TrickBot is alive and kicking. The trojan, which was believed to have been wiped out, has resurfaced with new components. Its operators, the Wizard Spider group, are quickly adopting new tools and techniques to carry out further attacks.
TrickBot adds Zeus flavor to its module
Kryptos Logic Threat Intelligence researchers have published a report on a new TrickBot module whose webinject configuration closely follows the Zeus format.
The banking module, injectDll, now accepts these Zeus-style webinjects, which puts the operators back in the bank-fraud game.
The module's Man-in-the-Browser (MitB) capability lets it alter pages inside the victim's browser on targeted banking sites, so credentials entered into the rewritten page can be stolen.
The updated module is pushed to already-infected bots, and its injects fire when the victim's browser loads one of the URLs listed in the inject configuration.
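To make the mechanism concrete, the following is an added example and not code from the article or from Kryptos Logic's report: a minimal parser for Zeus-style webinject rules and a function that applies them to a page the way a Man-in-the-Browser hook would. The rule keywords (set_url, data_before, data_inject, data_after, data_end) and the `*` wildcard follow the publicly documented Zeus format; reading the G/P flags as "apply to GET/POST requests" is an assumption about the subset modelled here. The target URL, the login page and the rule itself are constructed sample data, not taken from any real target.

```python
"""
Added example, not from the article or from Kryptos Logic's report: parse
Zeus-style webinject rules and apply them to a page as a Man-in-the-Browser
hook would. Rule syntax follows the public Zeus format; the G/P flag reading
is an assumption. URL, page and rule are constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass
class InjectRule:
    url_pattern: str   # wildcard pattern the request URL must match
    flags: str         # e.g. "GP": apply to GET and POST (assumed meaning)
    before: str = ""   # context preceding the injection point (wildcards allowed)
    inject: str = ""   # markup to insert
    after: str = ""    # context following the injection point; the text between
                       # `before` and `after` is replaced by `inject`


def parse_webinjects(text):
    """Parse a webinjects.txt-style config into InjectRule objects."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("set_url"):
            parts = s.split()
            current = InjectRule(url_pattern=parts[1],
                                 flags=parts[2] if len(parts) > 2 else "")
            rules.append(current)
        elif s in ("data_before", "data_inject", "data_after"):
            section, buf = s[len("data_"):], []
        elif s == "data_end":
            if current is not None and section is not None:
                setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def wildcard_regex(pattern, anchored=False):
    """'*' matches any run of characters; everything else is literal."""
    rx = re.escape(pattern).replace(r"\*", ".*?")
    return re.compile(f"^{rx}$" if anchored else rx, re.DOTALL)


def rule_applies(rule, url, method):
    """A rule fires only for the request methods in its flags and a matching URL."""
    method_flag = {"GET": "G", "POST": "P"}.get(method)
    if method_flag is None or method_flag not in rule.flags:
        return False
    return wildcard_regex(rule.url_pattern, anchored=True).match(url) is not None


def apply_injects(html, rules, url, method="GET"):
    """Return (rewritten_html, number_of_rules_that_fired)."""
    fired = 0
    for rule in rules:
        if not rule_applies(rule, url, method):
            continue
        start = 0
        if rule.before:
            m = wildcard_regex(rule.before).search(html)
            if m is None:
                continue            # context absent on this page: rule stays silent
            start = m.end()
        end = start
        if rule.after:
            m = wildcard_regex(rule.after).search(html, start)
            if m is None:
                continue
            end = m.start()
        html = html[:start] + rule.inject + html[end:]
        fired += 1
    return html, fired


# Constructed sample rule: add a fake "Card PIN" box right after the real password field.
SAMPLE_RULES = """\
set_url https://bank.example/login* GP
data_before
<input*name="password"*>
data_end
data_inject
<label>Card PIN</label><input type="password" name="pin">
data_end
data_after
data_end
"""

# Constructed sample page standing in for the bank's real login form.
SAMPLE_PAGE = (
    '<html><body><form method="post" action="/login">'
    '<input type="text" name="user">'
    '<input type="password" name="password">'
    '<button>Sign in</button></form></body></html>'
)


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_RULES)
    page, n = apply_injects(SAMPLE_PAGE, rules, "https://bank.example/login?lang=en")
    print(n, "rule(s) fired")
    print(page)
```

Because the rewrite happens inside the browser after TLS has been terminated, neither the bank's server logs nor a network capture show the extra field; the practical check is to compare the DOM the user sees against the HTML the server actually delivered, or to watch for the injected element names in submitted POST bodies.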
TrickBot’s connection with ransomware
Besides the new TrickBot version, the Wizard Spider threat actor group has been linked with a new ransomware strain named Diavol.
Although the initial intrusion vector is unknown, the ransomware has been deployed in the wild in at least one attack.
Diavol's encryption procedure is unusual: it drives encryption through user-mode Asynchronous Procedure Calls (APCs) and encrypts file contents with asymmetric cryptography alone, without the symmetric cipher that ransomware normally uses for bulk encryption. Asymmetric algorithms are far slower, so this is a surprising choice for a family whose goal is to encrypt as many files as possible before it is noticed.
Another distinguishing feature is its anti-analysis technique: the core routines are stored as bitmap images in the executable's resource section and are only extracted and copied into an executable buffer at runtime, so the bulk of the logic is not visible as code in the binary's code section.
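The following is an added example, not code from the article or from Fortinet's Diavol analysis, showing how a routine can be carried as the pixel data of a structurally valid bitmap and recovered again. `wrap_in_bmp()` builds an 8-bit-per-pixel BMP whose pixel rows hold an arbitrary byte blob; `extract_from_bmp()` does what an analyst's unpacker does: parse the file and DIB headers, follow the pixel-data offset, strip the per-row padding and return the blob. The 4-byte length prefix inside the pixel data, the image width and the sample blob are constructed for this example and say nothing about Diavol's actual resource layout.

```python
"""
Added example, not from the article or from Fortinet's write-up: hide a byte
blob as the pixel data of a valid 8-bpp BMP and recover it by parsing the
headers. The length prefix, width and sample blob are constructed assumptions.
"""
import struct

FILE_HDR = "<2sIHHI"         # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
DIB_HDR = "<IiiHHIIiiII"     # BITMAPINFOHEADER (40 bytes)
PALETTE = b"".join(struct.pack("<BBBB", i, i, i, 0) for i in range(256))  # greyscale


def wrap_in_bmp(blob, width=10):
    """Return BMP bytes whose 8-bpp pixel data carries len(blob) || blob."""
    payload = struct.pack("<I", len(blob)) + blob
    height = -(-len(payload) // width)              # ceiling division
    row_stride = (width + 3) & ~3                   # BMP rows are padded to 4 bytes
    payload += b"\x00" * (width * height - len(payload))
    # BMP stores rows bottom-up; a carrier does not care about orientation,
    # so rows are written in blob order and read back in the same order.
    pixels = b"".join(
        payload[r * width:(r + 1) * width] + b"\x00" * (row_stride - width)
        for r in range(height)
    )
    offset = struct.calcsize(FILE_HDR) + struct.calcsize(DIB_HDR) + len(PALETTE)
    dib = struct.pack(DIB_HDR, 40, width, height, 1, 8, 0, len(pixels),
                      2835, 2835, 256, 0)
    file_hdr = struct.pack(FILE_HDR, b"BM", offset + len(pixels), 0, 0, offset)
    return file_hdr + dib + PALETTE + pixels


def bmp_info(data):
    """Parse the headers an image viewer would trust; raise on anything off-spec."""
    magic, size, _, _, offset = struct.unpack_from(FILE_HDR, data, 0)
    if magic != b"BM" or size != len(data):
        raise ValueError("not a well-formed BMP")
    hdr_size, width, height, planes, bpp, comp, *_ = struct.unpack_from(DIB_HDR, data, 14)
    if hdr_size != 40 or planes != 1:
        raise ValueError("unsupported DIB header")
    return {"width": width, "height": abs(height), "bpp": bpp,
            "compression": comp, "offset": offset}


def extract_from_bmp(data):
    """Recover the blob: walk the pixel rows, drop padding, honour the length prefix."""
    info = bmp_info(data)
    if info["bpp"] != 8 or info["compression"] != 0:
        raise ValueError("example handles uncompressed 8-bpp carriers only")
    width, height, offset = info["width"], info["height"], info["offset"]
    row_stride = (width + 3) & ~3
    if offset + height * row_stride > len(data):
        raise ValueError("pixel data truncated")
    raw = b"".join(data[offset + r * row_stride: offset + r * row_stride + width]
                   for r in range(height))
    (n,) = struct.unpack_from("<I", raw, 0)
    if 4 + n > len(raw):
        raise ValueError("length prefix exceeds pixel data")
    return raw[4:4 + n]


# Constructed stand-in for a routine: 37 arbitrary bytes, deliberately not real code.
SAMPLE_ROUTINE = bytes(range(0x40, 0x40 + 37))


if __name__ == "__main__":
    carrier = wrap_in_bmp(SAMPLE_ROUTINE)
    print(bmp_info(carrier))
    recovered = extract_from_bmp(carrier)
    print("recovered", len(recovered), "bytes from a", len(carrier), "byte bitmap")
```

A viewer would render the carrier as a small block of grey noise and a resource scanner would classify it as an image; the loader side of the trick is the same header walk followed by copying the recovered bytes into memory marked executable, which is the allocation pattern worth alerting on when it originates from a resource section.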
What can be inferred from this?
Despite takedown efforts against the trojan's infrastructure, the constantly evolving malware has proved to be a resilient threat. The resumption of activity shows that the Wizard Spider gang intends to keep expanding its operations, and the addition of Zeus-style webinjects suggests that TrickBot is reviving a bank-fraud operation that appears to have been shelved for more than a year.