TrickBot Trojan seeks out weak human links in business to profit from the tax season

The info-stealing malware is banking on your taxman fears in a new wave of attacks.
Written by Charlie Osborne, Contributing Writer

It is that dreaded time of year again: as the tax season in the United States looms, hackers worldwide are rubbing their hands in glee at the opportunity.

There's little more terrifying than the prospect of receiving an unexpected demand for money from the Internal Revenue Service (IRS) or equivalent organizations, and as both consumers and businesses are working to make sure they hit their April 15 tax filing deadlines, cybercriminals are capitalizing on the process through phishing schemes.

Cybercriminals worldwide use similar tactics in phishing schemes designed to steal your financial information. They often masquerade as well-known organizations, including banks, the IRS, and student loans companies, and attempt to create fear in their targets.

People in a panic are less likely to think rationally about bogus payment demands, and may be more likely to fall for a phishing email -- especially when coupled with a legitimate-looking website designed to accept 'payments' and steal account credentials at the same time.

See also: Bank hackers team up to spread financial Trojans worldwide

According to IBM X-Force, tax-related scams are in full swing, and many this year are focused on the business segment and deployment of the TrickBot Trojan.

On Monday, X-Force researchers Martin Steigemann and Ashkan Vila said that three spam campaigns, in particular, are of interest this year. The phishing schemes are designed to dupe victims into accepting malicious Microsoft Excel documents containing embedded, obfuscated macros by pretending to be accounting, tax, and payroll services companies.

The spoofed companies include payroll management firm Paychex and HR services company ADP. Both corporate and personal email addresses are being targeted -- but business email compromise (BEC) scams are far more lucrative, given that firms usually have more funds to hand than a typical consumer.

"Once TrickBot is installed on a potentially vulnerable device and can reach other devices on the network, it can further spread and pivot," the researchers noted. "Finding only one unaware person in an organization is usually enough for attackers to get their foot in the door."

CNET: The dark web knows too much about me

The malicious documents are able to download and deploy TrickBot, one of the most commonly known banking Trojans in existence today.

TrickBot specializes in the theft of banking credentials through dynamic injections -- attacks taking place in real-time with commands issued from an attacker's command-and-control (C2) server, as well as redirections which coerce a victim into visiting a malicious webpage.

TrickBot has also recently been upgraded with new functionality, including the theft of Remote Desktop Protocol (RDP) credentials, Virtual Network Computing (VNC) credentials, and PuTTY open-source terminal emulator credentials.

If a victim falls for a phishing scheme and hands over their credentials, this may result in financial theft and fraud.  

IBM says that the latest campaigns are most likely the work of the TrickBot group and spam samples collected "were more sophisticated than we typically see in other high-volume campaigns."

Such as in the sample below, there are no typographical errors -- usually a giveaway for poorly-executed mass spam campaigns -- and there are indicators that the message is legitimate, such as the business signature and warning about printing unnecessarily.


TechRepublic: Half of online banks allow hackers to steal your money

IBM received its first sample on January 27, 2019, in which the messages were impersonating an accountancy firm. The threat actors then pivoted to ADP by the first week of March, followed by Paychex. Messages are sent during US working hours.

Unfortunately, the same story appears every year during tax season with new techniques and tactics being implemented for the purposes of information theft and financial fraud.

The distribution of Trojans, too, is in a constant state of flux. In March, IBM said that the top distributors of banking malware are now working together to boost infection rates, with TrickBot now often operating as a dropper for IcedID. Malware source code is also now being shared across cyberthreat groups.

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Editorial standards