IBM Trusteer reported that “malware injections have been fitted with additional protection to keep researchers out and get past security controls. TrickBot is one of the most modular and advanced Trojans. It employs a variety of injections, some of which are highly advanced, to deceive both users and service providers in order to commit bank fraud. In the case of TrickBot, injections can be retrieved either locally from configuration files or in real-time from the attacker’s inject server.”
Microsoft joined forces with a number of US government agencies and private security firms to combat the TrickBot botnet, shutting down much of its infrastructure around the world in an attempt to stop its operations.
TrickBot has nevertheless proven resilient to takedown attempts: its operators quickly adjusted their techniques to propagate multi-stage malware through phishing and malspam campaigns, and expanded their distribution channels by partnering with other affiliates such as Shathak (aka TA551) to increase scale and drive profits.
IBM Trusteer has detected new updates to the real-time web injections TrickBot uses to steal banking credentials and browser cookies. As part of a man-in-the-browser (MitB) attack, the injections send victims to attacker-controlled replica domains when they attempt to navigate to a banking portal.
Man-in-the-browser (MitB) attacks let an attacker intercept and alter the communication between a user and a remote service from inside the compromised browser, after TLS has been stripped on the way in and before it is applied on the way out, so neither the user nor the bank sees the tampering on the wire. Banking Trojans are the most common users of this technique during web sessions. MitB scripts are designed to modify data leaving the browser on the fly so that what reaches the bank’s server conforms to the criminal’s requirements.
A server-side injection mechanism is also used: the malware intercepts the response from the bank’s server and forwards it to an attacker-controlled server, which inserts additional code into the web page before relaying it back to the user.
The latest version of TrickBot includes encrypted HTTPS communication with the command-and-control (C2) server for fetching injections; an anti-debugging mechanism to thwart analysis; and new ways to obfuscate and hide the web inject, such as adding redundant code and using hex representation for variable setup.
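As an added illustration (not code from the IBM Trusteer report and not TrickBot's own inject), the following Python helper shows how an analyst peels off one of the obfuscation layers described above: string literals written as hex escapes. The inject snippet it operates on is constructed for this example, and the assumption that "hex representation for variable setup" takes the form of JavaScript \xNN / \uNNNN string escapes is mine; the report does not show the real inject code. The snippet also carries a no-op statement standing in for the redundant code the report mentions.

```python
import re

# Constructed sample inject for this example (NOT TrickBot's real code). Strings are
# hidden as \xNN escapes and a no-op statement is added as redundant padding,
# mirroring the obfuscation tricks described in the report.
SAMPLE_INJECT = r'''
var _0x4e2a = ["\x61\x63\x63\x6f\x75\x6e\x74", "\x68\x74\x74\x70\x73\x3a\x2f\x2f\x69\x6e\x6a\x65\x63\x74\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2f\x67\x61\x74\x65"];
var _0x11b3 = 0; _0x11b3 = _0x11b3 + 0;
document.getElementById(_0x4e2a[0]).value = fetchFromServer(_0x4e2a[1]);
'''

# JavaScript \xNN and \uNNNN escapes (assumed form of the "hex representation")
ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})')
# Double- or single-quoted JS string literals, allowing escaped characters inside
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
URL = re.compile(r'^https?://', re.IGNORECASE)


def decode_escapes(text):
    """Replace \\xNN / \\uNNNN escapes with the characters they encode."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def recover_strings(script):
    """Return every string literal in the script with its escapes decoded."""
    out = []
    for m in STRING_LITERAL.finditer(script):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        out.append(decode_escapes(body))
    return out


def find_urls(script):
    """Decoded string literals that look like URLs: candidate inject/C2 endpoints."""
    return [s for s in recover_strings(script) if URL.match(s)]


def deobfuscate(script):
    """Rewrite the script with every hex/unicode escape decoded, for reading."""
    return decode_escapes(script)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_INJECT))
    print("strings:", recover_strings(SAMPLE_INJECT))
    print("urls:", find_urls(SAMPLE_INJECT))
```

Run against a captured inject, this turns the opaque array lookups into readable field names and endpoints, which is usually enough to see which form fields the script touches and where it phones home. Escape decoding is only the first layer: padding statements and renamed variables still have to be read by hand or with a JavaScript-aware tool.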
Finally, the researchers concluded that “The TrickBot Trojan and the gang that runs it have been a cyber crime staple since taking over when a predecessor, Dyre, went bust in 2016. TrickBot has not taken a single day off. It has been diversifying its monetization models and growing stronger in the face of takedown attempts and a global pandemic.”
Indicators of Compromise (SHA-1)
- jquery-1.10.1.js: 5acd3cddcc921bca18c36a1cb4e16624d0355de8
- downloader js: ae1b927361e8061026c3eb8ad461b207522633f2
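To make the hashes above actionable, here is an added Python example (not part of the original report) that streams every .js file under a directory through SHA-1 and flags any whose digest matches the indicators. The demo() function builds a temporary directory with constructed files and registers one constructed hash as an extra indicator so the match path can be exercised offline; the two real indicators are copied from the list above.

```python
import hashlib
import os
import sys
import tempfile

# SHA-1 indicators from the list above; the value is a label for reporting
TRICKBOT_IOCS = {
    "5acd3cddcc921bca18c36a1cb4e16624d0355de8": "jquery-1.10.1.js (TrickBot web inject)",
    "ae1b927361e8061026c3eb8ad461b207522633f2": "downloader js",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so large files do not need to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root, iocs=TRICKBOT_IOCS, extensions=(".js",)):
    """Walk root and return (path, sha1, label) for every file whose hash is an IOC.

    extensions limits hashing to likely candidates; pass None to hash everything.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if extensions and not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo():
    """Constructed offline check: one benign file, one file whose hash is registered as an IOC."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "site.js")
        with open(benign, "wb") as fh:
            fh.write(b"console.log(1);")
        sample = os.path.join(tmp, "jquery-1.10.1.js")
        with open(sample, "wb") as fh:
            fh.write(b"hello")  # constructed content, NOT the real malicious file
        iocs = dict(TRICKBOT_IOCS)
        iocs[sha1_of_file(sample)] = "constructed test sample"
        return [(os.path.basename(p), d, label) for p, d, label in scan_directory(tmp, iocs)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, label in scan_directory(target):
        print(f"MATCH {digest}  {path}  ({label})")
```

Hash matching is a narrow check: the report notes that injections can be fetched in real time from the inject server rather than stored locally, so a clean scan does not clear a host, while a hit is strong confirmation. Point the script at browser cache directories, download folders and web roots, and extend TRICKBOT_IOCS as further hashes are published.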