The hackers behind the TrickBot banking trojan are now targeting US banks in new attacks. Fuelled by the Necurs botnet, the malware's new campaign is also targeting financial institutions in Europe, Canada, New Zealand, Singapore and more.
Security experts said they observed Necurs being leveraged in three separate spam campaigns that distributed emails containing malicious attachments, which, when clicked, automatically downloaded and executed the TrickBot malware loader.
According to researchers at Flashpoint, TrickBot shares several similarities with the Dyre banking trojan, which was shut down in 2015 by Russian police. TrickBot is considered to be Dyre's successor. Flashpoint researchers suggested that the cybercriminals behind TrickBot "may have either had deep knowledge of Dyre or simply re-used old source code".
In April, security experts at IBM warned that TrickBot was going after banks in the UK. "TrickBot's operators have been investing heavily into widening the scope of their attacks and are preparing redirection attacks against banks in 19 different countries," IBM executive security adviser Limor Kessem said in a blog.
According to Kessem, since the start of Q2 2017, TrickBot's campaigns have entered a "rather intensive period of updates and attacks".
"TrickBot is the first and only banking Trojan to cover this many geographies and language zones with redirection schemes, an attack type known to be more resource-intensive to produce and maintain than dynamic webinjection schemes," Kessem added.
According to IBM X-Force researchers, TrickBot is targeting banks in over 24 countries and is ranked seventh among financial malware. Flashpoint researchers said the Necurs-powered TrickBot campaign "will likely continue to evolve and target customers of U.S. and international financial institutions".
"TrickBot now accounts for about 4% of attacks on a global scale," Kessem said.