Credential-Stealing Financial Trojan Targets Banks

Credential-Stealing Financial Trojan Targets Banks

Financial institutions have long been the target of cyberattack, and today researchers at Cyberbit announced they have discovered a new variant of Trickbot, a modular malware and well-known financial Trojan that targets customers of large banks and steals their credentials.

Since first discovered in 2016, new variants have emerged, updated with new tricks and modules. Researchers analyzed Trickbot’s most recent infection vector – a malicious Word document – that only executes its macro after a user has both clicked “enable content” and resized the window by zooming in and out of the document.

Upon a user performing both of these functions, the macros execute a PowerShell that downloads and executes the Trickbot. Researchers noted that the variant leverages a variety of new evasion techniques, including a stealthy code-injection technique that performs process hollowing used for unpacking – as was seen in older samples of the Trickbot. With this variant, the process hollowing is done using direct system calls. In addition, by calling long/short sleeps, the malware sleeps for anywhere from 11 to 30 second and avoids sandboxes.

Trickbot also leverages anti-research/analysis using encryptions and useless function calls and avoids detection by disabling and deleting the Windows defender service. Attackers can leverage these techniques to steal users’ credentials and access their bank accounts.  

“Organizations should be aware of this new trend to directly call functions via system calls. This technique bypasses security tool hooks and therefore most security products will not detect this threat,” wrote Hod Gavriel in today’s blog post.

This latest discovery is one of a few emerging threats that banks and their customers are facing. Recent research published by ESET and CERT.PL noted a technique used with the BackSwap banker malware whereby it hooks the Windows message loop events to look for banking activity. According to a 6 August post from Cyberbit, BackSwap also was able to hide its code in fraudulent copies of legitimate computer programs.

Source: Information Security Magazine