First there was Dyre malware, initially discovered in October 2014 and designed to steal sensitive data by successfully infecting computers. Most people conduct online banking using their personal phones, tablets, and PCs, and many others use their credit cards to make purchases online using those same devices. Further, enterprise and business computers as well as mobile devices often have sensitive financial data on them, the sort of information that’s often sold in illegal virtual markets found on the dark web. If you don’t know understand the significance of the dark web, you need to do some reading here.
Criminals can use databases full of credit card data and online banking credentials to make huge amounts of money through identity and financial fraud. For example, a criminal can use their unauthorized access to someone’s online banking to transfer their victim’s money to other bank accounts. All of this activity is at the expense of innocent people.
What is Drye?
Dyre uses fake phishing emails to target and trick users. Sometimes phishing emails are so well designed they actually look identical to the professional ones sent by large, trusted companies. They use familiar addresses like “email@example.com” or “firstname.lastname@example.org”along with official looking graphics that appear just like the ones from legitimate corporate websites.
The phishing emails that were used to distribute Dyre malware would have a subject heading like “Unpaid invoic”—yes, misspelled—and a file with a malicious PDF document attachment. The malicious PDF contained its own malware that was designed to exploit vulnerabilities in Adobe Reader. Through those vulnerabilities, the first bit of malware created a fake Windows service deceptively called “Google Update Service.” When Windows was booted or rebooted, the fake Windows service would execute the download of Dyre malware, which would then explore the web browsers on its targets’ computers for cookies and other stored data for online banking credentials and credit card information.
It is possible for many online banking websites to store usernames and passwords in the web browser, so users don’t have to manually log in every time. Also many browsers such as Google Chrome and Mozilla Firefox can store a user’s credit card numbers, including the sensitive CVV number on the back of the card, so users also don’t have to tediously type all of that in every time they want to charge something to their card. If the user stores that sort of web browser data on their home PC that only they and their family members can physically access, storing data like online banking credentials doesn’t seem dangerous. But with malware like Dyre, it makes no difference if atackers doesn’t have physical access to the target’s home PC because they can access it through the internet—unbeknownst to their victim.
From the last quarter of 2014 and through most of 2015, Dyre stole tens of millions of dollars from victims living mainly in English speaking countries like Australia, the U.S., and the U.K. In November 2015, the people who are believed to be behind the Dyre cyber attacks were arrested by Russian authorities. So that’s the last of that, right?
What is TrickBot?
Not so fast! Trickbot malware first emerged in October 2016. And when malware researchers took a look at Trickbot’s code, the similarities to Dyre were uncanny. Threat researcher Jason Reaves said, “From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn’t until you decode out the bot, however, that the similarities become staggering.”
A loader is exactly what it sounds like—a computer program designed to load other computer programs. In this case, TrickLoader is designed to load the TrickBot malware onto its targets’ machine. Reaves continued, “It is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is a considerable new development that has been invested into TrickBot. With moderate confidence, we assess that one or more of the original developers of Dyre is involved with TrickBot.”
When malware researchers find very similar computer programming code in two different types of malware, they can be pretty sure some of the same cybercriminals are responsible for both. Programmers often design their code with their own unique style. Some of the code similarities extend to TrickBot’s crypter, which is a program that uses cryptography in a way that prevents antivirus software from detecting the malware. Sometimes antivirus software is updated with signatures for known crypters so that cyber attackers will have to use new crypters in order to evade antivirus detection.
TrickBot was initially observed to use a technique called “webinjects” which intercepts data before it is encrypted by a website’s TLS/SSL (the encryption that HTTPS websites use to keep your data private) to steal usernames and passwords. So it doesn’t matter if you don’t store your online banking username and password in your web browser. If your computer is infected with TrickBot, the malware will grab that sensitive information before you can send it to the bank’s website. Very sneaky, indeed.
What’s the current status of TrickBot?
Cyber attackers have made TrickBot malware even more dangerous as time goes on. As of October 2018, TrickBot has been seen exploiting vulnerabilities in Microsoft Excel spreadsheet software. This new version of TrickBot was discovered by malware researcher Xiaopeng Zhang, an observation he wrote about in a report on November 8.
This is how the new TrickBot works. A potential victim receives a phishing email with a malicious Excel document titled “Sep_report.xls.” (The cyber attackers may be using a different filename by now.) If the victim tries to open the file, Excel will say “Security Warning: Macros have been disabled” with a button that says “Enable Content.” Good and helpful Excel documents will also use macros, so when users see this similar warning, they may think the notice is nothing to be concerned about.
When the user enables the macro in the malicious Excel spreadsheet, a part of Windows that executes script code called Powershell (users usually don’t see Powershell but it’s there) will be instructed to download something from the cyber attacker’s fake website at “hxxp://excel-office.com/secure.excel.” From there, a file called “pointer.exe” is downloaded. That file is the Trickbot malware.
TrickBot will create a malicious Windows process which becomes a part of Task Scheduler, which is usually a safe and necessary part of Windows and which launches programs that the operating system needs without the user’s input. But now the normally good Task Scheduler has been tricked to do the work of the bad guys—and because TrickBot does bad things through a normal part of Windows, it can evade detection by antivirus software.
Every time Task Scheduler runs while a victim is using their Windows computer, the TrickBot malware communicates with the cyber attackers’ command and control servers through the internet. A command and control server is a computer that a cyber attacker can use in order to control the computers of their victims. Depending on the version of Windows (Windows 2000, Windows XP, Windows Vista, Windows Server 2008, Windows 7, Windows 10, or Windows Server 2016), TrickBot can steal any sensitive financial data found in Firefox, Chrome, or Internet Explorer, or “webinject” sensitive data as a user enters it into their bank’s website. An option has been found in the new TrickBot’s code to also target the Microsoft Edge web browser in the future.
Because the cyber attackers access their victim’s computers and control TrickBot’s operation through their command and control servers, they can make more changes to the malware over time so it can do many other terrible things. Malware researchers are watching it carefully to see what TrickBot will do in the future.
Ugh, what to do?
The best thing you can do to prevent becoming the next TrickBot victim is to never ever open any email attachments from people you don’t know. It doesn’t matter if the email says it’s from “bankofamerica.com” or “facebook.com,” cyber attackers can make the “from” field in an email appear any way they want. They may also try to prey on your fear by saying that they’re a big legitimate company and that you owe them money. But don’t be fooled—report any such email as spam if your email application or webmail app has the option. Otherwise, delete the email without opening it. If you really owe money to a big company, they will surely send you an old-fashioned letter as notification. And if you just can’t wait that long, call or email the company directly using the contact information on their legitimate website—and ask them what’s going on.
Phishing emails can also look like work-related email, only open email attachments from coworkers who you know—and only if the email sounds like something they may have written. If you have an doubts, compose an original email yourself and ask them if the communication is real. Then you will have the answer you need to move on without fear.