When it was discovered in 2016, Trickbot’s main functionality was online banking data theft. Over its five years of activity, the Trickbot banking Trojan has changed as attackers came up with a more advanced toolset.
Kaspersky researchers have traced Trickbot’s evolution by analysing its 61 existing modules and defined how Trickbot has been updated.
Trickbot is a descendant of the Dyre banking Trojan, which originated as a Trojan stealing banking data and account credentials. Today Trickbot has evolved into multi-modular malware whose activity ranges from data theft to distributing other malware (such as Ryuk ransomware).
Overall, Kaspersky researchers have analysed 61 modules of Trickbot and discovered that the Trojan has acquired dozens of auxiliary modules that steal credentials and sensitive information. The malware spreads over local networks using stolen credentials and vulnerabilities, provides remote access, proxies network traffic, performs brute-force attacks and downloads other malware.
Trickbot targets companies and individual users around the world. According to Kaspersky, Trickbot’s activity is not geographically limited and most of the affected users were located in the US (13.21%), Australia (10.25%) and China (9.77%), followed by Mexico (6.61%) and France (6.3%).
“Cybercriminals always update and refresh their toolsets. Right now, Trickbot has developed and become one of the most powerful and dangerous samples of its malware type. As cybercriminals evolve, so should protection techniques. Most of the attacks can be prevented; that is why it is important to have an up-to-date security solution,” comments Oleg Kupreev, security expert at Kaspersky.