Trickbot banking Trojan a significant risk to financial institutions
Trickbot banking Trojan a significant risk to financial institutions

The Necurs botnet is the largest spam botnet in the world and has underpinned a significant amount of criminal activity since its emergence back in 2012. Necurs has become notorious for fuelling large-scale email campaigns that distribute malware (particularly Locky ransomware, the Dridex banking trojan, and most recently, Jaff ransomware), propagate “pump-and-dump” fraud schemes, and/or bait recipients into purchasing scam memberships for disreputable dating websites.


The new threat


Now Necurs is delivering a different type of malware that poses a threat specifically to the financial sector: the “Trickbot” banking Trojan. Trickbot has been responsible for man-in-the-browser (MitB) attacks since mid-2016, yet the malware's webinject configuration has previously only targeted financial institutions located outside of the US. This is now changing and the threat is becoming increasingly global. 


Our observations and analysis


Flashpoint observed a new Necurs-powered Trickbot spam campaign, which started on 17 July 2017, and contains an expanded webinject configuration developed to target and infect additional customers of international financial institutions. The latest Trickbot campaign, known as “mac1,” targets customers of various institutions from many countries including the US, UK, New Zealand, France, Australia, Norway, Swedish, Iceland, Finland, Canada, Italy, Spain, Switzerland, Luxembourg, Belgium, Singapore and Denmark.

To date, this campaign has fuelled at least three different spam waves - all of which have included the Trickbot loader as a final payload. The initial spam wave contained an HTML email masquerading as a bill from an Australian telecommunications company. These malicious emails contained a Zip-archived Windows Script File (WSF) attachment consisting of obfuscated JavaScript code. Upon being clicked, the files download and execute the Trickbot loader. Although this wave utilised malicious WSF scripts as the initial vector of infection, subsequent campaigns have evolved and appear to instead utilise malicious macro-laden documents as their attachments.


Flashpoint's malware analysis revealed significant similarities between the Trickbot banking Trojan and the Dyre banking Trojan. Indeed, Trickbot is considered to be Dyre's successor. It's possible that Trickbot's author may have either had deep knowledge of Dyre or simply re-used old source code. The Dyre cyber-criminal syndicate has historically targeted various Western financial institutions including those located in the US, UK and Canada. Following a takedown by Russian law enforcement, the Dyre banking Trojan gang ceased operations in 2015; its old aliases have since disappeared from the underground.


Since the Trickbot banking Trojan's mac1 campaign remains fuelled by the powerful Necurs botnet, it will likely continue to evolve and target customers of US, UK and other international financial institutions. Anti-fraud programmes are an important part of many FI programmes to detect and counter this threat to their customer base.


Indeed, in late July the threat did develop further, because on 27 July 2017, in coordination with Luciano Martins, director of cyber risk services at Deloitte, Flashpoint observed a new version – “1000029” – of the formidable “Trickbot” banking Trojan with a new “worm64Dll” module, spread via the email spam vector, impersonating invoices from a large international financial institution.




The Trickbot banking Trojan gang continues to have a global impact, targeting various financial institutions across the world and tirelessly proliferating sizable daily spam waves impacting various geographies. Now, the gang appears to be testing a new module with worm-like capabilities for lateral movement, ie, the ability to infect other computers on the same Local Area Network (LAN) with the goal of infecting more victims and enlisting them as part of the botnet. Such worm-like infections might add the Trickbot gang to expand a number of customers of financial institutions in an effort to conduct more account takeover (ATO) fraud.


Even though the worm module appears to be rather crude in its present state, it is evident that the Trickbot gang learned from the global ransomware worm-like outbreaks of WannaCry and “NotPetya” and is attempting to replicate their methodology. Flashpoint assesses with moderate confidence that the Trickbot gang will likely continue to be a formidable force in the near term.


Along with the Necurs-powered dating scam the financial-services focused Trickbot shows the importance of having effective cybser-security protocols and defences in place. Given the fact so much of what cyber-criminals do is conducted through the deep and dark web, this is a natural starting point for assessing and understanding the risks a financial organisation, or any organisation for that matter, may be facing. Understanding the risks and gaining knowledge of the development of cyber-criminal adversaries makes defending against them easier and more effective. 


Flashpoint's research – Business Risk Intelligence Decision Report: 2017 Mid-Year Update – showed that amongst industry verticals, financial services was one of the most targeted sectors. The financial rewards and the data the organisations in the sector hold coupled with the public profile of many organisations in the sector make it an attractive target to nation state actors, cyber-criminals, hacktivists and jihadi hackers.


As threats posed by malware such as Trickbot continue to emerge and their targets expand, it is crucial for all organisations and its users to be extra vigilant in their security practices.


Contributed by Vitali Kremez, director of research, Flashpoint

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.