Friday, April 4, 2025
HomeTorjan Horses/wormsBanking Trojan "Trickbot" Powered by Necurs Targeting Financial Institutions

Banking Trojan “Trickbot” Powered by Necurs Targeting Financial Institutions

Published on

SIEM as a Service

Follow Us on Google News

Security experts from Flashpoint observed spam campaigns targeting US financial sectors Trickbot banking Trojan targeting financial sector.

Trickbot which is capable of launching MitB attacks originated in the middle of 2016 and it targets financial institutions outside of US.

From July 17, 2017, Flashpoint observed Trickbot campaign, known as “mac1,” targeting users of various financial institutions in U.S., U.K., New Zealand, France, Australia, Norway, Swedish, Iceland, Finland, Canada, Italy, Spain, Switzerland, Luxembourg, Belgium, Singapore, and Denmark.

Also Read  A Sophisticated Backdoor Called “Stantinko” Infected More Than 500,000 Computers

Banking Trojan "Trickbot" Necurs Targeting US Financial Institutions

There should be at least three different spam waves the initial was with HTML file disguising as a bill from Australian Telecommunication company and other subsequent campaigns are through macro documents as an attachment.

These malicious emails contained a Zip-archived Windows Script File (WSF) attachment consisting of obfuscated JavaScript code. Upon being clicked, the files download and execute the Trickbot loader.

Also Read   Dangerous Android Banking Trojan Control Mobile Devices and Steals Confidential Bank Customers Information

Execution Flow

Once it infected the machine to trick the user it launches “CREATE_SUSPENDED” flag to kill the process used in launching the Trojan. Next, it creates %APPDATA% and copies it’s also then it adds it Authroot certificate in Temp directory.

Trickbot does contain importDll32, mailsearcher32, systeminfo32, injectDll32, and outlookDl32 modules.A detailed analysis report published by Flashpoint.

Flashpoint considers trickbot is Dyre’s successor or the Author used the old source code with updated functions.

Trickbot powered by the famous spambot Necurs, so it continues to emerge and it targets huge customer base it will be very crucial for organizations. Users should stay more vigilant.

Common Defence’s to stay safe

  • Don’t open the attachments that you are not expecting.
  • Patch or Update your software.
  • Use a reputable security suite.
  • Download applications from Reputed sites.
  • Stay strict with CIA Cycle.
Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing...

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of...

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM)...

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

MnuBot – New Banking Trojan Take Browsers Screenshots, Keylogging to Steal Bank Data

Newly discovered banking Trojan named MnuBot malware spreading to steal the sensitive bank related...

New Banking Trojan IcedID Evade Sandboxes and Performing Web Injection Attacks

A New Banking Trojan dubbed IcedID discovered that capable of performing some dangerous web-based...

Silence Trojan Targeting Financial Institutions Recording day to day activity on Bank Employees’ PCs

Security experts from Kaspersky lab discovered a new trojan dubbed Silence trojan that targeting Financial...