Security researchers have observed a new, Necurs-powered Trickbot spam campaign targeting international and US-based financial institutions.
The notorious banking Trojan has been responsible for man-in-the-browser (MitB) attacks since 2016. Until now, however, the malware’s webinject configuration had only targeted organizations outside of the US.
Researchers at Flashpoint discovered the new Trickbot spam campaign earlier this week. It was developed to hit 50 additional banks, including 13 US companies, reports Dark Reading.
Dubbed “mac1,” the campaign has fueled at least three different spam waves, all of which have included the Trickbot loader as a final payload, said researchers.
Other targets include financial organizations located in the UK, New Zealand, France, Australia, Norway, Sweden, Iceland, Canada, Finland, Spain, Italy, Luxembourg, Switzerland, Singapore, Belgium and Denmark.
With the powerful Necurs botnet fueling the Trickbot Trojan’s mac1 campaign, experts believe it’s likely the malware will only continue to evolve and expand to other targets.
“We think it’s capable of developing new features in the future. For now, it’s a banking Trojan with potential to move beyond that,” warned Vitali Kremez, director of research at Flashpoint.
Based on their malware analysis, researchers also found significant similarities between Trickbot and the Dyre banking Trojan.
“… it’s possible that Trickbot’s author may have either had deep knowledge of Dyre or simply re-used old source code,” researchers said.