Public Service Announcement: The Trickbot Trojan Comes to the US

Jul. 21, 2017 | by BioCatch

As Dark Reading reported yesterday, the Trickbot Trojan that BioCatch has been following among its European clients since last year, has now hit the U.S. market. The Trickbot Trojan is spread by the Necurs botnet and was developed to hit 50 banks including 13 companies based in the US. (Necurs, one of the largest spamming botnets in the world, emerged in 2012 and has since become known for propagating spam campaigns and distributing malware.) This shows the continuous rise in the sophistication of fraudsters, and continued trends in fraud starting in other parts of the world, and tactics refined, before hitting the US market. Trickbot attacks allow fraudsters to takeover users accounts via remote access.

We originally published this post in December 2016, but are posting it again as a public service announcement. Here's what you need to know:

Trojan Targets, IBM.png
(TrickBot’s current bank targets, Source IBM)

  1. Trojans such as Trickbot combine RAT and redirection techniques to conduct sustained, multi-phased campaigns. The Trojan slowly manipulates victim accounts until ready to deploy a standard Remote Access protocol (VNC) completely invisible to device recognition and geo-location tools. After switching off all active components of the malware, they open a browser from within the genuine victim machine, log into online banking and proceed uninterrupted to empty the victim's account.
  2. The similarities between this new piece of malware and the Dyre banking Trojan have researchers wondering if there’s a connection. For instance, both used a similar loader.
  3. The Trickbot was written in C++, utilizes Microsoft CryptoAPI, and interfaces with Task Scheduler rather than running commands directly.
  4. Trickbot combines user redirection and RAT and has a powerful server-side MITB web injection mechanism that allows it to dynamically inject scripts into the user browser.
  5. Trickbot can be detected with behavioral biometrics. The user’s and the Trickbot’s operator mouse behavior can be differentiated. Perhaps due to the challenging hand-eye coordination of a remote access, the operator normally uses keys to select currencies and scroll up and down, preferring the keyboard to using the mouse.

Malware is constantly evolving as cybercriminals network with other botnet and malware distributors. Financial institutions need to always be learning to identify, detect and protect against these threats.

BioCatch’s unique approach to finding RATs monitors looks beyond the initial authentication and analyzes the way a user interacts with an application or device without interfering with the user experience. Tracking the user’s unique profile passively throughout the entire session, BioCatch can instantly detect and alert the bank when it spots abnormal user behavior consistent with RAT, even if the logon authentication credentials were valid.

For more information on the Trickbot Trojan and other related Remote Access Trojans, download our White Paper, Protect Online Banking from Remote Access Trojan (RAT) Attacks.

WP - RAT v2 Cover Image.png

Kessem, L. (2016, November 8). TrickBot Banking Trojan Could Be Dyre Rewrite.
Trickbot: We Missed You, Dyre. (2016, October 15).
Spring, T. (2016, November 8). TrickBot Banking Trojan Adds New Browser Manipulation Tools.

 Protect Online Banking from RAT-in-the-Browser (RitB) Attacks