After focusing on ransomware for the past year, TrickBot's operators have changed their trojan's code. TrickBot is now capable of stealing online banking credentials, which researchers believe could be a precursor to fraud attacks.
TrickBot is a modular threat that can steal credentials and launch a variety of ransomware payloads. But it started as a banking trojan that used to trick users into visiting fake websites.
Kryptos Logic Threat Intelligence explained how TrickBot's new webinject module performs a web injection against a targeted URL:
“The static inject type causes the victim to be redirected to an attacker-controlled replica of the intended destination site, where credentials can then be harvested,” they said, in a Thursday posting. “The dynamic inject type transparently forwards the server response to the TrickBot command-and-control server (C2), where the source is then modified to contain malicious components before being returned to the victim as though it came from the legitimate site.”
The latest version of the module adds support for "Zeus-style" webinject configuration, Kryptos Logic said. This feature allows hackers to inject arbitrary code into targeted banking websites.
The Zeus banking trojan was once the most notable banking malware. Its source code was leaked in 2011 and was copied extensively by other threat actors.
"Due to Zeus having been the gold standard for banking malware, Zeus-style webinjects are extremely popular," they said. "It is not uncommon for other malware families to support Zeus-style webinject syntax for cross-compatibility (Zloader, Citadel, to name a few)."
The Zeus injection works by proxying the victim's browser traffic through a SOCKS server. When the victim visits a target URL, the traffic is modified on the fly. Researchers explained that intercepting TLS traffic this way required creating a self-signed TLS certificate and adding it to the certificate store.
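As an added illustration, not code from the Kryptos Logic post or the article: a small Python parser for the Zeus-style webinject syntax mentioned above (a `set_url` mask followed by `data_before`, `data_inject` and `data_after` blocks, each closed by `data_end`), run over a constructed sample config so an analyst can list which URL patterns an extracted config targets and test whether a given page would match. The keywords are the Zeus syntax; the domain, markup and the G/P flag reading in the sample are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class WebInject:
    # One set_url block: URL mask, flags (by convention G = GET, P = POST) and the data_* text.
    url_mask: str
    flags: str
    data_before: str = ""
    data_inject: str = ""
    data_after: str = ""
    def matches(self, url: str) -> bool:
        # '*' in a Zeus-style mask is a wildcard; everything else must match literally.
        parts = [re.escape(p) for p in self.url_mask.split("*")]
        return re.fullmatch(".*".join(parts), url) is not None

def parse_webinjects(text: str) -> list[WebInject]:
    injects, current, section, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None and line != "data_end":   # body of a data_* block
            buf.append(raw)
        elif section is not None:                         # data_end closes the block
            setattr(current, section, "\n".join(buf))
            section, buf = None, []
        elif line.startswith("set_url "):                 # set_url <mask> [flags]
            parts = line.split(None, 2)
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section = line
    return injects

# Constructed sample config; the domain and markup are placeholders, not real targets.
SAMPLE_CONFIG = """\
set_url https://online.bank-example.test/login* GP
data_before
<form
data_end
data_inject
<!-- constructed placeholder for injected markup -->
data_end
data_after
</form>
data_end
set_url https://*.bank-example.test/accounts/* G
data_before
</body>
data_end
"""
```

To check whether a page of your own is targeted, filter `parse_webinjects(config)` with `matches(url)`; the masks that fire tell you which pages the config would alter.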
"The module contains a packed payload that is injected into the victim's browser, where it hooks socket APIs to redirect traffic to a locally listening SOCKS proxy; it also hooks 'CertVerifyCertificateChainPolicy' and 'CertGetCertificateChain' to ensure no certificate errors are shown to the victim," according to the posting.
The update is then pushed out to infected machines under the module name injectDll, replacing the old functionality.
The new version of the webinject module, which was released this week, shows that the operators of the TrickBot program are getting back into the banking fraud game, researchers concluded.