TrickBot Trojan Now Targets Private Banks

Malware is now hand picking private banks, as IBM warns of ‘skyrocketing’ breaches of financial data

IBM security researchers have warned about a change in tactics by the operators of the TrickBot Trojan.

The company’s analysis of the attack patterns of the Trickbot malware in the UK, Australia and Germany, found that private banks, private wealth management firms, investment banking, and even a retirement insurance and annuity company are now in its cross-hairs.

It comes as IBM X-Force warned in a separate report that financial services was the most targeted industry by cybercriminals in 2016.

trojanDridex Rival

The report found that breaches of financial records in 2016 had skyrocketed more than 900 percent to over 200 million records – despite the fact that the number of successful attacks against the industry had dropped 51 percent.

Meanwhile the new TrickBot is now actively targeting private banks, and one of its new targets is said to be one of the oldest banks in the world, located in the UK.

In the UK, Germany, Australia, and New Zealand, the malware has gone from 1-3 major campaigns per month, to 5 campaigns already in April, Limor Kessem, a cybersecurity evangelist at IBM X-Force, warned in a blog post.

She said it was possible that TrickBot’s operators are increasing their spam runs in the target geographies and attempting to infect more endpoints before going into an attack phase next.

And Kessem said she expects to see TrickBot climb up the global chart of financial malware families, reaching similar magnitude as the Dridex Trojan, and possibly outnumbering Dridex attacks by year’s end.

Changing Focus

“TrickBot is sharpening its focus on business banking, too, adding some rare finds to its more usual hit list,” Kessem warned.

“A Sharia law-compliant bank, for example, is among the new brands targeted, which is interesting because banking activity consistent with the principles of Sharia law prohibits certain exchanges such as interest fees and investment in business types unacceptable in Islam, I have not seen this bank listed as a mark in the past eight years of analyzing malware targets.”

The researcher said that in the UK, TrickBot has added 20 new private banking brands to its regular attack roster, as well as eight building societies.

Other additions are two Swiss banks, a few private banking platforms in Germany and four investment banking firms in the US.

It seems that geographically speaking, the UK is bearing the brunt of these attacks, closely followed by Australia. Germany and the US occupy the third and fourth spot respectively.

Virulent Malware

Dridex, also known as Bugat and Cridex, has been one of the most virulent forms of malware hitting the financial sector over the past few years.

In January 2016, Dridex was redeveloped by Evil Corp, the cybercrime group that owns and operates the banking trojan, in order to give it it a new attack methodology.

Dridex originates in Eastern Europe (namely Moldova) and ithe National Crime Agency has previously warned that it was responsible for losses of £20 million in the UK alone.

It works by infecting Windows PCs when users receive and open Office documents in seemingly legitimate emails.

The trojan reportedly records login and password details used to access online banking services and sends the information to the attackers who then use the information to steal from bank accounts.

Quiz: Do you know all about security in 2016?