The financial trojan TrickBot has been updating its campaigns and targets since F5 malware researchers started following it in September 2016. This is expected behavior because attackers need to continually update their targets and methods to evade detection. Previously, TrickBot, the successor to Dyre, targeted financial institutions in Europe, Australia, New Zealand, and Canada. TrickBot’s May 2017 campaigns targeted banks in the UK, Australia, US, Canada, New Zealand, Ireland, France, Germany, Switzerland, the Netherlands, Bulgaria, India, Singapore, and Hong Kong.
In the 26 TrickBot configurations F5 researchers analyzed that were active in May 2017, targets expanded beyond banks to include two payment processing providers and two Customer Relationship Management (CRM) SaaS providers. The fact that payment processors were targets was a notable change that we also observed in Marcher, an Android banking trojan in March of 2017. It appears now that CRMs are a new target of attackers; is it because of their potential for collecting valuable user data that could enhance phishing campaigns?
What’s also notable (and expected) is that all command and control (C&C) servers tied to the most recent campaigns reside within web hosting provider networks and were communicating with their infected hosts over port 443. We know attackers hide their exploits in encrypted traffic; this is just another point of reference to prove it is a consistent and common method being used. Additionally, none of the C&Cs we observed in May 2017 were the same C&Cs we tracked in late 2016.
May 2017 Campaigns
This analysis focuses on the activities of two separate campaigns of different sizes identified in the 26 configurations analyzed, versions “1000018” and “1000019.” The smaller campaign detected included 210 URL targets focused on banks in Australia, UK, Canada, New Zealand, Singapore, India, and Ireland, and a payment processor in the US. The larger campaign detected included 257 URLs for banks in the UK, Australia, US, Canada, Ireland, France, Germany, Switzerland, Hong Kong, the Netherlands, and Bulgaria. The same US payment processor was targeted across both campaigns, however, the CRM targets only appeared in the second campaign.
Figure 1: Smaller campaign and larger campaign with count of URL targets
TrickBot May Targets by Industry and Country
When looking at TrickBot’s URL targets, we attributed the country target based on the country code in the URL rather than the global headquarters of the targeted business. For instance, https://www.citibank.com.sg is attributed to Singapore, and https://online.citi.eu/GBIPB is attributed to the UK, even though CitiBank is headquartered in the US. (Refer to Appendix A for specific targets by country.)
The smaller campaign focused on targeting banks (83% of URL targets) in Australia, UK, Canada, New Zealand and Singapore, and a payment processor (PayPal) attributed to the US (although PayPal users are global).