US banks are now the target of the Trickbot banking trojan, whose new spam-filled campaigns are being fueled by the Necurs botnet. The malware has become more potent with customized redirection attacks as part of its systematic operation.
Security researchers from IBM X-Force and Flashpoint both recently tracked Trickbot activity, and each independently published research about their findings this week.
The researchers indicate that the spam campaigns have been active over the past few months. Flashpoint determined that Trickbot is now focusing on US targets, while IBM focused on the redirection attack used to steal login details, personally identifiable information and financial authentication codes.
Many webinjects from other malware have landed in Trickbot's lap since 2016. Man-in-the-browser attacks have been its specialty; it had been configured to target financial institutions outside the US, but has now turned its efforts toward US banks.
The Necurs-powered spam campaign kit contains “expanded webinject configurations”, as mentioned earlier, developed to target and infect customers around the world, with a particular emphasis on US institutions now.
As a side note, Necurs has been used in three distinct spam campaigns. “These malicious emails contained a Zip-archived Windows Script File (WSF) attachment consisting of obfuscated JavaScript code. Upon being clicked, the files download and execute the Trickbot loader,” according to researchers.
These WSF scripts are only the initial infection vector. Other campaigns have since evolved to use macro-laden documents as their attachments, according to Flashpoint.
Post infection, the malware creates a process using the “CREATE_SUSPENDED” flag before injecting its module and terminating the initial thread used to launch the Trojan, researchers said. The infection then creates a folder in “%APPDATA%” where it copies itself, adds an authroot certificate file in “%TEMP%”, and registers “update[.]job” in the Windows Tasks folder for persistence.
Here is the interesting part: Trickbot stores an encoded configuration module in the resource section of its binary and retrieves additional modules from its controller domains as needed.
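As an added example (not code from the article or from the researchers' reports), the following Python sketch turns the three persistence artifacts described above into detection logic run over constructed, simplified Sysmon-style file-creation events; the event shape, the sample file names and the default expansions of %APPDATA% (AppData\Roaming) and %TEMP% (AppData\Local\Temp) are assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed sample events in a simplified Sysmon-like shape (hypothetical telemetry, not real data).
# The first three events mimic the chain from the article; the fourth is benign noise.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": r"C:\Users\alice\Downloads\invoice.exe",
     "target": r"C:\Users\alice\AppData\Roaming\winapp\invoice.exe"},      # self-copy into %APPDATA%
    {"event": "FileCreate", "image": r"C:\Users\alice\Downloads\invoice.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\authroot.stl"},         # authroot cert file in %TEMP%
    {"event": "FileCreate", "image": r"C:\Users\alice\Downloads\invoice.exe",
     "target": r"C:\Windows\Tasks\update.job"},                            # update.job in Windows Tasks
    {"event": "FileCreate", "image": r"C:\Program Files\Editor\editor.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Editor\settings.json"},   # benign: not a self-copy
]

# Each rule keys on the writing process ("image") so the three artifacts can be correlated per process.
# Assumption: %APPDATA% and %TEMP% resolve to their default per-user locations.
RULES = {
    "self_copy_to_appdata": lambda ev: (
        "\\appdata\\roaming\\" in ev["target"].lower()
        and ntpath.basename(ev["target"]).lower() == ntpath.basename(ev["image"]).lower()),
    "authroot_cert_in_temp": lambda ev: (
        "\\appdata\\local\\temp\\" in ev["target"].lower()
        and ntpath.basename(ev["target"]).lower().startswith("authroot")),
    "job_in_windows_tasks": lambda ev: (
        "\\windows\\tasks\\" in ev["target"].lower()
        and ev["target"].lower().endswith(".job")),
}


def match_rules(events):
    """Return {image: sorted rule names} for every process that tripped at least one rule."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("event") != "FileCreate":
            continue
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["image"]].add(name)
    return {image: sorted(names) for image, names in hits.items()}


def suspected_trickbot(events, min_rules=2):
    """Processes that tripped at least min_rules of the three indicators; one alone is too noisy."""
    return sorted(img for img, names in match_rules(events).items() if len(names) >= min_rules)


if __name__ == "__main__":
    for image in suspected_trickbot(SAMPLE_EVENTS):
        print("suspected Trickbot persistence chain from:", image, match_rules(SAMPLE_EVENTS)[image])
```

Requiring two or more correlated artifacts from the same process keeps a lone authroot file or a lone .job file, both of which legitimate software can produce, from raising an alert on its own.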
In its analysis of Trickbot, Flashpoint said the malware is a successor to the Dyre banking Trojan, sharing many of the same attributes. While the crew behind Dyre sits in a Russian jail, Trickbot appears to be picking up the slack with attacks against banks using a number of webinjects also found in the Dyre malware code, according to a report last year by IBM X-Force researchers.
As of now, Trickbot would be the first and only banking Trojan to cover so many geographical regions and language zones with redirection schemes. Such an elaborate attack scheme is more resource-intensive to maintain.
A basic redirection attack is typical in phishing and is a technique that redirects a hyperlink to an unanticipated page loaded with a malicious payload.
“In simple redirection of browsing to a different page, the user sees the switch to the next website and can observe the change in URL. This is not what happens in Trickbot’s case. Malware redirections hijack the victim to a fake website hosted on separate servers before he or she even sees the destination page.”
Customized redirection attacks use HTML or JavaScript injections while the victim visits a financial institution online. The victim is lured to a malicious website while, at the same time, the malware contacts the genuine website and keeps a live connection with it.
The victim would see the correct URL in the address bar, along with the bank's genuine digital certificate, and would not be able to immediately tell that they have reached a malicious website, according to the IBM X-Force researchers.
The aim is to make everything so seamless that the victim appears to be visiting the real site. While this is happening, the malware operator has the chance to perform webinjections and steal the login data entered on the replica website, all without the bank knowing.