IBM Researchers Describe How ‘TrickMo,’ a TrickBot Variant, Works
A variant of the TrickBot Trojan bypasses two-factor authentication for mobile banking, for instance by intercepting one-time codes sent over SMS, according to IBM X-Force.
So far, the malware has targeted banking customers in Germany, but the researchers say it’s likely to spread elsewhere and remains in active development.
The malware, which IBM X-Force researchers have dubbed “TrickMo,” is disguised as a security app from the victim's bank and runs only on Android devices. Once the fake app is installed, it infects the device and gives the attacker control over it.
Back to Bank Fraud
While TrickBot began life as a banking Trojan in 2016, the malware has evolved into a cybercrime-as-a-service model that can be used for a variety of purposes, including delivering secondary payloads such as ransomware. The IBM report, however, suggests that cybercriminals remain interested in using it for bank fraud.
“Germany is one of the first attack turfs TrickBot spread to when it first emerged in 2016,” according to the IBM X-Force report. “In 2020, it appears that TrickBot’s vast bank fraud is an ongoing project that helps the gang monetize compromised accounts.”
How TrickMo Works
TrickMo was first spotted by the federal computer emergency response team of Germany, or CERT-Bund, in September 2019, the IBM X-Force report notes.
Watch out when #Online #Banking: #Emotet downloads #Trickbot as a follow-on payload. On infected PCs, Trickbot displays a prompt during online banking asking for the mobile phone number and device type, and then asks users to install a supposed security app. pic.twitter.com/QHfmYojZxK
— CERT-Bund (@certbund) September 20, 2019
TrickMo targets victims whose Windows PCs have already been infected by TrickBot, which harvests data from the web browser, according to the report. This lets attackers use TrickBot's web-injection feature to place fake messages, spoofing the bank, into the victim's online-banking session. The messages ask for the victim's phone number and the type of mobile device they use, then urge them to download a “security app” from the bank to that device to protect their accounts, the IBM report notes.
Once the fake app is installed on an Android device, TrickMo is active, according to the report. It can then steal personal device information, intercept SMS messages, record targeted applications for one-time passwords, lock the phone, steal pictures and then self-destruct, IBM researchers explain.
The malware also attempts to gain access to Android's accessibility services, which are designed to assist users with disabilities. An app with accessibility rights can read what is on screen and act on the user's behalf, so this gives TrickMo near-total control of the infected device; it also makes itself the default SMS app, which routes every incoming text message through the malware.
In addition to capturing one-time passwords sent over SMS, TrickMo can intercept newer authentication methods, such as transaction authentication numbers (TANs), which some German banks use as an additional layer of security beyond one-time passwords. Because these codes are displayed on the phone rather than delivered by SMS, the malware captures them by taking a screenshot of the number and sending it back to the attackers via a command-and-control server, according to the report.
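The capabilities described above (reading SMS, becoming the default SMS app, binding an accessibility service, locking the phone) all have to be declared in an Android app's manifest before the system will grant them, so a manifest is the cheapest place to triage a suspicious "bank security app". The script below is an added example written for this article, not code from IBM X-Force or from the TrickMo sample; the sample manifests and their package names are constructed, the four default-SMS-app requirements are Android's documented ones (Android 4.4 and later), and the assumption that phone locking goes through a device-admin receiver, together with the scoring weights, is this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for android: attributes

SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS",
                   "android.permission.READ_SMS",
                   "android.permission.SEND_SMS"}

def _name(el):
    return el.get(A + "name", "")

def _guard(el):
    """The android:permission a component is protected by ('' if none)."""
    return el.get(A + "permission", "")

def _actions(component):
    """All intent-filter actions declared on one component."""
    return {_name(a) for f in component.findall("intent-filter")
            for a in f.findall("action")}

def triage_manifest(xml_text):
    """Return the capability flags that matter for a TrickMo-style banker."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    services = app.findall("service") if app is not None else []
    receivers = app.findall("receiver") if app is not None else []
    activities = app.findall("activity") if app is not None else []
    perms = {_name(p) for p in root.findall("uses-permission")}
    f = {}
    # Accessibility service: a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # filtering the AccessibilityService action. Once the user enables it the
    # app can read screen content and perform taps on the user's behalf.
    f["accessibility_service"] = any(
        _guard(s) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        and "android.accessibilityservice.AccessibilityService" in _actions(s)
        for s in services)
    # Default-SMS-app eligibility: Android only offers the role to apps that
    # declare all four of these. Holding it delivers every incoming SMS
    # (SMS_DELIVER) to this app alone, which is how SMS OTPs get read.
    sms_deliver = any(_guard(r) == "android.permission.BROADCAST_SMS"
                      and "android.provider.Telephony.SMS_DELIVER" in _actions(r)
                      for r in receivers)
    wap_deliver = any(_guard(r) == "android.permission.BROADCAST_WAP_PUSH"
                      and "android.provider.Telephony.WAP_PUSH_DELIVER" in _actions(r)
                      for r in receivers)
    respond = any(_guard(s) == "android.permission.SEND_RESPOND_VIA_MESSAGE"
                  and "android.intent.action.RESPOND_VIA_MESSAGE" in _actions(s)
                  for s in services)
    sendto = any("android.intent.action.SENDTO" in _actions(a) for a in activities)
    f["default_sms_candidate"] = sms_deliver and wap_deliver and respond and sendto
    f["sms_permissions"] = sorted(perms & SMS_PERMISSIONS)
    # Device-admin receiver: assumed here as the usual route to locking the
    # screen (the report says TrickMo locks the phone, not how it does so).
    f["device_admin"] = any(
        _guard(r) == "android.permission.BIND_DEVICE_ADMIN" for r in receivers)
    return f

def risk_level(f):
    """Weights are this example's own heuristic, not a published scoring."""
    score = (3 * f["accessibility_service"] + 3 * f["default_sms_candidate"]
             + 2 * f["device_admin"] + (1 if f["sms_permissions"] else 0))
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

# Constructed manifest of the kind a fake "bank security app" with the
# capabilities described above would ship (package name is made up).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank.security">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Bank Security">
    <service android:name=".Acc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsRx" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".Reply" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
    <activity android:name=".Compose">
      <intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="sms"/></intent-filter>
    </activity>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# A plain app that only needs the network, for contrast (also constructed).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        flags = triage_manifest(m)
        print(label, risk_level(flags), flags)
```

The check is deliberately about declared capability rather than behaviour: a legitimate messaging app will also score as a default-SMS candidate, and a screen reader will bind an accessibility service, so the signal is the combination appearing in an app that claims to be a bank's security tool. On a compiled APK the manifest is binary XML and has to be decoded first (for example with apktool or aapt2) before being fed to `triage_manifest`.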
The IBM researchers note that TrickMo can collect enough data about an infected Android phone to reproduce its digital “fingerprint.”
This information can be sold on the dark web or used by fraudsters trying to mimic legitimate transactions from a smartphone that the bank has already authenticated, according to the researchers.
“For example, since some banks use anti-fraud features that only check device fingerprinting, fraudsters can use the collected information to perform fraudulent transactions from a device that mimics that same fingerprint,” the IBM report notes.
Because of TrickBot's modular nature, its operators, and those who rent it as a service, are able to adapt the Trojan to their needs.
Earlier this month, the security firm Bitdefender discovered a new variant of TrickBot that uses remote desktop protocol brute-force techniques to target potential victims and bypass security controls (see: New TrickBot Variant Targets Telecoms in US, Asia: Report).