A new Trickbot Trojan variant is targeting Verizon Wireless, T-Mobile, and Sprint users, confirming the evolution of the threat.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors has continuously upgraded it by implementing new features. For example, in February Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing.

Initially, TrickBot only included banking Trojan capabilities, over the years the authors implemented new features such as the ability data-stealing functionalities and the capability to drop other payloads.

Now researchers at Secureworks Counter Threat Unit (CTU) discovered a new TrickBot version that includes new dynamic webinjects in attacks aimed at U.S. mobile users.

The researchers observed that the authors, tracked as GOLD BLACKBURN, added new modules to steal information of US mobile users, in particular, experts observed that a module to target Verizon Wireless users was included on August 5, one for T-Mobile customers on August 12, and another to target Sprint users on August 19.

“When a victim navigates to the website of one of these organizations, the legitimate server response is intercepted by TrickBot and proxied through a command and control (C2) server.” reads the analysis published by SecureWorks. “This C2 server injects additional HTML and JavaScript into the page, which is then rendered in the victim’s web browser. For all three carriers, injected code causes an additional form field that requests the user’s PIN code,”

When the users of the US mobile carriers visit the websites of the companies, TrickBot intercepts the server response and proxies through a C2 server that injects the code to the page that requests additional user’s data, such as the PIN code.

The inclusion of code for stealing mobile PIN codes and other personal users suggests that GOLD BLACKBURN, or affiliated threat actors, are interested in carrying out port-out or SIM swap fraud.

“This fraud allows an attacker to assume control of a victim’s telephone number, including all inbound and outbound text and voice communications. The interception of short message service (SMS)-based authentication tokens or password resets is frequently used during account takeover (ATO) fraud.” continues the report.

Researchers suggest organizations and users to adopt time-based one-time password (TOTP) MFA rather than SMS-based multi-factor authentication (MFA).

“Similarly, telephone numbers should not be used as password reset options on important accounts. Enabling a PIN on mobile accounts remains a prudent anti-fraud measure that requires an attacker to possess an additional piece of information about their intended victim.” continues the report.

SecureWorks report also includes Indicators of compromise (IOCs) for this TrickBot variant.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini