TrickBot Botnet Modifications Target U.S. Mobile Users


Researchers at Secureworks® Counter Threat Unit™ (CTU) continuously monitor the TrickBot botnet, which is operated by the GOLD BLACKBURN threat group. One of TrickBot's most important features is its ability to manipulate web sessions by intercepting network traffic before it is rendered by the victim's browser. Since it first appeared in October 2016, TrickBot has targeted hundreds of organizations, mainly financial institutions. In August 2019, the dynamic webinjects used by TrickBot were updated to include the following U.S. mobile carriers:

  • August 5: Verizon Wireless
  • August 12: T-Mobile
  • August 19: Sprint

When a victim visits the website of one of these carriers, the legitimate server response is intercepted by TrickBot and proxied through a command and control (C2) server. The C2 server injects additional HTML and JavaScript into the page, which is then rendered in the victim's web browser. For all three carriers, the injected code adds an extra form field that asks for the user's PIN code, as shown in Figures 1 and 2.


Figure 1. TrickBot-modified form (left) and the original form (right) for Verizon Wireless. (Source: Secureworks)


Figure 2. An additional PIN form added to the Sprint login page after the username and password have been entered. (Source: Secureworks)

The code in Figure 3 triggers TrickBot's record functionality (rcrd). This function generates an additional HTTP request containing the victim's username, password and PIN, which is sent to the TrickBot C2 server. These records are presented to TrickBot operators when they view infected hosts in their web panel.


Figure 3. JavaScript injected into the T-Mobile login page. (Source: Secureworks)
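One defender-side way to catch the kind of injection described above is to compare the login page the browser actually rendered against a known-good copy of it. The following is an added example (not Secureworks' code and not code taken from TrickBot): it profiles the input fields and script tags of a baseline page and reports anything extra in the observed page, so an injected PIN field or an extra inline script surfaces as a difference. The sample pages and all function names are constructed for this example.

```python
from html.parser import HTMLParser


class LoginFormProfile(HTMLParser):
    """Record the input field names and script tags a login page serves."""

    def __init__(self):
        super().__init__()
        self.inputs = set()
        self.scripts = set()
        self._in_script = False
        self._script_src = ""  # src of the open <script>, "" when inline

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            self.inputs.add((a.get("name") or a.get("id") or "<unnamed>").lower())
        elif tag == "script":
            self._in_script = True
            self._script_src = a.get("src") or ""

    def handle_data(self, data):
        # Inline script bodies arrive here; keep a short prefix as a fingerprint.
        if self._in_script and not self._script_src and data.strip():
            self.scripts.add("inline:" + " ".join(data.split())[:40])

    def handle_endtag(self, tag):
        if tag == "script":
            if self._script_src:
                self.scripts.add("src:" + self._script_src)
            self._in_script = False


def profile(html):
    p = LoginFormProfile()
    p.feed(html)
    p.close()
    return p


def find_injected_content(baseline_html, observed_html):
    """Return inputs and scripts present in the observed page but not in the baseline."""
    base, seen = profile(baseline_html), profile(observed_html)
    return {
        "extra_inputs": sorted(seen.inputs - base.inputs),
        "extra_scripts": sorted(seen.scripts - base.scripts),
    }


# Constructed sample pages (not captured from any carrier site).
BASELINE = """<form method="post" action="/login">
<input name="username"><input type="password" name="password">
<script src="/static/app.js"></script></form>"""

OBSERVED = """<form method="post" action="/login">
<input name="username"><input type="password" name="password">
<input name="pin" placeholder="Account PIN">
<script src="/static/app.js"></script>
<script>/* injected */ setTimeout(sendRecord, 500);</script></form>"""

if __name__ == "__main__":
    print(find_injected_content(BASELINE, OBSERVED))
```

In practice the baseline would be captured from a clean host and the observed page from the endpoint under investigation, since the injection happens on the infected machine and never reaches the carrier's own servers.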

GOLD BLACKBURN or its affiliates targeting mobile carrier PIN codes via TrickBot indicates an interest in port-out fraud or SIM swap fraud. This type of fraud gives the criminal control of the victim's phone number, including all incoming and outgoing text messages and voice calls. Intercepting authentication tokens sent by short message service (SMS), or SMS-based password resets, is commonly used in account takeover (ATO) fraud.

CTU™ researchers recommend that organizations use time-based one-time passwords (TOTP) rather than SMS-based codes for multi-factor authentication (MFA) where possible. Phone numbers should also not be offered as a password reset option for high-value accounts. Requiring a PIN code on mobile phone accounts remains a sensible anti-fraud measure, because the criminal must obtain additional information about the intended victim.

To mitigate exposure to this malware, CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 1. Note that IP addresses can be reallocated to other parties. The listed hosts may contain malicious content, so consider the risks before opening them in a browser.

Indicator       | Type       | Context
----------------|------------|------------------------------------------------------
194.87.95.132   | IP address | TrickBot C2 proxy server used for dynamic webinjects
194.36.189.170  | IP address | TrickBot C2 proxy server used for dynamic webinjects
185.202.174.77  | IP address | TrickBot C2 proxy server used for dynamic webinjects
195.123.240.170 | IP address | TrickBot C2 proxy server used for dynamic webinjects
192.3.146.249   | IP address | TrickBot C2 proxy server used for dynamic webinjects
107.174.14.178  | IP address | TrickBot C2 proxy server used for dynamic webinjects
172.106.86.4    | IP address | TrickBot C2 proxy server used for dynamic webinjects

Table 1. Indicators of this threat.
