Researchers at Secureworks® Counter Threat Unit™ (CTU) continuously monitor the TrickBot botnet, which is operated by the GOLD BLACKBURN threat group. One of TrickBot's most important features is its ability to manipulate web sessions by intercepting network traffic before it is displayed by the victim's browser. Since its launch in October 2016, TrickBot has targeted hundreds of organizations, mainly financial institutions. In August 2019, TrickBot's dynamic web injects were updated to include the following U.S. mobile carriers:
- 5 August: Verizon Wireless
- 12 August: T-Mobile
- 19 August: Sprint
Figure 1. TrickBot's modified form (left) and the original form (right) for Verizon Wireless. (Source: Secureworks)
Figure 2. Additional PIN form added to the Sprint login page after the username and password are entered. (Source: Secureworks)
The code in Figure 3 triggers TrickBot's record (rcrd) functionality. This function generates an additional HTTP request containing the victim's username, password and PIN, which is sent to the TrickBot C2 server. These records are presented to TrickBot operators when they view infected hosts in their web interface.
If GOLD BLACKBURN or its affiliates are targeting mobile carrier PINs via TrickBot, this suggests an interest in committing port-out or SIM swap fraud. This fraud gives the perpetrator control of the victim's phone number, including all incoming and outgoing text messages and voice calls. Intercepting SMS-based authentication tokens or password resets is a common step in account takeover (ATO) fraud.
CTU™ researchers recommend that organizations use time-based one-time passwords (TOTP) rather than SMS for multi-factor authentication (MFA) wherever possible. Phone numbers should also not be used as a password reset option for high-value accounts. Adding a PIN to a mobile phone account remains a sensible anti-fraud measure, because the attacker must obtain additional information about the intended victim.
To mitigate the threat posed by this malware, CTU researchers recommend that organizations use the available controls to review and restrict access based on the indicators in Table 1. Note that IP addresses can be reallocated. The IP addresses may host malicious content, so consider the risks before opening them in a browser.
| Indicator | Type | Context |
|---|---|---|
| 220.127.116.11 | IP address | TrickBot C2 proxy server serving dynamic web injects |
| 18.104.22.168 | IP address | TrickBot C2 proxy server serving dynamic web injects |
| 22.214.171.124 | IP address | TrickBot C2 proxy server serving dynamic web injects |
| 126.96.36.199 | IP address | TrickBot C2 proxy server serving dynamic web injects |
| 188.8.131.52 | IP address | TrickBot C2 proxy server serving dynamic web injects |
| 184.108.40.206 | IP address | TrickBot C2 proxy server serving dynamic web injects |
Table 1. Indicators of this threat.
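One concrete way to act on Table 1 is to sweep outbound connection logs for the listed C2 proxy addresses and rank internal hosts by how often they reached one. The script below is an added example for this page, not tooling from Secureworks; it embeds the indicators from Table 1, validates them with the standard `ipaddress` module so a typo in a hand-maintained list fails loudly, and scans a constructed sample of firewall log lines in an assumed `timestamp src -> dst:port action` format. Adapt the regular expression to whatever your firewall or proxy actually emits.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Indicators copied from Table 1 of the report (TrickBot C2 proxy servers).
TABLE_1_INDICATORS = """
220.127.116.11
18.104.22.168
22.214.171.124
126.96.36.199
188.8.131.52
184.108.40.206
"""

# Constructed sample of outbound firewall log lines (not real traffic).
# Assumed format: "<timestamp> <src> -> <dst>:<port> <action>".
SAMPLE_LOG = """\
2019-08-20T10:15:02Z 10.0.4.23 -> 220.127.116.11:443 ALLOW
2019-08-20T10:15:09Z 10.0.4.23 -> 192.0.2.10:443 ALLOW
2019-08-20T10:16:44Z 10.0.7.8 -> 18.104.22.168:443 ALLOW
2019-08-20T10:17:01Z 10.0.7.8 -> 10.0.0.1:53 ALLOW
2019-08-20T10:18:30Z 10.0.4.23 -> 220.127.116.11:443 ALLOW
this line is malformed and is skipped by the parser
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    port: int
    action: str


def load_indicators(raw: str) -> Set[str]:
    """Parse one indicator per line; blanks and '#' comments are skipped.

    ipaddress.ip_address() raises ValueError for anything that is not a valid
    IP, so a malformed entry is caught when the list is loaded, not silently
    ignored at match time.
    """
    indicators: Set[str] = set()
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        indicators.add(str(ipaddress.ip_address(line)))
    return indicators


def scan_log(lines: Iterable[str], indicators: Set[str]) -> List[Hit]:
    """Return every parsed log line whose destination is a listed indicator."""
    hits: List[Hit] = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # unparseable line: skip rather than crash the sweep
        if match["dst"] in indicators:
            hits.append(Hit(match["ts"], match["src"], match["dst"],
                            int(match["port"]), match["action"]))
    return hits


def hosts_to_triage(hits: List[Hit]) -> List[Tuple[str, int]]:
    """Internal source hosts ordered by number of C2 contacts, busiest first."""
    return Counter(hit.src for hit in hits).most_common()


if __name__ == "__main__":
    iocs = load_indicators(TABLE_1_INDICATORS)
    found = scan_log(SAMPLE_LOG.splitlines(), iocs)
    for hit in found:
        print(f"{hit.timestamp} {hit.src} -> {hit.dst}:{hit.port} ({hit.action})")
    print("hosts to triage:", hosts_to_triage(found))
```

Because the report notes that these addresses can be reallocated, treat a match as a lead for triage of the source host (web inject artifacts, credential exposure) rather than as proof of infection on its own.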