Trickbot Rapidly Expands its Targets in August, Shifting Focus to US Banks and Credit Card Companies
- by nlqip
Figure 13: Top TrickBot C&C hosting networks by ASN owner, geo, and count
Conclusion
The configurations we analyzed initially showed TrickBot shifting away from the Nordic countries and into France, Spain, the US, and the UK; for a time it appeared that the malware's targeting was narrowing to fewer countries and becoming more refined. By v32, however, the targets had broadened again, suggesting that the threat actors behind TrickBot reached a phase of development where it made sense to deploy all of their targets together, all at once.
What stood out as unusual in our analysis was the rise in US-based targets, especially credit card companies. Previously we had only seen banks and wealth management providers targeted. Alongside the credit card companies, we have seen some net new URLs appear; this indicates some effort is being placed on refining the target set, but there is still an overwhelming reliance on the target set found in the Dyre malware, circa late 2015.
This partly explains how TrickBot is able to go through so many iterations so quickly. Researching the appropriate URLs for every financial services provider in a given country is time consuming and difficult, but almost all of that work has already been done. TrickBot's authors can simply take the set of URLs they want from Dyre, make some tweaks to reflect changes in banks' login sequences, and spend the rest of their time making the code itself more effective. We anticipate that TrickBot will continue to focus on the same firms Dyre targeted through 2015, and will continue to make small modifications to the URLs to improve the effectiveness of its targeting.
Our initial look at how TrickBot behaved through August shows that it is evolving even faster, but our recommendations for mitigating this malware remain largely the same. TrickBot spreads at least in part through spam and phishing campaigns, so security professionals within financial services firms should continue working with their legal teams on appropriate language to encourage customers to be more aware of social engineering and security risks. When users still click on links or download files they shouldn't, advanced web protection services can help firms detect and mitigate banking trojans so that infected users' accounts aren't compromised, even when their devices are.
Appendix A: TrickBot Config Screenshots