4 December 2019

TrickBot operators set their sights on Japanese banks ahead of holiday season


Operators of TrickBot, one of the most active banking malware families, have been modifying some of the trojan’s modules as they ramp up global attacks in preparation for the holiday season. While TrickBot campaigns have previously focused mostly on Western and English-speaking countries (although the malware has also been known to target other parts of the world), the threat actor has now set its sights on Japan, with Japanese banks becoming the main target, the IBM X-Force research team reports.

While the TrickBot malware has been spotted in other regions, this marks the first time TrickBot has been seen at Japanese banks. So, as the holiday season approaches, the X-Force researchers urge shoppers in Japan to exercise caution when making purchases on e-commerce sites or visiting cryptocurrency exchange platforms. While most campaigns aim for online banking (76%), e-commerce (5%), payment cards (3%), credit unions (3%), and Bitcoin exchanges (3%) are also targeted.

“TrickBot configurations have been loaded with hundreds of targeted URLs, most belonging to banks, but some nontraditional targets in recent lists were also recognized, such as fuel cards, a hotel chain and an industrial supply company, to name a few,” the researchers said.

In the campaigns targeting Japanese entities, TrickBot has been delivered via malicious spam distributed by the Emotet botnet. Most attacks involved web injections on banking websites, which ultimately lead to bank fraud. One of TrickBot's frequently used tactics, pulled from the attacker's server, involves tricking victims into sharing personal data, payment card details and PIN codes, as well as transaction authorization elements.

The researchers have also warned about the potential for TrickBot attacks to turn into Ryuk ransomware attacks, as “a kill chain that begins with Emotet and TrickBot infections has been known to result in Ryuk attacks,” leading to widespread ransomware infections that can cripple organizations and cost them a lot of money.

Over the past decade, banking trojans have become one of the most actively used tools on the cybercriminal scene, evolving into increasingly stealthy and sophisticated code. According to the X-Force team, TrickBot tops the list of the most active malware with an infection rate of 23%, followed by similar modular trojans Ramnit (20%), Gozi (15%), Qakbot (9%), and IcedID (8%).
