New Trojan malware campaign sends users to fake banking site that looks just like the real thing

[Image] The Trickbot Trojan targets banks around the world. (Image: iStock)

A notorious banking Trojan is targeting customers of a major bank with a new email spam campaign that directs victims to a fake login page indistinguishable from their real bank.

The credential-stealing Trickbot banking malware has been hitting the financial sector since last year and targets online banking customers in the US, UK, Australia and other countries.

Those behind this particular banking Trojan are continually developing it and have even been experimenting with EternalBlue, the Windows exploit that helped spread WannaCry and Petya.

But no matter how advanced malware gets, phishing remains a common attack vector for distributing malicious payloads.

Uncovered by cyber security researchers at Cyren, this latest Trickbot distribution campaign sent over 75,000 emails in 25 minutes, all claiming to be from Lloyds Bank, one of the UK's biggest banks.

Emails were sent with the subject 'Incoming BACs', referring to BACs, a system for making payments directly from one email account to another, and claim that the target needs to review and sign attached documents.

[Image] A phishing email claiming to be from Lloyds, used to distribute Trickbot. (Image: Cyren)

After downloading and opening the Excel attachment - IncomingBACs.xlsm - the user is asked to enable macros to allow the document to be edited, but as with many malicious email campaigns, it's this process that allows the malware payload to be deployed.

In this case, the Trojan uses PowerShell to download an executable file, which eventually runs as 'Pdffeje.exe', the main TrickBot process, installing the malware onto the machine.

Once a computer is infected with Trickbot, the malware runs in the background and waits for the victim to visit their online bank.

When the victim visits their online bank, Trickbot redirects them to a malicious site, which in this case was a fake version of the Lloyds website that looked exactly like the real thing - complete with the correct URL of the online bank and a legitimate SSL certificate, so the user wouldn't suspect they were being tricked.

"By using HTML and JavaScript, the malicious site is able to display the correct URL and the digital certificate from the genuine site on the malicious page," Sigurdur Stefnission, vice president of threat research at Cyren told ZDNet.

By doing this, the attacker is able to see and steal the victim's online banking credentials and security codes and make off with their funds and data.

While the phishing campaign looks highly legitimate (the fake site even shows the user the correct URL of the online bank and a legitimate SSL certificate, so nothing looks unusual), there is one major give-away that the email isn't from Lloyds: the address it is sent from is spelled incorrectly.

Instead of being from lloydsbank.co.uk, the message is sent from lloydsbacs.co.uk, a domain hosted by a Dutch IP address and a known source of spam.
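The lookalike sender domain and the macro-enabled attachment are the two indicators a mail gateway can act on before any macro runs. The following triage rule is an added example written for this article, not code from Cyren or ZDNet; it assumes lloydsbank.co.uk as the protected brand domain and uses constructed sample messages modelled on the lure described above.

```python
"""Triage rule for the Lloyds-themed Trickbot lure: flag a message whose sender
domain is a near-miss of a protected brand domain (lloydsbacs.co.uk versus
lloydsbank.co.uk) and/or that carries a macro-enabled Office attachment.
"""
from difflib import SequenceMatcher
from typing import Dict, List, Optional

PROTECTED_DOMAINS = {"lloydsbank.co.uk"}        # assumption: the bank's real domain
MACRO_EXTENSIONS = (".xlsm", ".docm", ".pptm")  # macro-enabled Office formats


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_of(domain: str, threshold: float = 0.85) -> Optional[str]:
    """Return the protected domain this one imitates, or None.

    An exact match is the genuine domain, not a lookalike; anything else that
    is almost identical by character-level similarity is treated as suspect.
    """
    for real in PROTECTED_DOMAINS:
        if domain == real:
            return None
        if SequenceMatcher(None, domain, real).ratio() >= threshold:
            return real
    return None


def triage(msg: Dict) -> List[str]:
    """Return the indicators found in one message (empty list if none)."""
    hits = []
    domain = sender_domain(msg["from"])
    imitated = lookalike_of(domain)
    if imitated:
        hits.append(f"sender domain {domain} imitates {imitated}")
    for name in msg.get("attachments", []):
        if name.lower().endswith(MACRO_EXTENSIONS):
            hits.append(f"macro-enabled attachment {name}")
    return hits


# Constructed sample messages: one modelled on the lure, one benign.
SAMPLES = [
    {"from": "noreply@lloydsbacs.co.uk", "subject": "Incoming BACs",
     "attachments": ["IncomingBACs.xlsm"]},
    {"from": "alerts@lloydsbank.co.uk", "subject": "Your statement",
     "attachments": ["statement.pdf"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", triage(m) or ["no indicators"])
```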

At its core, TrickBot remains similar to its predecessor, the data-stealing Dyre Trojan, with its signature browser manipulation techniques.

While it isn't as prolific as the likes of Zeus, Gozi, Ramnit, and Dridex, researchers warn that Trickbot will continue to be a "formidable force" in future, as its authors look to add more potent capabilities in order to distribute this dangerous malware.

"TrickBot evolves and changes almost every day and targets new banks all over the world, so all banks should be on alert," said Stefnission.

It's currently not clear who is behind Trickbot, but the way the malware is continually evolving suggests it's the work of a well-organised, well-funded cyber criminal group.

ZDNet contacted Lloyds Bank for comment, but hadn't received a response at the time of publishing.
