A new variant of Trickbot banking Trojan targets Verizon, T-Mobile, and Sprint users

A new Trickbot Trojan variant is targeting Verizon Wireless, T-Mobile, and Sprint users, confirming the evolution of the threat.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors has continuously upgraded it by implementing new features. For example, in February Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing.

Initially, TrickBot only included banking Trojan capabilities, over the years the authors implemented new features such as the ability data-stealing functionalities and the capability to drop other payloads.

Now researchers at Secureworks Counter Threat Unit (CTU) discovered a new TrickBot version that includes new dynamic webinjects in attacks aimed at U.S. mobile users.

The researchers observed that the authors, tracked as GOLD BLACKBURN, added new modules to steal information of US mobile users, in particular, experts observed that a module to target Verizon Wireless users was included on August 5, one for T-Mobile customers on August 12, and another to target Sprint users on August 19.

“When a victim navigates to the website of one of these organizations, the legitimate server response is intercepted by TrickBot and proxied through a command and control (C2) server.” reads the analysis published by SecureWorks. “This C2 server injects additional HTML and JavaScript into the page, which is then rendered in the victim’s web browser. For all three carriers, injected code causes an additional form field that requests the user’s PIN code,”

When the users of the US mobile carriers visit the websites of the companies, TrickBot intercepts the server response and proxies through a C2 server that injects the code to the page that requests additional user’s data, such as the PIN code.

The inclusion of code for stealing mobile PIN codes and other personal users suggests that GOLD BLACKBURN, or affiliated threat actors, are interested in carrying out port-out or SIM swap fraud.

“This fraud allows an attacker to assume control of a victim’s telephone number, including all inbound and outbound text and voice communications. The interception of short message service (SMS)-based authentication tokens or password resets is frequently used during account takeover (ATO) fraud.” continues the report.

Researchers suggest organizations and users to adopt time-based one-time password (TOTP) MFA rather than SMS-based multi-factor authentication (MFA).

“Similarly, telephone numbers should not be used as password reset options on important accounts. Enabling a PIN on mobile accounts remains a prudent anti-fraud measure that requires an attacker to possess an additional piece of information about their intended victim.” continues the report.

SecureWorks report also includes Indicators of compromise (IOCs) for this TrickBot variant.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini



FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase