The financial trojan TrickBot has been updating its campaigns and targets since F5 malware researchers started following it in September 2016. This is expected behavior because attackers need to continually update their targets and methods to evade detection. Previously, TrickBot, the successor to Dyre, targeted financial institutions in Europe, Australia, New Zealand, and Canada. TrickBot’s May 2017 campaigns targeted banks in the UK, Australia, US, Canada, New Zealand, Ireland, France, Germany, Switzerland, the Netherlands, Bulgaria, India, Singapore, and Hong Kong.

In the 26 TrickBot configurations F5 researchers analyzed that were active in May 2017, targets expanded beyond banks to include two payment processing providers and two Customer Relationship Management (CRM) SaaS providers. The fact that payment processors were targets was a notable change that we also observed in Marcher, an Android banking trojan in March of 2017. It appears now that CRMs are a new target of attackers; is it because of their potential for collecting valuable user data that could enhance phishing campaigns?

What’s also notable (and expected) is that all command and control (C&C) servers tied to the most recent campaigns reside within web hosting provider networks and were communicating with their infected hosts over port 443. We know attackers hide their exploits in encrypted traffic; this is just another point of reference to prove it is a consistent and common method being used. Additionally, none of the C&Cs we observed in May 2017 were the same C&Cs we tracked in late 2016.

May 2017 Campaigns

This analysis focuses on the activities of two separate campaigns of different sizes identified in the 26 configurations analyzed, versions “1000018” and “1000019.” The smaller campaign detected included 210 URL targets focused on banks in Australia, UK, Canada, New Zealand, Singapore, India, and Ireland, and a payment processor in the US. The larger campaign detected included 257 URLs for banks in the UK, Australia, US, Canada, Ireland, France, Germany, Switzerland, Hong Kong, the Netherlands, and Bulgaria. The same US payment processor was targeted across both campaigns, however, the CRM targets only appeared in the second campaign.