Trickbot Rapidly Expands its Targets in August, Shifting Focus to US Banks and Credit Card Companies

Introduction

This article focuses on the TrickBot configurations active in late July and early August 2017, including versions (v)28 through 32. At the time of this writing, v51 is already in the wild, representing the highest level of activity we’ve seen from TrickBot since it launched in September of 2016.

Our most recent reporting on TrickBot focused on configuration v24 that was operating in June 2017 and its targets as the target URL list was significantly larger than we had seen in prior TrickBot configurations. Since then, TrickBot authors have kicked their efforts into high gear, releasing 13 new configurations in August alone. The most significant targeting changes we saw were shifts toward US targets, including Amazon.

Figure 1: Count of active TrickBot configurations per month since launch in September 2016

Sustained Increase in Target URLs

The increase in active configurations was matched with large target URL lists in each configuration, surpassing the 1,000 mark for the first time.

Figure 2: TrickBot target URL count by version

New Worm Module

TrickBot authors also introduced a worm module in v29 (referenced in Figure 2 above), that spreads locally through SMB,1 a port usage we questioned when it turned up on the command and control (C&C) list in v24.

Figure 3: TrickBot worm module string details

Sinj vs. Dinj Attack Paths

In our TrickBot article published in July 2017, we summarized the attack path, which included two methods of exploitation: redirects and webinjects.

Figure 4: TrickBot attack path from F5 Labs July TrickBot reporting

Starting with v29, we began analyzing the infection targets separately by static injection (sinj) targets, which are redirection attacks, and dynamic injection (dinj) targets, which are webinjects. Whereas there are more dinj targets in total, there has been a sharp rise in sinj targets in the latest analyzed configurations.

Figure 5: Dinj vs. sinj target URL count by configuration version

URL Target Analysis

The most notable changes in August were to its target financial institutions. France, Spain, UK were still target countries, while Nordic countries came out of the target set for a while before returning. Australia and New Zealand targets from older versions were back, and there was a big focus on US banks and credit card providers. PayPal returned as a target (recycled from Dyre), and AMEX and Discover were added as new targets.

We also began analysis of URLs with no identifiable country target, which we’ve labelled as “unknown” in our country lists. URLs in this group often look similar to “*/business/login/Login.jsp*”, about which it is impossible to make a determination as to which country or company is being targeted. Every “unknown” URL target is a dinj (webinject) target, which makes sense; static inject targets need to be sure of what page the user is attempting to access in order to serve up a convincing redirect, while webinject targets merely need to insert malicious code into legitimate pages.

These “unknown” URLs could potentially be used to target entire groups of banks all relying on a single online platform with an identical subdomain architecture. For instance, Bank XQW could have a login screen with the URL form “www.bankxqw.com/business/login/Login.jsp”, while Bank QRS could have a login screen with the URL form “www.bankqrs.co.uk/business/login/Login.jsp”. In this scenario, both banks would be affected by the “unknown” dinj target URL, allowing the TrickBot actors to target multiple banks with a single URL. Certain URLs within the TrickBot target list seem to be clearly capable of targeting multiple banks in this way (either by accident or design).

V28

US financial institutions were the most targeted starting in v28, followed by Australia, Spain, and Canada, which stayed consistent through v29 and v30. Rounding out the top 5 targets was the “unknown” group.

Figure 6: Targets by country for v28

The top 10 targets, by URL count in v28 were as follows:

Table 1: Top 10 targets of v28

V29

The target URLs changed very little from configuration v28 to v29. There was only a flux of 1 – 3 URLs dropped or added in just a few of the countries targeted; overall, there were 5 new URLs in v29, and 4 URLs dropped from v28, for a flux rate of only 1.7%.

Figure 7: Targets by country for v29

The top 10 targets list was the same from v28 as expected as there was very little change between versions 28 and 29, outside of the introduction of the worm module.

Table 2: Top 10 targets of v29

V30

Version 30 differed primarily in the removal of 3 URLs (all targeting Chase), the addition of 40+ US targets, and a handful of new Canadian targets. The overall flux rate was 9.1%.

Figure 8: Targets by country for v30

Citibank rose into the top ten list for v30, comprising the majority of the 40+ US URLs that were added. Not shown in the top ten list, we also saw Amazon begin to be targeted for the first time, with 10 URLs present in the webinject target list.

Table 3: Top 10 targets of v30

V31

Version 31 featured more Australian, New Zealand, Singapore, UK, and "unknown" targets. This configuration version is where we started to see a greater spike in URLs with wildcarded beginnings that didn’t appear to be specific to a single firm. No URLs at all were dropped from v30, and we saw 159 added, for a total flux rate of 21.5%.

Standing out in our analysis of the "unknown” URLs, there was also a large number of URLs in the form of “*/snapshoot/#”, “*/rcrd/#”, and “*/getq/#” targets; a few of them were wildcarded versions of URLs from Dyre, but most of them differed in the specific number used at the end of the URL from those seen in Dyre target lists. In the original Dyre configuration, these URLs took the form of “bankqrs.com/snapshoot/###”, with a different 1, 2 or 3 digit number assigned to different banks.

