World’s most wanted hacker Evgeniy M. Bogachev
Over a dozen UK banks have been added to TrickBot's target list, IBM warns iStock

Security researchers from IBM Security have warned that a strain of banking Trojan, dubbed TrickBot, is escalating attacks against UK banks and financial institutions. The operators of the malware have launched five campaigns this month alone, it has been revealed.

In its current configuration, the financial Trojan is targeting a slew of private banks, wealth management firms, investment companies and insurance businesses, claimed Limor Kessem, one of the top cyber-intelligence experts at IBM's X-Force, in a blog post this week (27 April).

One of the UK targets, although left unnamed, is reportedly one of the "oldest banks in the world."

"The operators have been doing a lot of homework," Kessem continued. "TrickBot has added 20 new private banking brands to its regular attack roster, as well as eight building societies," she added.

Other recently added targets included two Swiss banks and four investment firms in the US.

In total, it can use its "redirection attack" against 300 unique URLs. This typically involves injecting malware into a website to redirect a user to a separate website managed by hackers.

If successful, the hackers' website will look identical to the targeted page, and real credentials will be compromised if a victims fails to notice any change. The malware has grown from three major campaigns-per-month to five in April 2017 alone, the experts found.

Kessem said: "It is possible that TrickBot's operators are increasing their spam runs in the target geographies and attempting to infect more endpoints before going into an attack phase next. In terms of its attack types [...] its signature moves are browser manipulation techniques.

"The expanded target list, as well as the focus on new brands and high-value account types, means that this nefarious group is setting its sail and likely plans to deploy its crimeware in new territory."

TrickBot first emerged in mid-2016, likely from the ashes of a previous malware strain, and caused a splash by targeting financial institutions across Asia, Australia and New Zealand, later evolving to hit the UK, Germany and Canada. The identity of its operators remains a mystery.

In November last year, malware researcher Lior Keshet described TrickBot as "undoubtedly the work of professionals who have been around the banking Trojan scene for some time."

He elaborated: "These experienced fraudsters are apparently well-versed in the modern features common to the types of malware banks reckon with nowadays. We expect to see this Trojan evolve its anti-security and anti-research techniques."