, and Secureworks fears they might use these connections to quickly share or sell the data they've been collecting over the past month.

"It is entirely possible that GOLD BLACKBURN [Secureworks' name for TrickBot operators] would sell on data obtained on mobile users to other criminal contacts who are better placed to exploit it," Mike McLellan, Director for the Secureworks Counter Threat Unit, told ZDNet today.

McLellan also told ZDNet that this functionality allowing the malware to target Sprint, T-Mobile, and Verizon Wireless web accounts has been added as an update to the malware, and not as a separate test strain.

This means that all TrickBot-infected computers received this "feature," regardless of when they were infected, and this didn't necessarily involve someone opening a boobytrapped file they received via email in the past month alone.

How to detect if you've been impacted

While users might not be able to tell if they've been previously infected with TrickBot unless they install a top antivirus product, there are a few giveaways that may let them know if something is wrong.

By design, TrickBot operates using a technique called "web injects." This technique allows the malware to intercept legitimate websites a user is accessing and "inject" malicious content.

According to Secureworks, TrickBot started intercepting traffic for the Verizon Wireless login page on August 5, when it began adding two new fields for the user's account PIN code in Verizon's standard login form.

The modification was easy to miss, but Verizon doesn't usually ask for this PIN via its website. If users didn't spot this discrepancy and submitted the form, TrickBot intercepted both the victim's account credentials and PIN code, which it later uploaded to its backend panel.

trickbot-verizon-page.png

Image via Secureworks

The process was a little bit different for T-Mobile and Sprint login pages, for which TrickBot began intercepting traffic on August 12, and August 19, respectively.

Instead of adding the PIN code field in the regular login form, TrickBot added this field as a separate page that appeared after a successful login, as shown below.

trickbot-sprint.png

Image via Secureworks

If Sprint, T-Mobile, and Verizon Wireless users remember seeing these pages, then their computers are very likely infected with TrickBot. In this case, besides looking into ways of disinfecting their computers, victims are also advised to change their credentials as soon as possible, along with their PIN codes.

This warning should not be taken lightly.

TrickBot operators have shown already how unscrupulous they can be, and telecom account credentials are currently in high demand due to the popularity of SIM swapping attacks.

Furthermore, TrickBot is also one of today's most active malware strains, and its operators often rent infected hosts to other malware gangs, such as ransomware crews. If a victm doesn't get SIM swapped, he might soon be infected with something else, such as a cryptominer, a browser password stealer, or, in the worst case scenario, ransomware.