In the fall of 2015, more than 80,000 machines were infected with the Dyre banking Trojan before the company that created it was ultimately shut down by Russian officials raiding their headquarters. It was said to be the largest takedown in recent hacking history, but it seems that may have been short-lived.
It wasn’t long after the takedown that a new threat appeared, this time going by the name of Trickbot. Based on the research from multiple digital security firms, the Trickbot banking Trojan appears to be the direct successor of Dyre.
At first TrickBot was relatively unheard of, but it has gained momentum over the past year to become the eighth most successful banking Trojan on the web.
A banking Trojan is a malicious program designed to steal private information about customers or clients using online banking and payment systems. Originally Trickbot campaigns were only targeting Australian bank users, but since April of 2017 they have spread to banks in the UK, US, Germany, Ireland, New Zealand, Canada, Switzerland, and France.
Even more recently we are seeing Trickbot being used against CRMs and, more notably, PayPal. In fact, PayPal researchers discovered 35 spoofed login screens for 35 different PayPal URLs across the world. The number of countries where Trickbot is being discovered continues to increase.
There appears to have been a spike this June in distribution campaigns spreading this threat. The more recent attacks have used email spam to spread the Trojan. The emails contain a PDF file which entices users to open a Word file and then asks them to enable macros to view the file.
This method is a complex social engineering tactic and somewhat of a “long-con” as it requires users to not only read the body of the email, but to then download a file, click to open another file, and then enable macros by bypassing a security alert. This method is proving extremely successful as Trickbot currently accounts for three percent of all detections, up from one percent just a few months ago.
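The lure described above only works if a macro-bearing Word document reaches the user. As an added example (not code from the original post or from Crossroads Cybersecurity), the following Python inspects an Office Open XML attachment for the VBA project part that a macro-enabled document carries, so a mail gateway or triage script can flag it before the "enable macros" prompt is ever shown. The sample documents it builds are constructed in memory for the demonstration; they are not real malware.

```python
import io
import zipfile

# OOXML stores VBA as a vbaProject.bin part declared with this content type.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_PART = "vbaProject.bin"


def office_macro_indicators(data: bytes) -> dict:
    """Inspect an OOXML (.docx/.docm/.xlsm ...) attachment held in memory.

    Returns a dict with:
      is_ooxml - whether the bytes parsed as an OOXML package
      has_vba  - whether a vbaProject.bin part or its content type is present
      parts    - the package members that triggered the finding
    Policy (quarantine, strip, alert) is left to the caller.
    """
    result = {"is_ooxml": False, "has_vba": False, "parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # PDFs, legacy OLE .doc files etc. are not zip packages
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    # Part-name check: word/vbaProject.bin (or xl/..., ppt/...) holds the macros.
    for name in names:
        if name.lower().endswith(MACRO_PART.lower()):
            result["parts"].append(name)
    # Content-type check catches a renamed part that still declares itself as VBA.
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    if MACRO_CONTENT_TYPE in ctypes:
        result["parts"].append("[Content_Types].xml")
    result["has_vba"] = bool(result["parts"])
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML document for demonstration only (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        ct += '<Override PartName="/word/document.xml" ContentType="application/xml"/>'
        if with_macro:
            ct += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

Legacy binary .doc attachments are OLE compound files, not zip packages, so they fall through the `BadZipFile` branch here; inspect those with an OLE parser such as oletools' olevba instead.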
Trickbot slowly manipulates an account until it is ready to deploy a standard Remote Access Protocol. After switching off all active components of the malware, a browser is opened from within the victim’s machine and from there cybercriminals can log into online banking platforms and drain the victim’s bank account.
Are you concerned with your cybersecurity? Contact the Crossroads Cybersecurity team to address the potential threats to your organization and how to defend against cyberattacks.