Alongside delivering ransomware, TrickBot reignites the bank fraud game. Usually, TrickBot alludes to a botnet and banking trojan to steal monetary subtleties, account accreditations, and personally recognizable information. Researchers claim that the TrickBot Trojan now incorporates MitB (man-in-the-browser) capabilities to withdraw or steal online banking credentials. The modus operandi seems like the early banking trojan called Zeus.
Without a doubt, this sends red flags of an upcoming wave of fraud attacks. In May 2021, TrickBot remained one of the most mainstream malwares, with a global impact of 8% of organizations. XMRig and Formbook trail it; each of both affects 3% of worldwide organizations.
The Notoriety of TrickBot
TrickBot is a famous and sophisticated modular threat. It attracted notoriety for viciously withdrawing credentials and effectively delivering several follow-on ransomwares and other malware. It began to work exclusively as a banking trojan. It intended to redirect unsuspecting users to mischievous copycat websites to steal online banking credentials.
As indicated by Kryptos Logic, TrickBot has now incorporated support for web-inject configs like Zeus in an updated version of the module. It paves the way to insert malicious code dynamically to target banking-site destinations. By the way, Zeus was the dominant banking trojan on the crimeware scene until 2011, while its source code got disclosed. A range of malware has since begun to pick different parts of its functionalities to add to their code.
The injection is carried out by proxying traffic utilizing a local SOCKS server. It refers to a trick, also discovered in IcedID’s MitB web-inject module. When a sufferer visits an affected URL, the traffic moving through the listening proxy gets dynamically changed in like manner.
Reports Of a New Ransomware Strain Called Diavol
While TrickBot has restarted its bank fraud game, there are also reports of a new ransomware strain in parallel. Essentially, the latest research claims that the threat actors behind the notorious TrickBot malware released the new ransomware called Diavol.
By all accounts, cybercriminals have deployed Diavol only once to date. The source code of the payload shares a resemblance with that of Conti ransomware. Another thing to bring to your attention is that the ransom note appears to rephrase some language from ransomware called Egregor. Until now, it is still unclear what was the source of the intrusion.
The encryption procedure of Diavol ransomware leverages user-mode Asynchronous Procedure Calls with an asymmetric encryption algorithm. It sets it to stand out from other ransomware families. It is because they often bring to use symmetric algorithms, helping them boost up the encryption process. Moreover, Diavol does not exploit anti-disassembly trice, so it lacks any obfuscation. But it turns analysis difficult by storing its primary routines within bitmap images.
In the sphere of cybersecurity, the occurrence of development is noteworthy. It embarked on its journey, given that TrickBot has moved forward from its banking trojan days. Subsequently, TrickBot began to concentrate solely on first-stage and multipurpose malware. Often than not, it is the precursor to a ransomware infection. It also conducts lateral propagation through a network environment before deploying a closing payload, which is usually ransomware.
In conclusion, TrickBot is looking forward to reviving its bank fraud game, given that it resumed the development of the web-inject module. It is a sudden action from the actors behind the TrickBot malware, who were dormant for over a year. Along these lines, you can contact LIFARS 24/7 in case of any cybersecurity need.