Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
09:00 AM
Sara Boddy
Sara Boddy
Partner Perspectives
Connect Directly

TrickBot Rapidly Expands its Targets in August

TrickBot shifted its focus to U.S banks and credit card companies, soaring past the 1,000 target URL mark in a single configuration.

Doron Voolf and Jesse Smith also contributed to this article.

Compared to the most recent version we examined in July (v24), TrickBot’s target URL list has grown significantly, surpassing the 1,000 mark for the first time with notable increases in US targets.

TrickBot authors also introduced a worm module in v29 that spreads locally through SMB, a port usage we questioned when it turned up on the command and control (C&C) list in v24. Starting with v29, we began analyzing the infection targets separately by static injection (sinj) targets, which are redirection attacks, and dynamic injection (dinj) targets, which are webinjects. Whereas there are more dinj targets in total, there has been a sharp rise in sinj targets in the latest analyzed configurations.

URL Target Analysis
US financial institutions were the most targeted starting in v28 (185 URLs), followed by Australia, Spain, and Canada, which stayed consistent through v29 and v30. Rounding out the top 5 country targets was the "unknown" group. The top five company targets are led by "unknown" with 46 URLs, and followed by Chase, PayPal, American Express, and Bank of America. Little change in the URL targets occurred in v29 with the introduction of the worm module, but v30 saw the addition of 40+ US targets and a handful of new Canadian targets, moving Citibank into the third most targeted position. We also saw Amazon begin to be targeted for the first time, with 10 URLs present in the dinj target list.

Version 31 featured more Australian, New Zealand, Singapore, UK, and "unknown" targets. No URLs at all were dropped from v30, and we saw 159 added, while the company target list remained the same from v30. Version 32 saw almost twice as many URL targets as v31, even though 119 targets from v31 were dropped. There is a large focus on the US and UK, and the Nordic banks (previously observed in v24) are back.

In many instances, it appears that the targets for v32 were simply a combination of targets from previous versions. Almost all of the countries with eight or less targets appearing in v32 did not appear in v31, but did appear in v24. The Nordic countries behaved similarly: they did not appear in v31, but 78% of their URLs did appear in v24. Most of the increase in targets in this version are attributable to recycling older targets from previous versions that had been discarded over time. Notably, Amazon was discarded as a target in v32.

"Unknown" URL Target Analysis
URLs in this group often resemble "*/business/login/Login.jsp*", about which it is impossible to make a target determination. Every "unknown" URL target is a dinj (webinject) target, which makes sense; static inject targets need to be sure of what page the user is attempting to access in order to serve up a convincing redirect, while webinject targets merely need to insert malicious code into legitimate pages.

These "unknown" URLs could be used to target groups of banks all relying on a single online platform with an identical subdomain architecture. For instance, Bank XQW could use "www.bankxqw.com/business/login/Login.jsp", while Bank QRS could use "www.bankqrs.co.uk/business/login/Login.jsp". Both banks would be affected by the example "unknown" dinj target URL, allowing TrickBot to target multiple banks with a single URL. Certain URLs within the TrickBot target list strongly suggest this intent.

There was also a large number of URLs in the form of "*/snapshoot/#", "*/rcrd/#", and */getq/#" targets; a few were wildcarded versions of URLs from Dyre, but most differed in the specific number used at the end of the URL from those seen in Dyre target lists. In the original Dyre configuration, these URLs took the form of "bankqrs.com/snapshoot/###", with a different 1, 2 or 3-digit number assigned to different companies. When they appeared on both the TrickBot and Dyre target lists, comparing these numerical identifiers allowed us to determine which company was being targeted. It is also possible that these URLs were not targeting a specific firm at all, and so we hesitate to offer definitive analysis on these URLs at this time, other than to note that they are unusual and worth our further attention.

C&C Locations and Owners
It’s well known that TrickBot hosts its C&C servers on compromised wireless routers. Prior to IoT devices being used as attacker infrastructure (hosting malware and growing thingbots), it was unusual to see the US have such a large portion of the pie because it’s typically not hard to get nefarious activity hosted in the US shut down quickly. JSC Mediasoft had the most used networks for hosting TrickBot C&C servers (10 of Russia’s 15), followed by OVH; the 9 US C&C servers are spread out among 8 separate networks.

The unusual targets that stood out in our analysis were the rise in US-based firms—especially credit card companies. In addition to credit card companies, we have seen some development of net new URLs. This indicates some level of effort being placed on refining the target set, but there is still an overwhelming reliance on the target set found in the Dyre malware, circa late 2015.

This partly explains how TrickBot is able to go through so many iterations so quickly. It’s time-consuming to research all the appropriate URLs for all the financial services providers in a specific country, but almost all of that work has been done before. TrickBot’s authors can simply swap in the set of URLs they want from Dyre, make some tweaks based on updates to banks’ login sequences, and spend the rest of their time focusing on making the code itself more effective. We anticipate that TrickBot will continue to focus on the same firms targeted by Dyre through 2015, and will continue to make small modifications to the URLs to improve the effectiveness of their targeting.

Get the latest application threat intelligence from F5 Labs.

Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...