People across the world are under constant threat of various malware designed for making illicit profits or for stealing personal data. But there is specifically one type that is hated the most; they are Banking Trojans. Time and again, they make appearances in different forms and exploit users. But the worst one that has caught limelight recently is the TrickBot Banking Trojan that targets Windows machines. It has been found out that this specific Trojan has successfully impacted Australia, Asia and Latin America. Now it is making its way through Argentina, Peru and Chile as well, planning to infect millions of machines. You can determine the intensity of their notoriousness and damage from the fact that they were able to send over 75000 emails in 25 minutes purporting from Lloyds Bank, UK, in 2017.
What is Trickbot?
This is one of the most active banking Trojans in the market that has a plethora of capabilities including URL redirections and web injections. This was first identified and spotted in October 2016 in Australia. It is estimated that Trickbot is operated and managed by group of individuals with global outreach. Also, they are smart, as they have attacked through different techniques i.e. Redirection 40% of times and left 60% to web injections. It’s a pattern that has been seen in 40 countries now.
This malware is being delivered to users via phishing emails, but they have also started exploring other practices for distribution such as fake websites. In such cases, they mainly operate via web injections.
Web Injections
Web browser is infected by the malware, which keeps a check on every website you visit. Everything remains unaffected until you visit a banking website. The main objective of the attackers is to phish users through banking websites, where as soon as the user visits any of the banking website, a code is intercepted through network to steal personal information and credentials entered.
What is more disturbing in web injections is that you can’t tell anything just by looking at the websites because it’s not the website that is infected but the web browser. In this scenario, how can we identify abnormal activities? Well, no one can do so unless they go to the source code of the banking page.
If your browser is not infected, the codes will be relatively smaller, whereas if it is, then you’ll see some strange new functions in it. Sometimes, the additional functions or set of codes have comments that let us know about their functionality i.e. stealing the credentials and informing hackers about the same.
URL Redirection
Though there are instances in which URL redirection has been used, but this practice is becoming scarce. The reason behind is the fact that any redirection is identifiable. Again, hackers can only create similar and not exact URLs for redirecting a person while browsing due to registration rules of domain names. And, this can be spotted if someone is paying attention to the URLs.
What Trickbot Does?
The malware is reported to have many malicious capabilities that includes: –
- Initiate communication between infected devices and the command server.
- Steal confidential information such as bank credentials, personal info etc by exploiting web-browsing sessions.
- Collect detailed information about affected machines and networks.
- Compromise account passwords that are saved online, introspect cookies and web history.
- Extend its reach by infecting other machines on the infected network.
- Set up further tools for malicious purpose such as VNC clients, Remote Access Tool or ransomware.
How Does Trickbot Trojan Work?
Also Read : Emotet Trojan- A Banking Trojan Which Has Evolved Dangerously
Once deployed, the TrickBot banking trojan duplicates itself into%APPDATA% and removes the original sample.
Further, it adds two files called client_id and group_tag.They are created locally and utilized to detect the individual bot and the operationit is associated with. These files aren’t encrypted and contain text in Unicode.
client_id: includes name of the infected machine, version of OS, and a randomly generated string.
The folder contains a file called config.conf. It is downloaded via the Command & Control (C&C) server and encoded.
Note: C&C or C2 is utilized by cyber-attackers to manage communications with infected machines within an infected network.
A folder known as Modules is generated in %APPDATA%.Other files downloaded via C&C are injectDll32 and systeminfo32.
injectDll32– It is a banker module that injects DLLs inside target browsers to initiate theft of credentials
systeminfo32– It is used for collecting general system info
These files are also encoded. Moreover, the list of target browsers is hardcoded inside injectDll32.dll. TrickBot makes it effective by accumulating itself as a task in the Windows Task Scheduler. The task is simply called ‘Bot’ and no attempt is made to hide this task. However, if you attempt to kill the task, the Task Scheduler Engine automatically restarts it.
Network Communication
TrickBot malware communicates with different servers. At first, it communicates with a valid server to get a visible IP. Surprisingly, it consumes its very own User Agent i.e. TrickLoader or BotLoader and does not try to mask itself as an authentic browser. But most of the TrickBot’s communication with the Command and Control centre is SSL encrypted.
client_id and group_id, are used in the URL of POST request followed by command id. This was a trait observed in the Dyreza malware. Further, an additional payload is loaded without encrypting the network traffic. C&Cs are installed on compromised wireless routers, i.e. MikroTik. This is another feature that is found common between Dyreza and TrickBot. Another strange thing about TrickBot is that it doesn’t even try to copy authentic-looking names for HTTPs certificates. They include entirely random data. For instance: –
https://193.9.28.24/tmt2/TESTMACHINE_W617601.653EB63213B91453D28A68C0FCA3AC4/5/sinj/
Symptoms That Your System Is Affected
Endpoint users won’t see any changes, but the network admin will. Symptom will change in traffic or efforts to reach restricted URLs and blacklisted IPs. This happens because the malware is trying to forward the data to hackers. It tries to withdraw data and receive tasks from the Control and Command (C&C) server.
Aftermath
As this Trojan uses EternalBlue vulnerability, it will focus on affecting the entire network not just a machine. This implies that once your network is affected, there is no way out. You can cleanse a particular machine but not the entire network. To an extent isolating infected machines and working to remove this Trojan might be effective.
Here are few steps that you can follow if network machines are affected: –
- Detect infected machine(s).
- Isolate them from the network.
- Use the Patch for EternalBlue.
- Restrict Administrative Shares.
- Block attachments with various file extensions like:
Exe|pif|tmp|urlpst|cmd|com|hta|js|wsf|vb|vbe|scr|reg|cer|bat|dll|dat|hlp|
- Remove the TrickBot banking Trojan.
- Change account credentials.
Must Read : IcedID New Banking Trojan
The Final Verdict
This one is highly dangerous not only because of its aggressiveness but also because of its constant evolution. The operators of this banking Trojan have also started targeting users on Outlook emails, browsing data and even cryptocurrencies. We need to come up with defense mechanism soon if we don’t want to see our wallets and accounts go empty!