When these same numerical identifiers appeared in both the Dyre target list and the current TrickBot target list, we made a determination as to which company was being targeted, but unfortunately this was not always possible. The “rcrd” and “getq” variants of the URLs did not appear in the Dyre target list, but the numerical identifier, the order in which they appeared in the target list, and the common C&C servers made it clear that these three URLs went together for each company targeted. It is also possible that these URLs were not targeting a specific firm at all, and so we hesitate to offer definitive analysis on these URLs at this time, other than to note that they are unusual and worth our further attention.

Figure 9: Targets by country for v31

Although the names in the top ten list for v31 were the same as that for v30, the absolute number of URLs targeted had shifted a bit—usually up by one, but sometimes a few more than that. Amazon retained the same 10 targeted URLs from v30.

V32

Version 32 saw significant growth in the overall number of URL targets from v31, almost twice as many, even though 119 targets from v31 were dropped. There is a large focus on the US and UK, and the Nordic banks from v24 are back. The overall flux rate was 57.7%.

Figure 10: Targets by country for v32

In many instances, it appears that the targets for v32 were simply a combination of targets from previous versions. Almost all of the countries with 8 or less targets appearing in v32 did not appear in v31, but did appear in v24. The Nordic countries behaved similarly: they did not appear in v31, but 78% of their URLs did appear in v24. To be sure, there are URLs in v32 that are net new, but the vast majority of the increase in targets in this version are attributable to recycling older targets from previous versions that had been discarded over time. Notably, Amazon was discarded as a target in v32, with all 10 of its URLs leaving the target list.

Table 5: Top 10 targets of v32

Targets by Industry

As expected, Financial Services companies were still the primary targets. The “unknown” targets were largely the same as those identified in the country analysis, for the same reasons: the URLs themselves simply didn’t contain the actual domain that was being targeted, so it was impossible to say for certain what industry those companies fell into. Many of these domains had phrases such as “retail”, “businesslogin”, “fundsxpress”, or even “onlinebank”, indicating that most if not all of them were targeting financial information, but it is still possible that the companies in question were e-commerce or technology firms—or even something else entirely. We therefore hesitate to definitively assign an industry to these targets, but we believe it is likely they were financial services firms. We leave them separate in Figure 11 to indicate that uncertainty.

Figure 11: Targets by industry for v28 through v32

C&C Locations and Owners

The following chart shows the country locations of the TrickBot C&C servers active in configurations v24 through v32. It’s well known that TrickBot hosts its C&C servers on compromised wireless routers. Prior to IoT devices being used as attacker infrastructure (hosting malware and growing thingbots), it was unusual to see the US have such a large portion of the pie because it’s typically not hard to get nefarious activity hosted in the US shut down quickly. The rise in IoT is presenting a new profit avenue for attackers, and a new problem set for researchers and authorities.

Figure 12: TrickBot v24 through v32 C&C servers by country

JSC Mediasoft had the most used networks for hosting TrickBot C&C servers, followed by OVH; the 9 US C&C servers are spread out among 8 separate networks. When looking at consistent C&C IP addresses through configurations, some of the same C&C servers were used throughout versions 24 to 32, but in many cases the IP switched over time. At this time we are unable to see any trends in whether and when TrickBot is shifting its C&C IP addresses.

Figure 13: Top TrickBot C&C hosting networks by ASN owner, geo, and count

Conclusion

The analyzed configurations initially saw TrickBot shift away from the Nordic countries and into France, Spain, the US, and the UK; it appeared for a time that the targeting of this malware was becoming more focused on fewer countries and more refined. However, by v32 there was a return to a broad range of targets, suggesting that the threat actors behind TrickBot reached a phase of their development where it made sense to put all the targets together, all at once.

The unusual targets that stood out in our analysis were the rise in US-based firms—especially credit card companies. Before, we had only seen banks and wealth management providers targeted. In addition to credit card companies, we have seen some development of net new URLs; this indicates some level of effort being placed on refining the target set, but there is still an overwhelming reliance on the target set found in the Dyre malware, circa late 2015.

This partly explains how TrickBot is able to go through so many iterations so quickly. It’s time consuming and difficult to research all the appropriate URLs for all the financial services providers in a specific country, but almost all of that work has been done before. TrickBot’s authors can simply swap in the set of URLs they want from Dyre, make some tweaks based on updates to banks’ login sequences, and spend the rest of their time focusing on making the code itself more effective. We anticipate that TrickBot will continue to focus on the same firms targeted by Dyre through 2015, and will continue to make small modifications to the URLs to improve the effectiveness of their targeting.

Our initial look at how Trickbot behaved through August shows it is evolving even faster, but our recommendations for how to mitigate this malware remain largely the same. TrickBot spreads at least in part through spam and phishing campaigns, so security professionals within financial services firms should continue to have discussions with their legal teams to come up with appropriate language to encourage customers to exercise better social engineering and security awareness. When those pesky users still click on links or download files they shouldn’t, advanced web protection services can help firms detect and mitigate banking trojans so that infected users’ accounts aren’t compromised, even when their devices are.

Appendix A: TrickBot Config Screenshots

Sampled MD5:

bd4f13d1295b09f92571b89ef073a83c
03a3799d1d53cddf58bacbcb1cce6922
2e30546e646109f11c315e7c329acbd2
cb59d12ba5014164266fdaebc3ed11be
675119986b6df9441fbed1e6a8ae9da5