Experts suggest that the expansion of the malware's capabilities is the result of cooperation between the program's authors and the developers of another banking Trojan, IcedID.
Security expert Brad Duncan discovered a previously unknown module while analyzing the payload delivered by the Ursnif malware.
The specialist found that the updated version of TrickBot injects the shadnewDll dynamic library into the infected system, which is responsible for modifying web traffic. The malicious component has its own configuration file and is intended for man-in-the-browser (MITB) attacks. The module works with the Chrome, Firefox, Internet Explorer and Edge browsers.
“The infection chain starts with a malicious Office Word document, which deploys a PowerShell script to download the Ursnif trojan. The host compromised in this way also receives the Trickbot variant with the BokBot/IcedID proxy module that can intercept and modify web traffic,” said Brad Duncan.
A study of the new module's code revealed numerous matches with the source code of the BokBot banking Trojan, also known as IcedID. The specialists found that the malware acts as a local proxy server and is capable of inserting its own scripts into the traffic delivered to the machine. Attackers are thus able to display fake forms on the victim's screen that ask for financial details or credentials.
Last year it became known that the operators of IcedID and TrickBot had begun to conduct joint attacks, delivering both malicious programs to the target device at once. Security specialists concluded that such cooperation is designed to increase the effectiveness of cyber campaigns by using the strengths of each program.
Integration of development efforts at the level of malicious components may indicate a new stage of this cooperation.
However, experts from FireEye believe that the cooperation between the cybercriminals is not limited to this.
“The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber criminal actors to use in operations,” stated FireEye’s research.
As the recent experience with GandCrab has shown, such models of cooperation among criminal groups in cyberspace can be really dangerous and effective.