Trickbot Focuses on Wealth Management Services from its Dyre Core
Figure 6: Targets by Industry
Notable Target Drops
European banks have continually been a top target of TrickBot, and although there was growth in targets in that region, Europe stands out more in this configuration because Australia and New Zealand targets dropped off, thereby boosting Europe’s portion of the pie. There were no New Zealand targets in this configuration, and only four in Australia.
Another notable drop was PayPal, which drove a significant portion of US interest in previous configurations. Because PayPal was not targeted this time, the US dropped in overall % of targets.
TrickBot Targets are Directly from Dyre Circa 2015
What’s most interesting about the URL targets is that they replicate Dyre’s targets from 2015.3 Ninety-five percent of the URLs in TrickBot v24 were also targeted by Dyre in 2015. It is widely believed that TrickBot and Dyre were written by the same authors because of code similarities. Specifically, they have the same loaders, encryption and decryption routines, structure of configuration files, and inter-process communication. The fact that both trojans target the same URLs just adds to the parallels and resulting conclusion that the same actors are likely behind both trojans.
Although almost all of TrickBot’s URLs came from Dyre, not all of the Dyre URLs are present in this TrickBot configuration. In fact, TrickBot has some URL formulations that target a specific subdomain of a bank, but it doesn’t use all the URLs for that subdomain that exist in the Dyre target list. This suggests someone is selectively choosing which URLs from the Dyre list to use.
In researching the Dyre–TrickBot connection, we noticed that Salesforce and Reynolds & Reynolds appeared on the Dyre target list in the same formulation. Therefore, it’s not actually surprising that TrickBot “expanded” into CRMs. This has been a behavior of financial malware for quite some time.
Some URLs in the TrickBot list do not appear on any published Dyre list that we found. Most of these are variations on URLs that can be found in the Dyre list. This suggests that the TrickBot authors are attempting to improve at least some of the Dyre URLs—although there are still many URLs that don’t resolve anymore. Most of the “improvements” from Dyre to TrickBot are to UK and Swedish banks.
Almost Thirty Percent of Targets Have Wealth Management Specialties
Fifty of the 177 businesses targeted specialize in or offer wealth management services. Wealthy individuals are more likely to have multiple card holders on one account (who could be in multiple global positions at the same time), and process high value transactions frequently. These types of customers also have low patience for fraud holds. This type of behavior profile makes it more difficult for banks to implement the standard behavioral-based fraud controls that most financial institutions rely on now. This could make them a great target for attackers, and perhaps is one of the reasons why the targets have remained consistent over the years, beginning with Dyre in 2015.
| Institutions with a Wealth Management Focus and/or Services | Country |
| Andbank | Andorra |
| Aktia Bank | Finland |
| Danske Bank | Global |
| Arab Bank | Jordan |
| Baltic International Bank | Latvia |
| Medicinos Bankas | Lithuania |
| DBS Bank | Singapore |
| OCBC Bank | Singapore |
| Investec | South Africa |
| Banca March | Spain |
| Banco Mediolanum | Spain |
| Carnegie | Sweden |
| Catella | Sweden |
| DNB Bank | Sweden |
| Erik Penser Bank | Sweden |
| Bank Cler | Switzerland |
| Bank von Roll | Switzerland |
| Barclays Bank | Switzerland |
| BHF-Bank | Switzerland |
| Julius Baer | Switzerland |
| Neue Helvetische Bank | Switzerland |
| Valiant | Switzerland |
| Abu Dhabi Islamic Bank | UAE |
| Mashreq Bank | UAE |
| United Arab Bank | UAE |
| Adam and Company | UK |
| Aldermore Bank | UK |
| Arbuthnot Latham | UK |
| Barclays Bank | UK |
| Butterfield Bank | UK |
| C. Hoare & Co | UK |
| Cater Allen | UK |
| Close Brothers Asset Management | UK |
| Coutts | UK |
| Credit Suisse | UK |
| Gerrard Investment Management | UK |
| Hargreaves & Lansdown | UK |
| HSBC Bank | UK |
| Investec | UK |
| J.P.Morgan | UK |
| Kleinworth Benson | UK |
| Rathbone Brothers | UK |
| St. James’s Place Bank | UK |
| Standard Life Savings Limited | UK |
| Tilney | UK |
| Toronto-Dominion Bank | UK |
| Triodos Bank | UK |
| Yorkshire Bank | UK |
| Merrill Lynch | US |
| Voya | US |
Source link
lol
Figure 6: Targets by Industry Notable Target Drops European banks have continually been a top target of TrickBot, and although there was growth in targets in that region, Europe stands out more in this configuration because Australia and New Zealand targets dropped off, thereby boosting Europe’s portion of the pie. There were no New Zealand…