• During June and July, F5 researchers first noticed Trickbot campaigns aimed at a smaller set of geographically oriented targets and did not use redirection attacks—a divergence from previous Trickbot characteristics.
• In this research, we compared two different target configurations, one older, more “traditional” configuration that uses redirection, and a new Trickbot configuration that does not us redirection and exclusively uses dynamic injection.
• The vast majority of all spotted Trickbot campaigns target US financial services institutions; a much smaller percentage target other industries, including cryptocurrencies, credit card companies, and e-commerce.
• Notably, the access pages of financial services institutions, including single sign-on pages, are the most targeted, which indicates that access is still imperative in order to conduct lucrative cybercriminal attacks.

Trickbot, one of today’s most active banking trojans, was first reported on in 2016. It was originally known for its geographically centered campaigns targeting only the financial services industry. But it quickly expanded its targets to include credit card, wealth management, customer relationship management software companies. (For more background on Trickbot, check out the F5 Labs banking malware reference guide.)

Since 2016, Trickbot campaigns have continued to evolve. New campaigns are pivoting to be much more regionally focused, and they exploit using only one type of attack: dynamic Injection (Dinj), also known as server-side injection. The details of these attacks are stored in Dinj files. While the dynamic injection technique isn’t new, it is the first time it has been applied by Trickbot in such a geographically centered campaign.

Over the last few months, F5 researchers have gathered target configuration files from Trickbot campaigns and, for this analysis, compared two of the most different ones. (Note that the traditional Trickbot configuration we analyzed has not been active over the last four months.) Since there is such a stark difference in Trickbot’s current tactics, we used the older configuration as a comparison, which highlights Trickbot’s transition to attacking without redirection, because it is so much more sophisticated. The configurations we compared are v459, composed of new Trickbot tactics of shorter target lists and no redirection, and v420, a more traditional configuration that utilizes both redirection and dynamic injection attacks and has a very long target list.

Active Campaigns Without Redirection

Historically known for using redirection attackA user is forwarded from a trusted site to another, possibly malicious site.s, Trickbot is not using this tactic in some of its latest target configurations. This change, first noticed by F5 researchers in June and July, continues in August and September 2019. Along with the absence of target lists, redirection is also absent in the encrypted webinject files from the latest campaigns. There is no trace of the previous redirection targets alongside Dinj elements. While this seems to be an intentional shift in tactics, Trickbot continues to target the financial services industry, with 91% of targets on the v459 target list falling into this industry.