TrickBot Enhances Attack Vector with Handpicked Targets

TrickBot operators in the UK, Australia and Germany have been adding new redirection attacks on a slew of highly targeted marks, according to analysis from IBM X-Force.

Researcher Limor Kessem saw that the bad actors are starting to handpick their targets, including a Sharia law-compliant bank.

This is “interesting because banking activity consistent with the principles of Sharia law prohibits certain exchanges such as interest fees and investment in business types unacceptable in Islam,” he said in an analysis. “I have not seen this bank listed as a mark in the past eight years of analyzing malware targets.”

Private banks, private wealth management firms, investment banking and a retirement insurance and annuity company are all listed targets. TrickBot also has added 20 new private banking brands to its regular attack roster, as well as eight building societies. Also added were two Swiss banks, a few private banking platforms in Germany and four investment banking firms in the US.

“The operators have been doing a lot of homework,” Kessem added. “One of the new targets is among the oldest banks in the world, located in the UK.”

IBM X-Force has found that TrickBot activity has grown from a rate of one to three major campaigns per month to five campaigns already in April.

“It is possible that TrickBot’s operators are increasing their spam runs in the target geographies and attempting to infect more endpoints before going into an attack phase next,” Kessem said.

TrickBot uses browser manipulation techniques that enable the malware to implement server-side web injections and redirection attacks.

“This malware was one to watch in 2017,” Kessem said. “The expanded target list, as well as the focus on new brands and high-value account types, means that this nefarious group is setting its sail and likely plans to deploy its crimeware in new territory.”
