Trickbot Banking Trojan Now Targets Both International and U.S. Banks

Malware often targets specific banks. Trickbot has proven to be a rather strange banking Trojan, as it mainly affects users belonging to a specific bank or financial institution in a particular region. The latest update for this infamous banking Trojan allows developers to target U.S. banks and their customers. The malware has received some upgrades under the hood as well.

Trickbot Goes After US Banks to Hit the Jackpot

Most malware developers aim to make a lot of victims in the United States. This is especially true for banking Trojans and other tools capable of stealing financial information. The U.S. is still considered to be the heart of global finance, and its banks process an inordinate number of transactions every single day. If a criminal were able to infiltrate that system and use it to his advantage, he would hit the proverbial jackpot.

That is exactly what the updated version of Trickbot attempts to achieve. Although this banking Trojan has been around for quite some time now, it never affected U.S. banks in the past. Most of its damage has been done through man-in-the-middle attacks outside of the United States. Going after the proverbial jackpot also comes with a whole new set of risks., begging the question as to why the developers decided to up the ante so suddenly.

New spam campaigns facilitated by the Necurs botnet have been identified over the past few months. All of these campaigns have tried to spread Trickbot malware to U.S. banks. It appears this updated version of the malware includes a customized redirection attack, among other new tricks. This new redirection attack is used to obtain login credentials, personal information, and even financial authentication codes. A lot of damage could be done if this information were to fall into the wrong hands.

Trickbot is currently distributed in the form of a Zip-archived email attachment that contains a Windows Script file that downloads and executes the malware in question. It is possible that other methods of distribution will become more prevalent over the coming weeks. It appears Trickbot is only targeting Windows machines right now, although it is still a bit too early in the game to tell for sure. This is only the beginning of a large-scale attack against U.S. banks and their customers.

It is important to note that this new version of Trickbot still targets non-U.S. banks as well, as that situation has not changed by any means. Every targeted region has its own customized redirection attack leveraging HTML or JavaScript injections. Visitors are redirected to malicious versions of the actual banking site where the malware successfully captures their login credentials and other sensitive details. Once the information is entered, users are apparently logged in and redirected to the legitimate page.

It is unclear how many people have been affected by this new version of Trickbot. This malware strain has the potential to cause a lot of havoc over the coming months and years, mainly due to its broad range of geographic targets. Users cannot tell the difference between the redirect website and the real version, making it incredibly difficult to spot the malware once it has infected a computer. This is a very troublesome situation, to say the least.