Banking trojan Trickbot returns with improved operation

by Olivia Morelli - - 2018-05-31

Trickbot relies on malicious attachments to contaminate users' devices

Trickbot malware comes back with the file-locking feature

A Trickbot virus,^[1] which was first detected in 2016, is a banking trojan that has been relying on deceptive emails used to trick customers of various banks. Its aim – stealing victims' credentials and, ultimately, the money. Trickbot can send out a multitude of spam emails which mimic official banks and prompt users to enter their details into fraudulent websites. While this virus is relatively old, the latest discovery reveals that it shouldn't be underestimated yet.

Recently, security experts noticed a new wave of phishing emails contaminated with malware associated with Trickbot. The upgraded version is more sophisticated and contains features which decrease its detection chances, as well as make the protection more problematic. In addition to that, the financial trojan was found using the file-locking system which is quite similar to ransomware.

The deceptive email pretends to come from one of the largest UK banks, Lloyds. Unlike in most other cases, cybercriminals do not urge victims to enter their credentials into a fake website. Instead, a .html file containing malicious code is attached directly to the email. Also, the link to mobile versions is provided.

The newest variant is also using the file locking feature

The first example of the new version of malware was detected by Webroot security experts on 15th of March. They released a detailed article^[2] containing all the technical data related to the latest variant.

As soon as malware enters the device, it creates a folder in TeamViewer directory called “Modules,” which consists of encrypted plug-and-play^[3] modules used by Trickbot for its operation. The original module spreader_x86.dll now includes two other executables called SsExecutor_x86.exe and ScreenLocker_x86.dll.

The SsExecutor_x86.exe attempts to take over the system registry, what helps it add a link to malware's startup path. The second executable, ScreenLocker_x86.dll, tries to lock up files on the device in a similar way ransomware viruses do.

Although trojan's code written in Delphi^[4] is not entirely complete, it gives security researchers a hint of how cybercrooks are planning to extract money from victims in the future. Locking up users' data increases a chance of retrieving the money. As corporate individuals are less likely to enter their banking details, locking up data on business computers seems like a much more attractive scheme to cybercriminals.

Social engineering is used to mislead even the most computer-savvy individuals

As we have already mentioned, Trickbot authors have been mimicking Lloyds bank. The main email address used by crooks also looks legitimate – secure@lloyds-se.com. Hackers then proceed with the following message:

LLOYDS BANK

This is a LLoyds Bank secure, encrypted message.

Desktop Users: Open file attachment (message_zdm.html) and follow the instructions.

Mobile Users: Get the mobile application

Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender

There is no doubt that some part of users will not look closely enough and open the attachment. Thus, we highly advise users to carefully examine each email which contains links to unknown sites or attachments. If needed, please contact the company the email is allegedly coming from and ask them to confirm the legitimacy. Besides, keep in mind that banks do not ask people to enable the macro function to view any of their documents.

It is highly likely that Trickbot will return using even more sophisticated techniques in the future, as it is already trying to utilize EternalBlue^[5] exploit MS17-010 to infect large networks. Jason Davidson, threat research analyst at Webroot, finishes with the following:

The TrickBot banking trojan remains under continual development and testing in a constant effort by its developers to stay one step ahead.

The easiest way to prevent its attack is installing a sophisticated anti-virus software on the system.

About the author

Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions

References

^ Julie Splinters. TrickBot virus. How to remove? (Uninstall guide). 2-spyware. Cybersecurity news and articles.
^ Jason Davison. TrickBot Banking Trojan Adapts with New Module. Webroot. Official security site.
^ Introduction to Plug and Play. Microsoft. Hardware Dev Center.
^ Delphi (IDE). Wikipedia. The free encyclopedia.
^ Lily Hay Newman. The leaked NSA spy tool that hacked the world. Wired. Online magazine.