Trickbot Focuses on Wealth Management Services from its Dyre Core

2024 Cybersecurity Predictions


Figure 6: Targets by Industry

Notable Target Drops

European banks have continually been a top target of TrickBot, and although there was growth in targets in that region, Europe stands out more in this configuration because Australia and New Zealand targets dropped off, thereby boosting Europe’s portion of the pie. There were no New Zealand targets in this configuration, and only four in Australia.

Another notable drop was PayPal, which drove a significant portion of US interest in previous configurations. Because PayPal was not targeted this time, the US dropped in overall % of targets.

TrickBot Targets are Directly from Dyre Circa 2015

What’s most interesting about the URL targets is that they replicate Dyre’s targets from 2015.3 Ninety-five percent of the URLs in TrickBot v24 were also targeted by Dyre in 2015. It is widely believed that TrickBot and Dyre were written by the same authors because of code similarities. Specifically, they have the same loaders, encryption and decryption routines, structure of configuration files, and inter-process communication. The fact that both trojans target the same URLs just adds to the parallels and resulting conclusion that the same actors are likely behind both trojans.

Although almost all of TrickBot’s URLs came from Dyre, not all of the Dyre URLs are present in this TrickBot configuration. In fact, TrickBot has some URL formulations that target a specific subdomain of a bank, but it doesn’t use all the URLs for that subdomain that exist in the Dyre target list. This suggests someone is selectively choosing which URLs from the Dyre list to use.

In researching the Dyre–TrickBot connection, we noticed that Salesforce and Reynolds & Reynolds appeared on the Dyre target list in the same formulation. Therefore, it’s not actually surprising that TrickBot “expanded” into CRMs. This has been a behavior of financial malware for quite some time.

Some URLs in the TrickBot list do not appear on any published Dyre list that we found. Most of these are variations on URLs that can be found in the Dyre list. This suggests that the TrickBot authors are attempting to improve at least some of the Dyre URLs—although there are still many URLs that don’t resolve anymore. Most of the “improvements” from Dyre to TrickBot are to UK and Swedish banks.

Almost Thirty Percent of Targets Have Wealth Management Specialties

Fifty of the 177 businesses targeted specialize in or offer wealth management services. Wealthy individuals are more likely to have multiple card holders on one account (who could be in multiple global positions at the same time), and process high value transactions frequently. These types of customers also have low patience for fraud holds. This type of behavior profile makes it more difficult for banks to implement the standard behavioral-based fraud controls that most financial institutions rely on now. This could make them a great target for attackers, and perhaps is one of the reasons why the targets have remained consistent over the years, beginning with Dyre in 2015.

 

Institutions with a Wealth Management Focus and/or Services Country
Andbank Andorra
Aktia Bank Finland
Danske Bank Global
Arab Bank Jordan
Baltic International Bank Latvia
Medicinos Bankas Lithuania
DBS Bank Singapore
OCBC Bank Singapore
Investec South Africa
Banca March Spain
Banco Mediolanum Spain
Carnegie Sweden
Catella Sweden
DNB Bank Sweden
Erik Penser Bank Sweden
Bank Cler Switzerland
Bank von Roll Switzerland
Barclays Bank Switzerland
BHF-Bank Switzerland
Julius Baer Switzerland
Neue Helvetische Bank Switzerland
Valiant Switzerland
Abu Dhabi Islamic Bank UAE
Mashreq Bank UAE
United Arab Bank UAE
Adam and Company UK
Aldermore Bank UK
Arbuthnot Latham UK
Barclays Bank UK
Butterfield Bank UK
C. Hoare & Co UK
Cater Allen UK
Close Brothers Asset Management UK
Coutts UK
Credit Suisse UK
Gerrard Investment Management UK
Hargreaves & Lansdown UK
HSBC Bank UK
Investec UK
J.P.Morgan UK
Kleinworth Benson UK
Rathbone Brothers UK
St. James’s Place Bank UK
Standard Life Savings Limited UK
Tilney UK
Toronto-Dominion Bank UK
Triodos Bank UK
Yorkshire Bank UK
Merrill Lynch US
Voya US



Source link
lol

Figure 6: Targets by Industry Notable Target Drops European banks have continually been a top target of TrickBot, and although there was growth in targets in that region, Europe stands out more in this configuration because Australia and New Zealand targets dropped off, thereby boosting Europe’s portion of the pie. There were no New Zealand…

Leave a Reply

Your email address will not be published. Required fields are marked *