TrickBot has expanded its targets beyond global financial institutions to include several payment processors and Customer Relationship Management (CRM) providers, warn security researchers.
The banking trojan – which shares many characteristics with Dyre – first surfaced in the summer of 2016, targeting banks across Europe, Australia, New Zealand and Canada.
Earlier this year, TrickBot’s campaigns had extended to financial institutions in the US, the UK, Ireland, France, Germany, Switzerland, India, Singapore, Bulgaria and Hong Kong.
Researchers at F5 Labs said they observed 26 TrickBot configurations that were active in May 2017, which also included two payment-processing providers and two CRM SaaS providers.
“The fact that payment processors were targets was a notable change that we also observed in Marcher, an Android banking trojan in March 2017,” explained the researchers in a blog post.
With CRMs becoming a new target, researchers suggest cybercriminals may be after the valuable user data to enhance phishing campaigns.
In their analysis of two active campaigns in May, F5 Labs found that the first campaign contained 210 target URLs, while the second, larger campaign contained 257 URLs focused on banks. PayPal was targeted in both campaigns; however, the CRM targets were detected only in the second campaign.
According to F5 Labs, the specific CRMs targeted were Salesforce.com and an auto sale CRM developed by US-based Reynolds & Reynolds.
All command and control (C&C) servers tied to the recent TrickBot campaigns resided within web hosting provider networks and communicated with infected hosts over port 443.
Furthermore, researchers found that none of the C&C servers observed in May 2017 were the same C&C servers tracked in 2016.
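The two infrastructure observations above (C&C hosted on web hosting provider networks, traffic to infected hosts on port 443) translate into a coarse triage signal a defender can run over network flow records. The script below is an added example and not part of the F5 Labs report or TrickBot's code: it parses a few constructed flow lines, matches destinations against an assumed, placeholder list of hosting-provider address blocks, and flags internal hosts talking to those blocks on port 443. The prefixes and provider names are documentation-range placeholders, not real TrickBot indicators.

```python
import ipaddress
from collections import Counter

# ASSUMPTION: placeholder hosting-provider blocks (RFC 5737 documentation ranges),
# standing in for the ASN/prefix data a SOC would load from its own intel feed.
HOSTING_PROVIDER_PREFIXES = {
    ipaddress.ip_network("198.51.100.0/24"): "example-hosting-A",
    ipaddress.ip_network("203.0.113.0/24"): "example-hosting-B",
}

# Internal address space of the monitored network (assumption for this example).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes>"
SAMPLE_FLOWS = """
2017-05-10T12:00:01Z 10.0.5.21 198.51.100.45 443 5120
2017-05-10T12:00:05Z 10.0.5.21 192.0.2.10 443 800
2017-05-10T12:00:09Z 10.0.7.3 203.0.113.9 80 300
2017-05-10T12:01:00Z 10.0.7.3 203.0.113.9 443 2048
2017-05-10T12:02:00Z 10.0.5.21 198.51.100.45 443 4096
malformed line that should be skipped
""".strip().splitlines()


def parse_flow(line):
    """Parse one flow line; return None for malformed input instead of raising."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, nbytes = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        }
    except ValueError:
        return None


def hosting_provider_for(ip):
    """Return the provider label if ip falls inside a known hosting block, else None."""
    for prefix, name in HOSTING_PROVIDER_PREFIXES.items():
        if ip in prefix:
            return name
    return None


def find_suspect_flows(lines, port=443):
    """Flag internal -> hosting-provider flows on the given port (TrickBot C&C used 443)."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["dport"] != port:
            continue
        if flow["src"] not in INTERNAL_NET:
            continue
        provider = hosting_provider_for(flow["dst"])
        if provider is None:
            continue
        hits.append({**flow, "provider": provider})
    return hits


def summarize_by_pair(hits):
    """Count repeated (src, dst) pairs; repeated contacts are worth triaging first."""
    return Counter((str(h["src"]), str(h["dst"])) for h in hits)


if __name__ == "__main__":
    suspects = find_suspect_flows(SAMPLE_FLOWS)
    for h in suspects:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]} ({h["provider"]}, {h["bytes"]} bytes)')
    for (src, dst), n in summarize_by_pair(suspects).most_common():
        print(f"{src} contacted {dst} {n} time(s)")
```

Port-443 traffic to hosting providers is common for legitimate SaaS and CDN use, so this output is a triage queue to join with threat-intelligence data on the specific C&C servers, not a standalone detection. The report's note that the May 2017 servers differ from those seen in 2016 is the reason the prefix and indicator lists have to be refreshed rather than baked in.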
“Given the changes we’ve witnessed with each successive campaign, F5 Labs researchers expect to see further evolution in both the targets and methods used by TrickBot authors,” they warned.