F5 reported that, apart from hitting banks and financial institutions, the TrickBot banking trojan has already started targeting payment processors and Customer Relationship Management (CRM) providers.
TrickBot was first noticed last summer and first analyzed in October. By November 2016, the trojan was being used in multiple spam campaigns in Australia and the United Kingdom, and the following month it showed up in Asia. It was only this year that TrickBot started targeting the private banking sector.
The TrickBot Banking Trojan includes 26 configurations that were spotted last month, targeting banks in the UK, Ireland, France, Germany, Australia, US, Canada, New Zealand, Switzerland, the Netherlands, Bulgaria, India, Hong Kong, and Singapore.
F5 reported that the command and control (C&C) servers used in these campaigns communicated with infected computers over port 443. The list of TrickBot's targets now includes two CRM SaaS providers and two payment processing providers.
The security experts at F5 recorded two TrickBot campaigns that were active in May of this year, one with a configuration packing 210 URL targets and the other including 257 URLs. Both campaigns targeted the same US payment processor (PayPal), although the CRM targets appeared only in the second campaign.
According to F5, the first campaign focused mainly on banks (83% of URL targets) and on PayPal (a payment processor attributed to the US), though no US banks were targeted. In total, 35 unique PayPal URLs were found in the configuration used in that campaign; the same URLs were also targeted in the second campaign, although that one focused mainly on UK banks.
The second campaign nevertheless expanded the list of targeted banking URLs and payment processors with the addition of a new payment processor URL in the UK. CRMs were also added to the list, such as Salesforce.com and an auto sales CRM developed by Reynolds & Reynolds in the US.
The F5 researchers identified six C&C IP addresses, all within European web hosting provider networks, three of which are operated by hosting firms in Asia. All of them use 443/HTTPS to communicate with infected hosts, which lets them hide the malicious traffic and escape detection, because many anti-virus solutions do not inspect encrypted traffic.
“It seems the success of TrickBot thus far has influenced the authors to not only repeat their previous target list of banks from previous campaigns but to expand those targets to include new banks globally as well as CRM providers. The fact that C&C servers in these two most recent campaigns reside within web hosting companies is also significant, along with the fact that the C&C servers were different from those used in previous campaigns,” the F5 team states.