Security researchers at Forcepoint have detected the banking trojan Trickbot targeting crypto-currencies. The attack begins with an email purporting to come from the Canadian Imperial Bank of Commerce (CIBC). The email tells the user that they have a personal/confidential message, which is delivered as a Microsoft Word attachment.
Interestingly, the user is told they must be connected to the Internet in order to view the secure email.
The email contains several links that appear to point back to CIBC.com, which is the bank's legitimate domain. However, the address from which the email is sent uses the .ml top-level domain, which belongs to Mali. While it is not necessarily reasonable to expect every user to know this, the fact that the sender's domain is not the one owned by the bank should be a warning sign.
This mismatch is also something that should be picked up by any security software protecting the email system. At the very least it should result in the email being tagged as spam, and the attachment should be quarantined as suspicious.
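As an added defensive illustration (not code from Forcepoint or from the article), the following Python snippet shows the kind of check described above: it compares the sender's domain with the domains that the links in the body point to, using a constructed sample email in which the links go to cibc.com while the sender is on a .ml domain. The sender address is a made-up placeholder, and the registrable-domain helper is a crude last-two-labels approximation rather than a public-suffix lookup.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample, modelled on the lure described in the article:
# the links point at cibc.com, but the sender address is on a .ml domain.
SAMPLE_EMAIL = """\
From: "CIBC Secure Message" <secure-message@example-bank-notice.ml>
To: victim@example.com
Subject: You have a confidential message
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have a personal/confidential message. You must be online to view it.</p>
<a href="https://www.cibc.com/en/personal-banking.html">Sign on</a>
<a href="https://www.cibc.com/en/contact-us.html">Contact us</a>
</body></html>
"""

# Captures the host part of every http(s) href in the HTML body.
HREF_RE = re.compile(r'href=["\']https?://([^/"\'>\s]+)', re.IGNORECASE)


def registrable_domain(host):
    """Crude approximation: keep the last two labels (www.cibc.com -> cibc.com).
    A production filter would consult the public-suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_link_mismatch(raw):
    """Return the sender domain, the link domains, and whether they disagree."""
    msg = message_from_string(raw, policy=default)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    link_domains = {registrable_domain(h) for h in HREF_RE.findall(html)}
    mismatched = sorted(d for d in link_domains if d != sender_domain)
    return {
        "sender_domain": sender_domain,
        "link_domains": sorted(link_domains),
        "mismatch": bool(mismatched),
    }


if __name__ == "__main__":
    print(sender_link_mismatch(SAMPLE_EMAIL))
```

A sender/link domain mismatch on its own is only a signal; mail from legitimate bulk-mail providers can trigger it too, so it belongs in a scoring system alongside SPF/DKIM/DMARC results rather than as a hard block.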
Forcepoint has detected over 8,600 emails targeted primarily at the UK, Canada and France. The researchers say, however, that the majority of the recipients work at .com domains. That means that the attackers are after users in organisations that are not using local TLDs such as .co.uk, .fr and .ca.
How is Trickbot installed?
The document attached to the email contains a macro downloader. This is why the user is told to only open it when online. The downloader connects to the command and control (C&C) server and fetches the Trickbot malware.
Once installed, Trickbot downloads a set of modules that it uses to carry out attacks. If this version of the malware is built on the code detected in July by Malwarebytes, it also contains a worm component. That code allows the trojan to seek out other systems.
In the version detected by Forcepoint the configuration files are identical to those of all previous versions, with one exception: the addition of Coinbase as a target. Coinbase is a cryptocurrency exchange that allows users to trade bitcoin, ethereum and litecoin. It appears that the attackers are looking to access users' crypto wallets and steal their currencies.
What does this mean?
This is just one of several attacks against cryptocurrencies that have been seen in recent weeks. The continued high value of cryptocurrencies makes it profitable for cybercriminals to target them. They will also be hoping that the pseudo-anonymity of the currencies will allow them to steal and spend quickly.
However, if users track their currency identifiers carefully, they should be able to trace where the cryptocurrencies are being moved. This is a technique that has been used to track bitcoins paid as a result of recent ransomware attacks.
Many of the recipients of the email will not have had dealings with CIBC. As a result, there is no reason for them to open the email. This is a very simple step that can often defeat a lot of attacks.