Trickbot, the latest arrival to the banking malware scene and successor to the infamous Dyre botnet, is in constant flux, and its authors are continually adding new targets and functionality. F5 malware researchers have been monitoring Trickbot and have uncovered a new variant that substantially increases the number of German banks being targeted. Trickbot was previously focused on banks in Australia, the UK, and Canada, but only a very small number of banks in Germany, as shown in our November 7, 2016 article Little TrickBot Growing Up: New Campaign.
This latest variant, version “1000007” as shown in the base configuration below, targets banks belonging to one of Germany’s largest banking groups: Sparkassen-Finanzgruppe.
Figure 1: TrickBot Version 1000007
Figures 2 and 3 directly below show configuration snippets that identify some of the targeted banking domains: