TrickBot: The Picky Malware


It’s often assumed that malware is created to spread to as many recipients as quickly as possible. With email and social media being the main channels for the spread, you might think that malware infects its victims randomly. However, that’s not always the case. Some malware goes after the big fish, targeting only a specific kind of audience, or even an industry sector.

One such malware that has gained media coverage for mimicking Wannacry is TrickBot. Around late 2016, TrickBot was originally engineered to resemble yet another malware, the Dyre Trojan, in terms of its stealthy infection methods, which include customized redirection attacks, and the way it reaches new endpoints. However, some believe TrickBot was also inspired by Wannacry in its adoption of a worm module to incorporate self-spreading capabilities.

While the characteristics of TrickBot may resemble other Trojan malware, it is pretty unique in terms of its preferred methods of attack, target, and geographical presence. So how does it work and who does it target?

How TrickBot Is Different

The masterminds behind TrickBot use an email spam campaign to spread their malware, using malicious files and attachments in emails as a way to avoid detection by malware scanning software. Those spreading the TrickBot malware have also become experts at using redirection attacks to their advantage.

While other Trojan malware popularized the redirection technique in 2014, TrickBot took it a step further. Most are familiar with how a simple redirection attack works — users are redirected to counterfeit sites hosted on a malicious server where hackers can elicit sensitive information like login credentials or financial information.

A careful user under a simple redirection attack might notice the suspicious change in web address after clicking on a link. However, TrickBot uses an advanced technique in which, instead of hosting a fake website on separate servers, a “live connection” is kept with the original webpage. Therefore, the victim is less suspicious of the site, since the correct URL is displayed in the web address bar and, if SSL is enabled, the page’s digital certificate also appears legitimate.
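Because the address bar and certificate look correct under this kind of attack, a defender has to look at the page content itself. The following is an added example, not code from the original post: it records the input fields a genuine login form is known to have and flags any extra fields that show up in a rendered copy of the page. The HTML samples are constructed for the demo; a real deployment would walk the live DOM rather than parse a string.

```javascript
// Constructed sample: the login form as the legitimate site serves it.
const GENUINE_LOGIN_HTML = `
<form id="login" action="/auth">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>`;

// Constructed sample: the same page after fictional in-transit tampering
// adds prompts for data the real site never asks for at login.
const TAMPERED_LOGIN_HTML = `
<form id="login" action="/auth">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="card_number" placeholder="Card number">
  <input type="password" name="atm_pin" placeholder="ATM PIN">
  <input type="text" name="otp" placeholder="One-time code">
  <input type="submit" value="Sign in">
</form>`;

// Collect the name attribute of every <input> in an HTML fragment.
// A regex is sufficient for this demo; inputs without a name are skipped.
function extractInputNames(html) {
  const names = [];
  const tagRe = /<input\b[^>]*>/gi;
  const nameRe = /\bname\s*=\s*["']?([^"'\s>]+)/i;
  for (const tag of html.match(tagRe) || []) {
    const m = tag.match(nameRe);
    if (m) names.push(m[1].toLowerCase());
  }
  return names;
}

// Baseline: field names captured from a known-good copy of the page.
function buildBaseline(genuineHtml) {
  return new Set(extractInputNames(genuineHtml));
}

// Return field names present in the rendered page but absent from the
// baseline. Any hit means content was added between server and browser.
function findInjectedFields(renderedHtml, baseline) {
  return extractInputNames(renderedHtml).filter((n) => !baseline.has(n));
}

const baseline = buildBaseline(GENUINE_LOGIN_HTML);
console.log(findInjectedFields(TAMPERED_LOGIN_HTML, baseline));
// → [ 'card_number', 'atm_pin', 'otp' ]
```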

TrickBot’s Global Takeover in the Banking Industry

Targeting financial institutions and banking sites elicits the most gains for those behind TrickBot. Because of their ability to redirect users to copy-cat sites, hackers can mimic authentic-looking banking sites and trick users into revealing their personal information. With the malware, hackers can extract and steal login credentials, authentication and security codes, and other personally identifiable information (PII), which they then convert into monetary gains.

By focusing on private banks, wealth management firms, and other types of investment banking, TrickBot has been wildly successful. When it first emerged, it was targeting mainly the English-speaking world — US, Australia, Canada, Singapore and so on — but now its spread spans more than 24 countries. This includes financial institutions in India, Malaysia, Israel, the United Arab Emirates, Finland, Germany and other parts of Europe.

TrickBot has been deemed the “first and only banking Trojan” to spread across this many regions and be dynamic enough to succeed in such diverse linguistic contexts. With research by IBM X-Force indicating that TrickBot currently accounts for 4% of all attacks on a global scale, TrickBot will likely expand its attack scope with increased activity worldwide.

Fighting against malware is a major struggle for many businesses, but knowing which kind of cyber attacks are most prevalent in which industries is a great place to start. The next step, of course, should involve preventive actions. Learn more in our other post on how businesses can keep their websites protected from malware, even from a sneaky malware like TrickBot.