Before switching to Trickbot, the Necurs botnet had been known primarily for distributing Locky and Jaff ransomware.

The Trickbot banking trojan has a couple of new tricks up its sleeve: leveraging the Necurs botnet to spread via spam emails, while expanding its webinject capabilities in order to victimize customers of U.S. banks, researchers from Flashpoint have reported.

In a blog post published last week, Flashpoint reported discovering this new version of Trickbot, which steals banking credentials via man-in-the-browser attacks, on July 17, 2017. The Necurs-fueled campaign, named "mac1," has so far struck in at least three separate waves of spam, targeting the U.S., UK, New Zealand, France, Australia, Norway, Sweden, Iceland, Finland, Canada, Italy, Spain, Switzerland, Luxembourg, Belgium, Singapore and Denmark, the post continues.

The first wave of spam delivered emails with zip-archived Windows Script File (WSF) attachments containing obfuscated JavaScript code. One email sample pretended to be a bill from an Australian telecom company, informing the recipient that his or her payment was overdue.

Later waves eschewed the WSF scripts in favor of documents containing malicious macros.

When a user opens these malicious attachments, Trickbot commences the infection process, downloading its main payload, copying itself for persistence and retrieving additional modules as needed. When that same user opens a browser to visit a banking site, the malware will then use its webinject capabilities to insert a fake login page where victims unknowingly feed their banking information to the cybercriminals running the campaign.

Before switching to Trickbot, the Necurs botnet, which operates as a crimeware-as-a-service offering, had been known primarily for distributing Locky and Jaff ransomware, Flashpoint noted. "As of now, it is not entirely clear why the Locky and Jaff ransomware stopped being distributed via the Necurs botnet; however, it is likely that the Trickbot spam proliferation might currently yield higher returns for the Necurs administrator than the other ones," said Vitali Kremez, Flashpoint research director and a co-author of the blog post, in an email interview with SC Media.

"Since the Trickbot banking Trojan's mac1 campaign remains fueled by the powerful Necurs botnet, it will likely continue to evolve and target customers of U.S. and international financial institutions," explains the blog post, which also co-written by Paul Burbage, senior analyst. "Anti-fraud programs are an important part of many [financial institutions'] programs to detect and counter this threat to their customer base. As threats posed by malware such as Trickbot continue to emerge and their targets expand, it is crucial for all organizations and its users to be extra vigilant in their security practices."

As has been reported previously, the Trickbot trojan bears many similarities to the defunct Dyre banking trojan, which disappeared following Russian law enforcement raids of the Dyre cybercrime group. Flashpoint speculates that Trickbot's author may have intimate knowledge of Dyre or is simply borrowing its old source code.

Although Flashpoint stated that this was the first Trickbot variant to incorporate U.S. banks into its webinject configurations, there have in recent months been other reports that referenced Trickbot attacks on U.S. financial institutions, including four investment banking firms in the U.S.