While a great deal of the research focus on botnet trojans is on the multipurpose utility of this malware, many of these same tools are still used for direct financial crime and fraud. Their configuration data provides prima facie insight into some of the means of monetary gain preferred by threat actors. An example can be found in the most recent rounds of TrickBot malware configurations. These XML documents describe the targeted login pages for online services and the action the malware is to take when a victim visits one. Many of the targeted resources reference the login pages of online banking portals, as is typical for malware with financial-crime capabilities. However, TrickBot's targeting of cryptocurrency wallet services also provides an interesting insight into this malware's targeting and its relationship to its predecessor, the Dyre trojan.
The TrickBot malware has been a fixture of the threat landscape in 2017, appearing several times each month in distributions of varying volume. It provides much of the botnet and financial-crime functionality that made the Dyre malware such a success in 2014 and 2015. However, during the first months of TrickBot's use, many of the refinements and careful nuances that made the Dyre trojan a high-quality malware utility were missing. As time has passed, the quality of implementation and the scope of usage of this malware have grown to more closely approximate its Dyre predecessor.
Figure 1 – Frequency of TrickBot usage has been on a steady increase through the middle of 2017
One place in which this maturity is evident is the length and precision of the XML configuration documents delivered to TrickBot samples residing on infected machines. The most naive and simplistic way to measure the breadth of targeting is to count the number of pages that trigger the financial-crime functionality of this malware. Once triggered, the malware leverages a number of techniques to collect information entered by the page's visitors. One TrickBot sample analyzed received a configuration document containing instructions for the targeting of 663 locations related to a wide variety of financial institutions. Comparing this to a configuration pushed to a Dyre trojan sample at the peak of that malware's usage shows that TrickBot is targeting almost as many locations: 663 to Dyre's 838. This gap can be expected to keep closing as time passes.
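The count above comes from reading the configuration's trigger entries. The following added example (not code from the original post, and not the real TrickBot configuration format) shows how a defender can repeat that measurement and check which of an organization's own login URLs a configuration would trigger on; it assumes a hypothetical `<target>`/`<url>`/`<action>` schema and a constructed sample document.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample in a hypothetical schema; the real TrickBot config format is not
# reproduced here. Each <target> pairs a URL trigger pattern with the action to take.
SAMPLE_CONFIG = """<config>
  <target><url>*onlinebank.example/login*</url><action>grab</action></target>
  <target><url>*onlinebank.example/login*</url><action>grab</action></target>
  <target><url>*creditunion.example/auth/*</url><action>inject</action></target>
  <target><url>*btc-wallet.example/signin*</url><action>grab</action></target>
  <target><url>*coin-exchange.example/account*</url><action>inject</action></target>
</config>"""


def parse_targets(xml_text):
    """Return the (url_pattern, action) pairs in document order, normalized to lowercase."""
    root = ET.fromstring(xml_text)
    targets = []
    for node in root.iter("target"):
        url = (node.findtext("url") or "").strip().lower()
        action = (node.findtext("action") or "").strip().lower()
        if url:
            targets.append((url, action))
    return targets


def count_unique_locations(xml_text):
    """Breadth of targeting as measured above: the number of distinct trigger patterns.

    Duplicate entries are collapsed so that repeated patterns do not inflate the count.
    """
    return len({url for url, _ in parse_targets(xml_text)})


def matching_targets(xml_text, candidate_urls):
    """Map each candidate URL to the config entries whose glob-style pattern matches it.

    Useful for checking whether an organization's own login pages appear in a config.
    """
    targets = parse_targets(xml_text)
    hits = {}
    for cand in candidate_urls:
        matched = [(p, a) for p, a in targets if fnmatchcase(cand.lower(), p)]
        if matched:
            hits[cand] = matched
    return hits
```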
In addition to the extensive targeting of online financial and banking services users, recent TrickBot configurations have revealed an interest in the collection of information related to major online Bitcoin wallet services. This demonstrates that TrickBot’s threat actors view cryptocurrency on par with more traditional monetary assets.
Figure 2 – Configuration elements referring to the targeting of cryptocurrency wallet services
These TrickBot configuration documents are delivered to infected hosts within minutes of the initial check-in with the malware's command and control host and reveal the financial-crime facet of this botnet's functionality. They likely serve as the baseline for the malware's behavior before more specialized functionality is enabled. In addition to serving as a tool for financial crime, additional modules and malware tools can be delivered to machines infected with TrickBot to expand the malware's reach and adapt its functionality to serve the threat actor's mission within an organization.