Security researchers have observed a new, Necurs-powered Trickbot spam campaign targeting international and US-based financial institutions. The notorious banking Trojan has been responsible for man-in-the-browser (MitB) attacks since 2016. Until now, however, the malware’s webinject configuration had only targeted organizations outside of the US. Researchers at Flashpoint discovered the new Trickbot spam campaign earlier this week; it was developed to hit 50 additional banks, including 13 US companies, reports Dark Reading. Dubbed “mac1,” the campaign has fueled at least three different spam waves, all of which have delivered the Trickbot loader as the final payload, the researchers said.
“The initial spam wave contained an HTML email masquerading as a bill from an Australian telecommunications company. These malicious emails contained a Zip-archived Windows Script File (WSF) attachment consisting of obfuscated JavaScript code. Upon being clicked, the files download and execute the Trickbot loader. Although this wave utilized malicious WSF scripts as the initial vector of infection, subsequent campaigns have evolved and appear to instead utilize malicious macro-laden documents as their attachments,” explained the researchers in a blog post.
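The infection chain the researchers describe relies on two attachment patterns: a Windows Script File inside a Zip archive, and, in later waves, macro-capable Office documents. The following is an added example (not Flashpoint's or Dark Reading's code) of the kind of attachment check a mail gateway or SOC triage script can apply to that chain. The extension lists, the `inspect_attachment` function and the constructed sample Zip are assumptions for illustration; the sample WSF member is an empty placeholder, not a real script.

```python
"""Added example: flag mail attachments matching the Trickbot mac1 delivery
patterns (script file in a Zip archive, or a macro-capable Office document).
Not code from the original article; all names below are assumptions."""
import io
import zipfile
from typing import List

# Extensions Windows Script Host or mshta run on double-click; the first
# spam wave used .wsf, the others are listed as a defensive generalization.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh", ".hta"}

# Office formats that can carry VBA macros. Assumption: legacy binary
# .doc/.xls are included because they can also embed macros.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".doc", ".xls"}


def _ext(name: str) -> str:
    """Return the final, lower-cased extension so 'bill.pdf.wsf' -> '.wsf'."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Return a list of findings for one attachment (empty list if clean).

    Zip archives are opened in memory and each member is checked, so a
    script hidden behind a double extension inside the archive is caught.
    """
    findings: List[str] = []
    ext = _ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"script attachment: {filename}")
    elif ext in MACRO_EXTENSIONS:
        findings.append(f"macro-capable document: {filename}")
    elif ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member_ext = _ext(info.filename)
                    if member_ext in SCRIPT_EXTENSIONS:
                        findings.append(
                            f"script inside archive: {filename}!{info.filename}")
                    elif member_ext in MACRO_EXTENSIONS:
                        findings.append(
                            f"macro-capable document inside archive: "
                            f"{filename}!{info.filename}")
                    elif member_ext == ".zip":
                        # Nested archives are a common evasion; flag rather than recurse.
                        findings.append(f"nested archive: {filename}!{info.filename}")
        except zipfile.BadZipFile:
            # A corrupt or non-Zip payload with a .zip name is itself suspicious.
            findings.append(f"unreadable zip: {filename}")
    return findings


def build_sample_zip(member_name: str, content: str) -> bytes:
    """Constructed test input: an in-memory Zip with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a "bill" archive carrying a double-extension WSF member.
    sample = build_sample_zip("Phone_Bill_12345.pdf.wsf", "<job></job>")
    for finding in inspect_attachment("Bill_12345.zip", sample):
        print(finding)
```

The check deliberately keys on what the attachment can execute rather than on its displayed name, which is why the archive is opened and the member's last extension is used; a `.pdf.wsf` member still resolves to `.wsf`.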
Source: Flashpoint

Other targets include financial organizations located in the UK, New Zealand, France, Australia, Norway, Sweden, Iceland, Canada, Finland, Spain, Italy, Luxembourg, Switzerland, Singapore, Belgium and Denmark. With the powerful Necurs botnet fueling the Trickbot Trojan’s mac1 campaign, experts believe it’s likely the malware will only continue to evolve and expand to other targets. “We think it’s capable of developing new features in the future. For now, it’s a banking Trojan with potential to move beyond that,” warned Vitali Kremez, director of research at Flashpoint. Based on their malware analysis, researchers also found significant similarities between Trickbot and the Dyre banking Trojan. “… it’s possible that Trickbot’s author may have either had deep knowledge of Dyre or simply re-used old source code,” researchers said.