A Bank of America customer uses an ATM at a branch office on July 14, 2021, in San Francisco. (Photo by Justin Sullivan/Getty Images)

The TrickBot malware has reemerged in recent weeks, hitting customers of at least 60 major U.S. financial firms, including Bank of America and Wells Fargo & Co., with phishing attacks through web injections. 

While this banking trojan once mounted a relatively simple assault, it has evolved into more modular malware that can adapt to a “wide range of attacks,” according to Check Point Research.

“TrickBot has been evolving steadily since 2016. It started off as the incumbent to the Dyre trojan and botnet. TrickBot’s initial focus was on finance and online banking fraud, and it seems that they circled back around to their roots,” said Chuck Everette, director of cybersecurity advocacy for Deep Instinct. “As many of the larger ransomware gangs have disappeared over the past six months, TrickBot has stayed active and elusive.”

According to Everette, TrickBot’s elusiveness comes from its modular build-out: it uses template-based metaprogramming, its modular design can adapt, and it even includes automated, layered defense protection.

“This layered defense is making it very troublesome to the finance sector due to its ability to prevent researchers from digging into its inner workings and its ability to assist in invading cybersecurity solutions and controls. The TrickBot cybergang is like any other criminal organization — they follow the money. Currently the money is in cryptocurrency, and they are targeting it very heavily.”

Kevin Gonzalez, director of security for Anvilogic, said TrickBot is predominantly delivered through phishing emails, so organizations should have phishing awareness training for employees to identify fraudulent emails.

“Threat behaviors attributed to TrickBot can also be monitored, as following the execution of the initial phishing payload, JavaScript is often used to download the TrickBot payload,” Gonzalez said, adding that the attacks and the problems they cause could still be ongoing.
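The behavior Gonzalez describes, a script host running an emailed JavaScript file that then reaches out to fetch a second stage, is exactly the kind of sequence an endpoint log can surface. The following detector is an added example written for this article; it is not code from Anvilogic, Check Point or any other party quoted here. The key=value log format, the field names (`event`, `pid`, `image`, `parent_image`, `cmdline`, `dest`), the lists of script hosts and mail-client parents, and the sample log lines are all assumptions constructed for the example.

```python
"""
Added example: flag Windows script-host processes (wscript.exe / cscript.exe)
that were launched from a mail client or from a user drop directory and then
made an outbound network connection, the pattern of a JavaScript downloader
fetching a second-stage payload.

Everything below (log format, field names, process lists, sample lines) is
constructed for illustration and is not taken from the article or any vendor.
"""
import re

# Assumption: these interpreters run .js attachments on a Windows host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: a script host whose parent is one of these was most likely
# launched by a user opening an emailed attachment or an archive from it.
PHISHING_PARENTS = {"outlook.exe", "thunderbird.exe", "7zfm.exe", "winrar.exe"}
# Assumption: script files executed out of these directories are user-dropped.
USER_DROP_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")

# Matches key=value pairs; values may be double-quoted and contain spaces.
PAIR_RE = re.compile(r'(?P<key>\w+)=(?P<value>"[^"]*"|\S+)')


def parse_event(line):
    """Parse one constructed key=value log line into a dict of strings."""
    return {m.group("key"): m.group("value").strip('"') for m in PAIR_RE.finditer(line)}


def _basename(path):
    """Lower-cased file name from a Windows path ('C:\\x\\WSCRIPT.EXE' -> 'wscript.exe')."""
    return path.lower().rsplit("\\", 1)[-1]


def find_js_downloaders(lines):
    """Return one alert per network connection made by a suspicious script host.

    A script host is suspicious when its parent is a mail/archive client OR the
    script it runs lives in a user drop directory. Process-create events are
    indexed by pid so a later network_connect event can be tied back to them.
    """
    by_pid = {}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("event")
        if kind == "process_create":
            by_pid[ev["pid"]] = {
                "image": _basename(ev.get("image", "")),
                "parent": _basename(ev.get("parent_image", "")),
                "cmdline": ev.get("cmdline", ""),
            }
        elif kind == "network_connect":
            proc = by_pid.get(ev.get("pid"))
            if not proc or proc["image"] not in SCRIPT_HOSTS:
                continue
            reasons = []
            if proc["parent"] in PHISHING_PARENTS:
                reasons.append("parent:" + proc["parent"])
            if any(d in proc["cmdline"].lower() for d in USER_DROP_DIRS):
                reasons.append("script-in-user-drop-dir")
            if reasons:
                alerts.append({
                    "pid": ev["pid"],
                    "image": proc["image"],
                    "parent": proc["parent"],
                    "cmdline": proc["cmdline"],
                    "dest": ev.get("dest"),
                    "reasons": reasons,
                })
    return alerts


# Constructed sample log: one phishing-style chain (Outlook -> wscript.exe on a
# .js in Temp -> outbound HTTPS) and one benign admin script run from cmd.exe.
# 198.51.100.0/24 is a documentation range, not a real indicator.
SAMPLE_LOG = [
    r'event=process_create pid=4120 image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" parent_image="C:\Windows\explorer.exe" cmdline="OUTLOOK.EXE"',
    r'event=process_create pid=5532 image="C:\Windows\System32\wscript.exe" parent_image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" cmdline="wscript.exe C:\Users\alice\AppData\Local\Temp\invoice_4471.js"',
    r'event=network_connect pid=5532 dest="198.51.100.23:443"',
    r'event=process_create pid=6010 image="C:\Windows\System32\cscript.exe" parent_image="C:\Windows\System32\cmd.exe" cmdline="cscript.exe C:\scripts\inventory.vbs"',
    r'event=network_connect pid=6010 dest="10.0.0.5:445"',
]

if __name__ == "__main__":
    for alert in find_js_downloaders(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, only the wscript.exe chain from Outlook is reported; the cscript.exe inventory script launched from cmd.exe makes a network connection too but matches neither condition, which is the distinction a rule like this has to draw to stay usable in a finance environment full of legitimate scripts. In production the same logic would be fed by Sysmon event IDs 1 and 3 or an EDR's equivalent process and network telemetry rather than the ad hoc line format used here.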

Padraic O'Reilly, co-founder of CyberSaint, said that financial institutions already practice relatively robust cyber risk management.

“But most are trying to get more aggressive and do it in real time so that they can make better resourcing decisions on the fly,” O’Reilly said.

“They will need governance working closely with cyber risk teams to adequately address threats like TrickBot,” said O’Reilly. “Integrated risk management software, a nimbler version of GRC software, can make risk management more accurate and proactive.”