Webroot Finds Trickbot Banking Trojan Variant

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Veteran banking trojan refreshed with ransomware capabilities if victims don’t yield financial data

The criminal authors behind the veteran TrickBot banking trojan have modified it with a capability to “lock” the victim’s machine.

The addition of this ransomware-like capability was revealed by Webroot, which has also just launched its 2018 Annual Threat Report.

That report documents the increasing sophistication of phishing, malware, and cryptojacking, and warns that legacy cybersecurity defences will not keep pace with new ransomware and cryptojacking threats.

Ransomware TrickBot

The news that the TrickBot banking trojan has been modified was revealed in a blog posting by Jason Davison, Webroot’s advanced threat research analyst.

He wrote that last week Webroot had noticed that TrickBot had downloaded a new but unfinished “screenLocker” module that had not been seen in the wild before.

“It appears that the TrickBot authors are still attempting to leverage MS17-010 and other lateral movement methods coupled with this module in an attempt to create a new monetization scheme for the group,” he wrote.

“This is the first time TrickBot has shown any attempt at ‘locking’ the victim’s machine,” wrote Davison of the new module.

“If the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group’s business model,” he added. “Locking a victim’s computer before you are able to steal their banking credentials alerts the victim that they are infected, thus limiting the potential for credit card or bank theft. However, extorting victims to unlock their computer is a much simpler monetization scheme.”

Davison said this locking functionality is only deployed after the malware has spread through unpatched corporate networks.

“In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well,” he warned. “The authors appear to be getting to know their target audience and how to best extract money from them. On a corporate network, where users are unlikely to be regularly visiting targeted banking URLs, exfiltrating banking credentials is a less successful money-making model compared to the locking of potentially hundreds of machines.”

Breach notifications

This is not the first time that the criminals behind the TrickBot trojan have changed their tactics.

Last year, for example, IBM security researchers warned that their analysis of TrickBot attack patterns in the UK, Australia and Germany found that private banks, private wealth management firms, investment banks, and even a retirement insurance and annuity company were now in its cross-hairs.

The financial sector has traditionally been a popular target for malware, but matters have not been helped by the refusal of banks and financial institutions to come clean about successful attacks.

However, last year it was revealed that banks in the European Union that are directly regulated by the European Central Bank (ECB) will be subject to new breach notification requirements alongside the incoming General Data Protection Regulation (GDPR).

This means that banks under the rule of the ECB will have to “report all significant cyber incidents” in an effort to crack down on cyber attacks across the industry.
