Recently there have been several reports of a financial malware named TrickBot1. The malware’s code looked similar to Dyre’s code but was lacking in functionality in comparison to the old Dyre samples. It also had a fairly basic module configuration, including:
- a system information collecting module
- a browser injection module
The malware had no VNC, SOCKS, and form grabber modules. The samples that were observed in the field had a persistency mechanism, browser function hooks (also known as man-in-the-browser) and a short list of Australian targets that were fetched from the command and control (C&C) server.
This week our research team came across a new campaign of TrickBot malware. The previous webinjects configuration was partial and looked like a part of a testing version of the TrickBot malware. After analyzing this campaign, we noticed a change in the webinjects configuration.
Many new targets, including Germany and the UK, were added to the previous targets of Canada, Australia, and New Zealand.

Figure 1: TrickBot target evolution
Dynamic Injects
TrickBot has server-side webinjects, meaning, when the user connects to the targeted bank’s site, a replication of the target’s response source is sent to the C&C, where Javascript injections are inserted.
After the targeted source has been injected with malicious code, it is returned to the user as if it actually came from the bank.
In the following illustrations, one can see the fields that were added. These are intended to filter out certain file types as they can be fetched from the real bank site.