TrickBot Update Indicates Shifting Focus Back to Banking Fraud

TrickBot is a name that anyone who reads up on malware and security news must have ran across at some point in time. What originally started as the TrickBot banking trojan back in 2016 and was primarily used to steal banking and card information from victims, slowly evolved into a multi-purpose modular malware toolkit.

Even though for the past couple of years TrickBot was primarily used as a vehicle to deliver ransomware including the infamous Ryuk and Conti families, its latest update indicates that the bad actors behind the malware are looking to sharpen its banking fraud and theft capabilities once again, with a possible shift of focus back to stealing credentials.

Security researchers working with Kryptos Logic Threat Intelligence have been looking into the newest versions of TrickBot and their findings are intriguing. TrickBot is adding credential theft mechanisms that resemble those found in the Zeus banking trojan, with the ability of the malware to execute man-in-the-browser attacks. This is achieved using web injections.

When a victim infected with the latest version of TrickBot attempts to open a legitimate banking website, the malware's web injection module comes into play. The injection can be both static or dynamic, with the static version routing the user to a hacker-controller website that mimics the legitimate banking service. Once the user enters their credentials in the fake page, it's easy to imagine what happens next.

The dynamic injection is more sophisticated and involved forwarding the server's response to the command and control servers of TrickBot, where the page source is dynamically altered. The malware-laced page is then returned to the user's browser, acting as though it was loaded up from the legitimate banking site.

The similarity with Zeus comes in the update to the web inject module, which now contains what researchers call "Zeus-style" injection configuration settings. This gives TrickBot yet another way to dynamically alter pages served to the victim's browser.

The reason why hackers still copy bits and pieces of Zeus, even though the Zeus trojan has had its source code leaked for a decade now, is that it was the pinnacle of banking trojans for a long time and some of those techniques, when modified to fit the needs of current-day malware, still pull their weight.

In summary, researchers pointed out that the new functionality may indicate the threat actor behind TrickBot may be looking to expand on their malware service platform and allow licensees and budding new hackers who use TrickBot to write their own web injection configurations and modules.

By Zaib
July 6, 2021
Computer Security
English
July 6, 2021
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

5 years ago

What is the OperaGXSetup.exe File and is it Malicious?

11 months ago

Eporner.com And Why Its Excessive Pop-Ups Are Risky

11 days ago

HackTool:Win32/Crack: a Malicious Threat That Can Seriously...

7 months ago

Take Note: Someone Added You As Their Recovery Email Scam

10 months ago

A Potentially Serious Threat: Trojan:Win32/Suschil!rfn

18 days ago

Related Posts

How To

Windows Update Not Working

Applying the latest Windows Updates is essential if you want to maintain the security, health, and functionality of your computer. Typically, Windows is very smart about these updates and installs them when you are... Read more

April 8, 2021
Computer Security

Brazilian Banking Trojan Switches Distribution Method

A banking Trojan used primarily in Brazil has switched up its game. Previously being distributed primarily through pornography, the Trojan, which goes by several different names, has made the evolutionary step to... Read more

May 5, 2021
How To

How to Update USB Drivers

The USB connection has been one of the most important things about modern computers – it allows us to easily connect all sorts of peripherals to our computers, therefore extending their functionality. Most of you are... Read more

June 23, 2021
English
Loading...

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2025 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.