4 December 2019

TrickBot operators set their sights on Japanese banks ahead of holiday season


Operators of one of the most active banking malware families, known as TrickBot, have been modifying some of the trojan’s modules as they ramp up global attacks in preparation for the holiday season. While TrickBot campaigns have previously focused mostly on Western and English-speaking countries (although the malware has also been known to target other parts of the world), the threat actor has now set its sights on Japan, with Japanese banks becoming the main target, the IBM X-Force research team reports.

While the TrickBot malware has been spotted in other regions, this marks the first time TrickBot has been seen at Japanese banks. So, as the holiday season approaches, the X-Force researchers urge shoppers in Japan to exercise caution when making purchases on e-commerce sites or visiting cryptocurrency exchange platforms. While most campaigns aim for online banking (76%), e-commerce (5%), payment cards (3%), credit unions (3%), and Bitcoin exchanges (3%) are also targeted.

“TrickBot configurations have been loaded with hundreds of targeted URLs, most belonging to banks, but some nontraditional targets in recent lists were also recognized, such as fuel cards, a hotel chain and an industrial supply company, to name a few,” the researchers said.

In the campaigns targeting Japanese entities, TrickBot has been delivered via malicious spam distributed by the Emotet botnet. Most attacks involved Web injections on banking websites, which ultimately lead to bank fraud. One of TrickBot's frequently used tactics, pulled from the attacker's server, involves tricking victims into sharing personal data, payment card details and PIN codes, as well as transaction authorization elements.

The researchers have also warned about the potential of TrickBot attacks turning into Ryuk ransomware attacks, as “a kill chain that begins with Emotet and TrickBot infections has been known to result in Ryuk attacks,” leading to widespread ransomware infections that can cripple organizations and cost them a lot of money.

Over the past decade, banking trojans have become one of the most actively used tools on the cybercriminal scene, evolving into increasingly stealthy and sophisticated code. According to the X-Force team, TrickBot tops the list of the most active malware with an infection rate of 23%, followed by similar modular trojans Ramnit (20%), Gozi (15%), Qakbot (9%), and IcedID (8%).
