In this article, we explore TrickBot targets in configuration version 1000024 (“v24”), which was operating in June 2017. F5 Security Operations Center (SOC) researchers continually track TrickBot targets and publish reports in conjunction with F5 Labs researchers. Our aim is to understand the malware authors’ behavior and to notify the targeted institutions so they can be on alert for TrickBot fraud within their environments.
Key data points from v24 analysis:
- 95% of TrickBot v24 URLs were identical to those targeted by Dyre in 2015, adding to the growing list of commonalities between Dyre and TrickBot.
- 62% of the targets in v24 were also targeted in v18 and v19, which were active in May, suggesting that each new target list is built on the Dyre list rather than from scratch.
- v24 included a spike in European targets, primarily in the UK, Sweden, Switzerland, Finland and Norway, as well as a large reduction in URLs in Australia and New Zealand.
- Clear focus on wealth management financial institutions that service individuals and businesses.
- Targeting both retail (personal accounts) and commerce (business accounts) banks.
- Targeting Islamic banks in UAE, UK, and Jordan.
TrickBot infects its victims much like any other banking trojan: the campaign begins with social engineering, such as phishing or malvertising, to trick unsuspecting users into clicking malicious links or opening malicious attachments. If the user engages and the dropper is able to run on the system (typically because patches and AV signatures are out of date; a zero-day exploit would be the exception), the malware installs itself and the host is controlled by commands from its command and control (C&C) server.
Figure 1: Initial TrickBot attack path
TrickBot’s Dynamically Updating DLL Module
TrickBot has a basic configuration file that is written when the malware initially infects a victim’s system. This configuration file specifies the malware’s version, its C&C servers (which are set up on compromised IoT devices, specifically wireless routers[1]), and the modules to be fetched and installed by the malware.
The “injectDll” module is the core banking module. It contains the malware’s banking functionality, the list of targeted URLs, and the servers to which legitimate bank page content is sent so that it can be modified (web-injected) before it is rendered to the user. These files are updated frequently by the malware authors and dynamically deployed to TrickBot’s infected systems.
These configuration versions and the URL targets within them are what the F5 SOC and Labs researchers analyze to understand the malware author’s targets. There have been at least 29 new configuration files in the DLL module since September of 2016.
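The analysis described above amounts to two mechanical steps: pull version, C&C list and module list out of the base configuration, then diff the injectDll target list against earlier versions and break it down by country. The script below is an added example written for this article, not F5’s tooling or anything recovered from a TrickBot sample. It assumes the base configuration is an XML document with `ver`, `gtag`, `servs/srv` and `autorun/module` elements (the layout commonly reported for TrickBot’s decrypted “mcconf” file, but an assumption here), and it uses constructed, clearly fictional target lists with `.example.*` hostnames standing in for the real v19 and v24 URL lists. The overlap of 5 shared targets out of 8 in the constructed v24 list (62.5%) is chosen to mirror the 62% figure reported above, not taken from real data.

```python
"""Parse a TrickBot-style base configuration and compare injectDll target
lists across configuration versions (added example, constructed data)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample base configuration. The element names follow the
# widely reported TrickBot "mcconf" layout (assumption); the values are
# fictional (documentation IP ranges, made-up group tag).
SAMPLE_MCCONF = """<mcconf>
  <ver>1000024</ver>
  <gtag>tt0002</gtag>
  <servs>
    <srv>192.0.2.10:443</srv>
    <srv>198.51.100.7:449</srv>
  </servs>
  <autorun>
    <module name="injectDll"/>
    <module name="systeminfo" ctl="GetSystemInfo"/>
  </autorun>
</mcconf>"""

# Constructed per-version target lists standing in for the URL patterns the
# injectDll configuration carries. Wildcards, scheme and case differ between
# versions on purpose so that normalization is exercised.
TARGETS = {
    "v19": [
        "https://secure.alpha-bank.example.co.uk/login*",
        "https://online.beta-bank.example.se/*",
        "https://ib.gamma-bank.example.ch/auth*",
        "https://banking.delta-bank.example.au/*",
        "https://nz.epsilon-bank.example.nz/login*",
        "https://zeta-wealth.example.com/client/*",
        "https://eta-business.example.co.uk/corp*",
        "https://theta-bank.example.fi/*",
    ],
    "v24": [
        "http://SECURE.alpha-bank.example.co.uk/login*",
        "https://online.beta-bank.example.se/*",
        "https://ib.gamma-bank.example.ch/auth*",
        "https://theta-bank.example.fi/",
        "https://eta-business.example.co.uk/corp*",
        "https://iota-islamic.example.ae/*",
        "https://kappa-bank.example.no/*",
        "https://lambda-bank.example.jo/login*",
    ],
}


def parse_mcconf(xml_text):
    """Extract version, group tag, C&C servers and module names."""
    root = ET.fromstring(xml_text)
    return {
        "version": int(root.findtext("ver")),
        "group_tag": root.findtext("gtag"),
        "c2": [s.text.strip() for s in root.iter("srv")],
        "modules": [m.get("name") for m in root.iter("module")],
    }


def normalize(target):
    """Canonical form of a target pattern: no scheme, lowercase,
    trailing wildcard and slash removed, so cosmetic edits between
    versions do not register as new targets."""
    t = target.strip().lower()
    if "://" in t:
        t = t.split("://", 1)[1]
    return t.rstrip("*").rstrip("/")


def diff_targets(new, old):
    """Return (shared, added, removed) sets of normalized targets."""
    new_set = {normalize(t) for t in new}
    old_set = {normalize(t) for t in old}
    return new_set & old_set, new_set - old_set, old_set - new_set


def overlap(new, old):
    """Fraction of the new list's targets that were already in the old list."""
    shared, _, _ = diff_targets(new, old)
    return len(shared) / len({normalize(t) for t in new})


def by_tld(targets):
    """Count targets by the last label of the hostname, a rough proxy for
    the country breakdown used in the report."""
    hosts = (normalize(t).split("/", 1)[0] for t in targets)
    return Counter(h.rsplit(".", 1)[-1] for h in hosts)


if __name__ == "__main__":
    cfg = parse_mcconf(SAMPLE_MCCONF)
    print("config", cfg["version"], "modules", cfg["modules"], "c2", cfg["c2"])
    shared, added, removed = diff_targets(TARGETS["v24"], TARGETS["v19"])
    print(f"v24 vs v19: {overlap(TARGETS['v24'], TARGETS['v19']):.0%} retained")
    print("added:", sorted(added))
    print("removed:", sorted(removed))
    print("v24 by TLD:", dict(by_tld(TARGETS["v24"])))
```

Normalizing before diffing matters: the operators routinely touch up patterns between versions (scheme, case, wildcard placement), and without it a target that never really changed shows up as both “removed” and “added”, inflating the apparent churn. The TLD breakdown is only a first approximation of geography; multinational banks on `.com` need manual attribution, as do `.co.uk`-style second-level domains if you want to distinguish them from other `.uk` names.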