The financial trojan TrickBot, the successor to Dyre, has expanded its targets beyond banks to include PayPal, the US-based payment processing giant, and two customer relationship management (CRM) SaaS providers.
The CRM targets were Salesforce.com and an auto sales CRM developed by Reynolds & Reynolds in the US.
According to F5 researchers, this branching out could be because of the potential for collecting valuable user data that could enhance phishing campaigns. TrickBot’s consistent initial attack pattern is to use email spam.
In May, there were two campaigns: a smaller initiative detected included 210 URL targets focused on banks in Australia, UK, Canada, New Zealand, Singapore, India and Ireland, along with PayPal. The larger campaign included 257 URLs for banks in the UK, Australia, US, Canada, Ireland, France, Germany, Switzerland, Hong Kong, the Netherlands and Bulgaria, plus PayPal, a payment processor URL in the UK, and the CRM targets.
“It seems the success of TrickBot thus far has influenced the authors to not only repeat their previous target list of banks from previous campaigns but to expand those targets to include new banks globally as well as CRM providers,” F5 researchers said, in an analysis. “Given the changes we’ve witnessed with each successive campaign, F5 Labs researchers expect to see further evolution in both the targets and methods used by TrickBot.”
Other details show additional evolution in TrickBot’s tactics. When analyzing the two campaigns, six C&C IP addresses were identified, all of which exist within European web hosting provider networks. Three of the six are operated by hosting firms in Asia that use these European web hosting companies’ services. All of them used port 443/HTTPS as a connection method from the infected machine back to the C&C host, a method commonly used by malware authors to evade detection from network security devices that don’t inspect encrypted traffic.
“The fact that C&C servers in these two most recent campaigns reside within web hosting companies is also significant, along with the fact that the C&C servers were different from those used in previous campaigns,” said the researchers.