After an investigation Fidelis Cybersecurity experts discovered that the new TrickBot Trojan might be related to the Dyre banking Trojan.
TrickBot Might Be Related to the Dyre Banking Virus
Security researchers from the Fidelis Cybersecurity team have given insight into the new TrickBot Trojan, which has been infecting systems since its appearance. The malware was discovered last month and, based on its characteristics and infection behaviour, the experts have linked it to the old and notorious Dyre banking Trojan.
The Dyre threat disappeared after the Russian authorities arrested the majority of the hackers who were operating it. The new TrickBot Trojan uses a loader (called TrickLoader) that shows striking similarities to the former Trojan. After careful analysis the specialists uncovered several details that bear a remarkable resemblance to Dyre.
The observed attack campaign was against banks in Australia, using web injections performed by the Trojan. The obtained virus code appears to be a rewrite of an older threat, because the coding style is not very consistent. The bot performs almost the same activities and functions as Dyre, with the following notable differences in implementation:
- TrickBot interfaces with the Task Scheduler through COM objects for persistence
- The Trojan uses the Microsoft CryptoAPI instead of an onboard SHA256 hashing routine
- A larger amount of the code is written in C++ instead of C
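The persistence mechanism noted above (scheduled tasks registered through COM) leaves a trace that defenders can monitor: the Windows Security log records every task creation as event 4698, whose TaskContent field carries the task definition XML. The following is an added example (not code from the article, from Fidelis or from IBM) that triages such records with a few simple heuristics. The event records are constructed sample data, and the dictionary field names are assumed simplifications of the event's XML fields.

```python
"""Triage Windows Security event 4698 (scheduled task created) records.

Added example, not from the article. Events are constructed; the
field names are assumed simplifications of the real event XML.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a legitimately installed product rarely runs a task from.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.IGNORECASE)
# Script hosts frequently abused to launch a second stage.
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe")


def parse_task_content(task_xml):
    """Return (command, arguments, trigger names) from a task definition."""
    root = ET.fromstring(task_xml)
    exec_node = root.find(".//t:Actions/t:Exec", TASK_NS)
    command = args = ""
    if exec_node is not None:
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
    triggers = [t.tag.split("}")[1] for t in root.findall(".//t:Triggers/*", TASK_NS)]
    return command.strip(), args.strip(), triggers


def score_task_event(event):
    """Score one event record; returns (score, reasons). Higher is more suspicious."""
    reasons = []
    if event.get("EventID") != 4698:          # only task *creation* events
        return 0, reasons
    command, args, triggers = parse_task_content(event["TaskContent"])
    exe = command.lower().rsplit("\\", 1)[-1]
    if USER_WRITABLE.search(command):
        reasons.append("task binary lives in a user-writable directory")
    if exe in SCRIPT_HOSTS:
        reasons.append(f"task launches script host {exe}")
        if USER_WRITABLE.search(args) or "-enc" in args.lower():
            reasons.append("script host arguments reference a user-writable path or an encoded command")
    if any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        reasons.append("task re-runs at logon/boot (persistence trigger)")
    return len(reasons), reasons


def find_suspicious_tasks(events, threshold=2):
    """Return the events whose score reaches the threshold, with their reasons."""
    hits = []
    for event in events:
        score, reasons = score_task_event(event)
        if score >= threshold:
            hits.append({"task": event["TaskName"], "score": score, "reasons": reasons})
    return hits


def task_xml(command, arguments, trigger):
    """Build a minimal task definition for the constructed samples below."""
    return (f'<Task xmlns="{TASK_NS["t"]}"><Triggers><{trigger}><Enabled>true</Enabled>'
            f'</{trigger}></Triggers><Actions><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')


# Constructed sample events: one benign built-in task, one persistence-style
# task dropped under a user profile, and one task *update* event that is ignored.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "SubjectUserName": "SYSTEM",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$", "CalendarTrigger")},
    {"EventID": 4698, "TaskName": r"\WinUpdateTask", "SubjectUserName": "alice",
     "TaskContent": task_xml(r"C:\Users\alice\AppData\Roaming\WinUpdate\winupd.exe", "", "LogonTrigger")},
    {"EventID": 4702, "TaskName": r"\WinUpdateTask", "SubjectUserName": "alice",
     "TaskContent": ""},
]

if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_EVENTS):
        print(hit["task"], hit["score"], "; ".join(hit["reasons"]))
```

The heuristics are deliberately coarse; in production they would be paired with a baseline of the tasks a given fleet normally creates, and the score threshold tuned against that baseline.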
TrickBot uses a custom cryptography module that is also used by the Vawtrak, Pushdo and Cutwail malware. The loader itself appears to be constructed in a very similar manner to Dyre's.
According to Fidelis and other cyber security experts, it can be presumed that some of the Dyre operators, or another hacker group, have used the Dyre code to create a new Trojan targeting various companies. And while TrickBot is not a direct clone of the old banking Trojan, it can be thought of as an upgraded and much improved threat.
A Rising TrickBot Attack In The UK
Security specialists from IBM X-Force have reported that the TrickBot malware has already staged several attacks using two advanced browser manipulation techniques: redirection attacks and server-side injections.
The initial attacks TrickBot made were against banks in Australia and Canada. Its latest iteration has become a specialised banking Trojan used in a wide variety of attacks.
Some of the biggest Trickbot campaigns targeted banks in the United Kingdom using custom redirection attacks. This method manipulates the output that is displayed in the web browsers of the victims.
According to the analysis, the virus has been distributed through malicious ads served by the RIG exploit kit, as well as through several other channels, including malicious email attachments and malicious Office macros embedded in various documents.
These may be used in the early stages of an operation, and some experts state that this is proof that the remote attackers are clearly targeting big business accounts.