In September 2016, researchers at Fidelis Cybersecurity discovered a new malware bot dubbed TrickBot or “TrickLoader” by its authors. They found that it had a lot in common with the infamous Dyre banking Trojan. Not only was the loader similar, but the code itself was very familiar, suggesting that some of the original Dyre authors also helped to bring TrickBot to life.
The Dyre (or Dyreza) Trojan caused havoc back in 2014/15, when it used numerous spam and phishing campaigns to inflict damage worth tens of millions of dollars on Western banks and businesses in the US, the UK, and Australia. Dyre succeeded in stealing approximately US$5.5 million from the budget airline Ryanair, and up to $1.5 million from individual businesses, by carrying out significant wire transfers using stolen online banking credentials. However, Dyre activity suddenly ceased in mid-November 2015. A few months later it was revealed that most of the gang members responsible for Dyre had been arrested by Russian authorities. It is possible that one or more of the developers eluded the authorities and worked together to develop the new malware.
Early testing versions of TrickBot were set up to target a digital banking platform commonly used by regional banks in the United States. By November 2016, new configurations enabled redirection attacks against four UK banks and server-side injections against numerous Australian financial organisations. Experts say the malware now targets the personal and business banking websites of financial institutions in New Zealand, Canada and Germany.
According to Limor Kessem, executive security advisor at IBM Security, “unlike its predecessor, Dyre, TrickBot has ‘dabbled’ in malvertising, leveraging the RIG exploit kit, malicious email attachments and poisoned Office macros coming through the ‘Godzilla loader’. That behaviour suggests that the group behind TrickBot is after specific business accounts. They have been sending malware-laden spam to companies, not just indiscriminate waves of email.” This is another behaviour that Dyre did not exhibit.
Experts agree that although there are quite a few similarities, TrickBot has been rewritten in a different coding style, with minor changes made to upgrade the code rather than reinvent the wheel. The similarities include loaders and custom encryptors, similar hashing features, and an upgraded command and control encryption tool.
TrickBot contains more C++ code than Dyre, which mostly used C. The new Trojan also uses the Microsoft CryptoAPI instead of built-in functions for AES encryption and SHA-256 hashing (a hash is a kind of unique signature for a text or data file; SHA-256 is also used by Bitcoin). Dyre ran commands directly, whereas TrickBot interfaces with the Task Scheduler through the COM standard for more impact.
Visit our blog next week to find out how the TrickBot Trojan makes its way into the computer systems of its victims.