Partner Perspectives  Connecting marketers to our tech communities.
09:00 AM
Sara Boddy
Sara Boddy
Partner Perspectives
Connect Directly

TrickBot Rapidly Expands its Targets in August

TrickBot shifted its focus to U.S banks and credit card companies, soaring past the 1,000 target URL mark in a single configuration.

Doron Voolf and Jesse Smith also contributed to this article.

Compared to the most recent version we examined in July (v24), TrickBot’s target URL list has grown significantly, surpassing the 1,000 mark for the first time with notable increases in US targets.

TrickBot authors also introduced a worm module in v29 that spreads locally through SMB, a port usage we questioned when it turned up on the command and control (C&C) list in v24. Starting with v29, we began analyzing the infection targets separately by static injection (sinj) targets, which are redirection attacks, and dynamic injection (dinj) targets, which are webinjects. Whereas there are more dinj targets in total, there has been a sharp rise in sinj targets in the latest analyzed configurations.

Figure 1: TrickBot target URL count by version
Figure 1: TrickBot target URL count by version

URL Target Analysis
US financial institutions were the most targeted starting in v28 (185 URLs), followed by Australia, Spain, and Canada, which stayed consistent through v29 and v30. Rounding out the top 5 country targets was the "unknown" group. The top five company targets are led by "unknown" with 46 URLs, and followed by Chase, PayPal, American Express, and Bank of America. Little change in the URL targets occurred in v29 with the introduction of the worm module, but v30 saw the addition of 40+ US targets and a handful of new Canadian targets, moving Citibank into the third most targeted position. We also saw Amazon begin to be targeted for the first time, with 10 URLs present in the dinj target list.

Version 31 featured more Australian, New Zealand, Singapore, UK, and "unknown" targets. No URLs at all were dropped from v30, and we saw 159 added, while the company target list remained the same from v30. Version 32 saw almost twice as many URL targets as v31, even though 119 targets from v31 were dropped. There is a large focus on the US and UK, and the Nordic banks (previously observed in v24) are back.

In many instances, it appears that the targets for v32 were simply a combination of targets from previous versions. Almost all of the countries with eight or less targets appearing in v32 did not appear in v31, but did appear in v24. The Nordic countries behaved similarly: they did not appear in v31, but 78% of their URLs did appear in v24. Most of the increase in targets in this version are attributable to recycling older targets from previous versions that had been discarded over time. Notably, Amazon was discarded as a target in v32.

"Unknown" URL Target Analysis
URLs in this group often resemble "*/business/login/Login.jsp*", about which it is impossible to make a target determination. Every "unknown" URL target is a dinj (webinject) target, which makes sense; static inject targets need to be sure of what page the user is attempting to access in order to serve up a convincing redirect, while webinject targets merely need to insert malicious code into legitimate pages.

These "unknown" URLs could be used to target groups of banks all relying on a single online platform with an identical subdomain architecture. For instance, Bank XQW could use "", while Bank QRS could use "". Both banks would be affected by the example "unknown" dinj target URL, allowing TrickBot to target multiple banks with a single URL. Certain URLs within the TrickBot target list strongly suggest this intent.

There was also a large number of URLs in the form of "*/snapshoot/#", "*/rcrd/#", and */getq/#" targets; a few were wildcarded versions of URLs from Dyre, but most differed in the specific number used at the end of the URL from those seen in Dyre target lists. In the original Dyre configuration, these URLs took the form of "", with a different 1, 2 or 3-digit number assigned to different companies. When they appeared on both the TrickBot and Dyre target lists, comparing these numerical identifiers allowed us to determine which company was being targeted. It is also possible that these URLs were not targeting a specific firm at all, and so we hesitate to offer definitive analysis on these URLs at this time, other than to note that they are unusual and worth our further attention.

C&C Locations and Owners
It’s well known that TrickBot hosts its C&C servers on compromised wireless routers. Prior to IoT devices being used as attacker infrastructure (hosting malware and growing thingbots), it was unusual to see the US have such a large portion of the pie because it’s typically not hard to get nefarious activity hosted in the US shut down quickly. JSC Mediasoft had the most used networks for hosting TrickBot C&C servers (10 of Russia’s 15), followed by OVH; the 9 US C&C servers are spread out among 8 separate networks.

Figure 2: TrickBot v24 through v32 C&C servers by country
Figure 2: TrickBot v24 through v32 C&C servers by country

The unusual targets that stood out in our analysis were the rise in US-based firms—especially credit card companies. In addition to credit card companies, we have seen some development of net new URLs. This indicates some level of effort being placed on refining the target set, but there is still an overwhelming reliance on the target set found in the Dyre malware, circa late 2015.

This partly explains how TrickBot is able to go through so many iterations so quickly. It’s time-consuming to research all the appropriate URLs for all the financial services providers in a specific country, but almost all of that work has been done before. TrickBot’s authors can simply swap in the set of URLs they want from Dyre, make some tweaks based on updates to banks’ login sequences, and spend the rest of their time focusing on making the code itself more effective. We anticipate that TrickBot will continue to focus on the same firms targeted by Dyre through 2015, and will continue to make small modifications to the URLs to improve the effectiveness of their targeting.

Get the latest application threat intelligence from F5 Labs.

Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
F5 makes apps go-faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit
Featured Writers
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-09-19
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations...
PUBLISHED: 2018-09-19
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...