TrickBot banking Trojan adds Canada to its target list: IBM

Three Canadian banks have been added to the TrickBot Trojan’s list of redirection targets, according to IBM’s X-Force threat researchers.

“The gang continues to focus on the U.K. and Australia,” they reported in a blog Wednesday, “but it’s now setting its sights on Canada with enhanced capabilities to attack banks in the country.”

The malware, first detected over the summer and then distributed in a major way early this month, added Canadian targets Nov. 14. Early versions included code similar to the Dyre banking Trojan, leading to speculation that the developers of TrickBot either had a lot of familiarity with it or were just copycats.

IBM notes that redirection attacks first targeted Canadian banks in 2015, when the Dyre malware launched its Web browser manipulation techniques. The targets were business accounts of a handful of banks. After Russian police arrested many of Dyre’s operators, the Dridex Trojan started using redirections against businesses in Canada. Next, GozNym created redirection attacks designed to target business banking here. TrickBot is the fourth campaign, say researchers.

Financial Malware Families 2016

(Most active malware in Canada by attack volume, November, 2016. Source: IBM)

That count is different from one in a June report from Proofpoint, which said the company has seen six different banking Trojan families, including Ursnif, Dridex, Kronos, Zeus, Gootkit, and Vawtrak, all targeting customers of financial institutions in Canada and other countries since May.

Campaigns vary, with some purporting to be email messages to consumers from a specific bank, while others are messages within email that generate fake Microsoft security alerts or Canada Post or UPS delivery notices to trick recipients into downloading a file that is actually malware which finds banking credentials.

All are likely run by criminal gangs, the report adds, because only malware operators with the extra resources to build and carry out redirection attacks can do it. To make stolen funds disappear, says the report, gangs keep elaborate crews on their payroll, maintaining a large number of foot soldiers to funnel stolen money from one account to another and act as money mules to cash the funds out.

To put this in perspective, IBM researchers say that in October two alleged Dridex gang members were convicted in Britain after being caught with access to more than 220 compromised U.K. bank accounts and £2.5 million. In November, authorities arrested 14 ex-Dyre and ex-Dridex members who laundered over US$13 million in the past two years.

Infosec pros who want to know more about TrickBot’s indicators of compromise can check out this posting on IBM’s X-Force Exchange.

At the beginning of this year Trend Micro reported that the biggest brands here targeted by attackers were our banks.



Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
