Bank vault
Image from Shutterstock.com

Three Canadian banks have been added to the target list of the TrickBot trojan’s redirection targets, according to IBM’s X-Force threat researchers.

“The gang continues to focus on the U.K. and Australia,” they reported in a blog Wednesday, “but it’s now setting its sights on Canada with enhanced capabilities to attack banks in the country.”

The malware, first detected over the summer and then in distributed in a major way early this month, added Canadian targets Nov. 14. Early versions included code similar to the Dyre banking Trojan, leading to speculation developers of TrickBot either had a lot of familiarity with it or were just copycats.

IBM notes that redirection attacks first targeted Canadian banks in 2015, when the Dyre malware launched its Web browser manipulation techniques. The targets were business accounts of a handful of banks. After Russian police arrested many of Dyre’s operators the Dridex Trojan started using redirections against businesses in Canada. Next, GozNym created redirection attacks designed to target business banking here. TrickBot is the fourth campaign, say researchers.

Financial Malware Families 2016

(Most active malware in Canada by attack volume, November, 2016. Source: IBM)

That count is different from one in a June report from ProofPoint, which said the company has seen six different banking Trojan families, including Ursnif, Dridex, Kronos, Zeus, Gootkit, and Vawtrak, all targeting customers of financial institutions in Canada and other countries since May.

Campaigns vary, with some purporting to be email messages to consumers from a specific bank, while others are messages within email that generate fake Microsoft security alerts or Canada Post or UPS delivery notices to trick recipients to download a file that is actually malware which find banking credentials.

All are likely run by criminal gangs, the report adds, because only malware operators with the extra resources to build and carry out redirection attacks can do it. To make stolen funds disappear, says the report gangs keep elaborate crews on their payroll, maintaining a large number of foot soldiers to funnel stolen money from one account to another and either act as money mules to cash the funds out.

To put this in perspective, IBM researchers say in October  two alleged Dridex gang members  were convicted in Britain after being caught  with access to more than 220 compromised U.K. bank accounts and £2.5 million. In November, authorities arrested 14 ex-Dyre and ex-Dridex members who laundered over US$13 million in the past two years.

Infosec pros who want to know more about TrickBot’s indicators of compromise can check out this posting on IBM’s X-Force Exchange.

At the beginning of this year Trend Micro reported that the biggest brands here targeted by attackers were our banks.