Trickbot, a banking Trojan that targets financial institutions across the world, has just evolved and could soon have the ability to spread across networks just like the notorious WannaCry and NotPetya strains that caused global chaos earlier this year.
This week, Thursday 27 July, experts from enterprise cybersecurity firm Flashpoint observed a new version of the banking Trojan with "worm" capabilities. It could spread via spam email while impersonating invoices sent from an unnamed "international financial institution."
The updated version is still being tested, researchers said, but it is being designed to spread locally across networks via Server Message Block (SMB), the same method that WannaCry used back in May to infect more than 200,000 computers in 150 countries.
Luckily, it doesn't have the ability to randomly scan external internet addresses for SMB connections which means it can't yet spread to the extent of WannaCry, which used a leaked exploit from the US National Security Agency (NSA) called "EternalBlue" to circulate.
Trickbot first emerged in 2016, initially hitting banks across Asia, Australia and New Zealand but later evolving to target customers of institutions in the UK, Germany and Canada. The identity of its creator remains a mystery.
The malware lets hackers launch "redirection" attacks, which stealthily send users to a malicious website instead of the legitimate service. The fake website will typically mirror the real version in an attempt to trick the victim into entering their personal credentials.
"The Trickbot banking Trojan gang continues to have a global impact, targeting various financial instructions across the world and tirelessly proliferating sizable daily spam waves impacting various geographies," Flashpoint researchers concluded in the blog post this week.
"Now, the gang appears to be testing a new module with worm-like capabilities for lateral movement, i.e., the ability to infect other computers on the same Local Area Network (LAN) with the goal of infecting more victims and enlisting them as part of the botnet."
The team said the discovery provides an insight into what the TrickBot operators might be using in the near-future.
It elaborated: "Flashpoint assesses with moderate confidence that the Trickbot gang will likely continue to be a formidable force in the near term.
"Even though the worm module appears to be rather crude in its present state, it is evident that the Trickbot gang learned from the global ransomware worm-like outbreaks of WannaCry and 'NotPetya' and is attempting to replicate their methodology."
The fallout from the NotPetya cyberattack, which hit on 27 June this year, is still being felt by many companies that were infected. The outbreak, which hit power plants, construction firms and logistics networks, originated in Ukraine and was blamed on a malicious software update.