Skip to content ↓ | Skip to navigation ↓

The TrickBot trojan evolved in the third quarter of 2017 by adding new variations to its code and to its delivery vectors.

According to IBM X-Force Research, TrickBot was the busiest financial trojan during the summer of 2017. That activity, which included an expansion into Argentina, Chile, Columbia, and Peru, partly resulted from the banking malware’s many types of delivery vectors. Indeed, while TrickBot commonly relies on the Necrus botnet for delivery via malspam campaigns, it also added a few other methods in Q3 2017.

Limor Kessem, an executive security advisor at IBM, elaborates on this development:

“The group has been experimenting with other ideas, such as setting up fake websites and serving the malware from there. In early August, TrickBot was spotted using the same infection zones as the Emotet Trojan, which has been linked with the QakBot banking Trojan, which recently propagated throughout corporate networks and caused massive Active Directory lockouts.”

Upon successful infection, the trojan employs redirection attacks or web injection offensives. It then leverages its desktop and data theft capabilities against an infected machine. But TrickBot is always changing up its code, so it’s not surprising to learn that it added some new capabilities in the third quarter of 2017.

Specifically, TrickBot took a page from WannaCry and NotPetya by adding support for the EternalBlue exploit. It also added some new modules that can help it steal Outlook email data. Finally, it also now has the ability to steal user credentials for popular cryptocurrency platforms like CoinBase and BlockChain.

A timeline of Trickbot’s global spread (Source: IBM X-Force)

TrickBot, which owes its existence to the Dyre developer, today targets financial institutions, payment processing providers, and ordinary users throughout the United States, Europe, and elsewhere. This proliferation no doubt contributed to Check Point’s decision to place the trojan among the top 10 most wanted malware for August 2017.

Given its ongoing evolution, users should exercise caution around suspicious links and email attachments. They should also be careful about what websites they visit while browsing the Internet, stay on top of all software updates, and activate additional security features like two-step verification (2SV) for all their banking and web accounts.