4 December 2019

TrickBot operators set their sights on Japanese banks ahead of holiday season


Operators of TrickBot, one of the most active banking malware families, have been modifying some of the trojan’s modules as they ramp up global attacks in preparation for the holiday season. While previous TrickBot campaigns focused mostly on Western and English-speaking countries (although the malware has also been known to target other parts of the world), the threat actor has now set its sights on Japan, with Japanese banks becoming the main target, the IBM X-Force research team reports.

While the TrickBot malware has been spotted in other regions, this marks the first time TrickBot has been seen at Japanese banks. So, as the holiday season approaches, the X-Force researchers urge shoppers in Japan to exercise caution when making purchases on e-commerce sites or visiting cryptocurrency exchange platforms. While most campaigns aim for online banking (76%), e-commerce (5%), payment cards (3%), credit unions (3%), and Bitcoin exchanges (3%) are also targeted.

“TrickBot configurations have been loaded with hundreds of targeted URLs, most belonging to banks, but some nontraditional targets in recent lists were also recognized, such as fuel cards, a hotel chain and an industrial supply company, to name a few,” the researchers said.

In the campaigns targeting Japanese entities, TrickBot has been delivered via malicious spam distributed by the Emotet botnet. Most attacks involved Web injections on banking websites, which ultimately lead to bank fraud. One of TrickBot's frequently used tactics, pulled from the attacker's server, involves tricking victims into sharing personal data, payment card details and PIN codes, as well as transaction authorization elements.

The researchers have also warned about the potential of TrickBot attacks turning into Ryuk ransomware attacks, as “a kill chain that begins with Emotet and TrickBot infections has been known to result in Ryuk attacks,” leading to widespread ransomware infections that can cripple organizations and cost them a lot of money.

Over the past decade, banking trojans have become one of the most actively used tools on the cybercriminal scene, evolving into increasingly stealthy and sophisticated code. According to the X-Force team, TrickBot tops the list of the most active malware with an infection rate of 23%, followed by similar modular trojans Ramnit (20%), Gozi (15%), Qakbot (9%), and IcedID (8%).
