The TrickBot trojan was released in September 2016. It was discovered by researchers at Fidelis Cybersecurity and is generally regarded as the new version of Dyre, also known as Dyreza, the Russian banking trojan that had been active since 2014. That malware, or rather the hackers behind Dyre, were defeated in November 2015. By then, however, 10 million dollars had been stolen from customers of more than a thousand financial institutions and other organizations (e.g. Ryanair). Now we can observe its comeback in the form of the new TrickBot malware. TrickLoader, the first component of the TrickBot trojan, shows that it is a successor of Dyre. The two banking trojans have both similarities and differences.
The Analysis of TrickBot Trojan in Comparison with Dyre
The major differences between the TrickBot and Dyre trojans are the following. TrickBot is written in C++, while Dyre was for the most part coded in C. TrickBot uses MS-CAPI (the Microsoft Cryptographic Application Programming Interface) and COM (Component Object Model), while Dyre used its own built-in SHA-256 or AES routines. TrickBot registers itself as a task in the Windows Task Scheduler so that it is run automatically, whereas Dyre executed its commands by itself.
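One way a defender can check for the persistence mechanism described above, as an added example that is not part of the original article: the PowerShell script below lists scheduled tasks whose action launches an executable from a user-writable directory, which is where a trojan delivered by e-mail attachment typically ends up. It assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 and later); the directory list and the output fields are my own choices, and the script only reports candidates for review, it does not remove anything.

```powershell
# Added example (not from the original article): triage scheduled tasks whose
# action runs an executable from a user-writable location. Assumes the
# ScheduledTasks module (Get-ScheduledTask / Get-ScheduledTaskInfo).

# Directories an ordinary user can write to; a legitimate service is rarely
# scheduled from here, so anything found is worth a manual look.
$suspiciousRoots = @(
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:TEMP,
    $env:PUBLIC,
    $env:ProgramData
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Expand-TaskPath {
    param([string]$Path)
    # Task actions often contain %VARIABLE% references and surrounding quotes;
    # normalise them so the prefix comparison below works on a real path.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    return $expanded.Trim('"')
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "Exec" actions carry an Execute property; COM handler actions do not.
        if (-not $action.Execute) { continue }
        $exe = Expand-TaskPath $action.Execute
        foreach ($root in $suspiciousRoots) {
            if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $info = $task | Get-ScheduledTaskInfo
                [PSCustomObject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Author    = $task.Author
                    LastRun   = $info.LastRunTime
                    NextRun   = $info.NextRunTime
                }
                break
            }
        }
    }
}

# Print the candidates; an empty table means no task runs from these directories.
$findings | Sort-Object TaskPath, TaskName | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that tasks registered by other users and by SYSTEM are included. Some legitimate updaters do schedule themselves from ProgramData, so treat the output as a review list rather than a verdict, and compare the Execute path and Author against what you expect on that machine.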
The similarities between the two kindred malware families are the following. TrickBot’s code appears to be a rewritten version of Dyre’s. The malware loader TrickLoader is used by both trojans. The Cutwail spambot is also shared by the two. TrickBot uses a slightly altered version of the C2 decryption routine used by Dyre. As explained in more detail in one of the sections below, TrickBot is also spread in a way similar to how Dyre was distributed.
How are the Attacks by TrickBot Trojan Carried out?
The first variant of TrickBot was designed to gather system information and targeted certain Australian banks’ websites (listed below). Starting from 13 October 2016, the improved version uses web injections to attack bank account holders. The malicious code is injected into the banking websites and runs locally in the web browser on the compromised computer. It uses a custom crypto algorithm to encrypt the data and hijacks transactions in the background.
How is TrickBot Trojan Spread?
TrickBot is spread in the manner commonly shared by trojans, including ransomware. The hackers launch a spam campaign: e-mails with a malicious attachment or a malicious link are sent to random addresses with the help of the Cutwail spam botnet. Unfortunately, users are still too naive or inattentive and click the links or open the attachments, and either of these careless actions results in execution of the trojan’s payload. The Rig Exploit Kit (Rig EK) is also associated with the distribution of the TrickBot banking trojan.
What does TrickBot Trojan Aim at?
As already mentioned, the primary targets of TrickBot are banks located in Australia. The targets in the malware’s configuration are the following: cibconline.cibc.com (Canadian Imperial Bank of Commerce), anz.com (Australia and New Zealand Banking Group), banking.westpac.com.au (Westpac Banking Corporation), ib.nab.com.au (National Australia Bank) and ibanking.stgeorge.com.au (St.George Bank). TrickBot is expected to expand to banks in the United States.
How to Remove the TrickBot Trojan from a Computer?
To remove the TrickBot trojan, use professional software such as Spyhunter. It is important that such malware removal tools are updated regularly, since threats like trojans tend to evolve rapidly.