Trickbot, a well-known banking trojan, has new functionality that brings its attack on Bitcoin exchange accounts up to par with its well-honed browser attacks on online banking sessions.
Trickbot’s move to Bitcoin was first noticed in mid-2017 when researchers at Forcepoint discovered a wave of bank-themed spam that downloaded a variant of Trickbot with a web-injection module for intercepting an online banking transaction from within the browser.
But besides the usual list of banking targets, for the first time Trickbot had a web-inject for visitors to Coinbase, a popular exchange for buying and selling Bitcoin and other cryptocurrencies.
IBM’s X-Force researchers have now revealed some of the inner workings of this online hustle aimed at users of an unnamed cryptocurrency exchange. The only clue IBM offers is that this exchange specifically supports purchasing Bitcoin and Bitcoin cash with a credit card, whereas some changes only provide coin to coin transactions.
The web inject modules, known as man-in-the-browser attacks, seek to position the attacker between the browser and the cryptocurrency exchange by replacing elements of the legitimate website with the attacker’s files. Trickbot executes its attack on the exchange itself and when the user moves to a payment service provider’s domain.
“In the normal payment scenario, a user looking to buy coins provides his or her public bitcoin wallet address and specifies the amount of bitcoin to purchase. When submitting this initial form, the user is redirected from the bitcoin exchange platform to a payment gateway on another domain, which is operated by a payment service provider,” explain IBM’s X-Force researchers.
“There, the user fills in his or her personal information, as well as credit card and billing details, and confirms the purchase of coins. This is where TrickBot hijacks the coins. This particular attack targets both the bitcoin exchange website and that of the payment service to grab the coins and route them to an attacker-controlled wallet.”
So, the victim who types their Bitcoin wallet address and the coins they wish to purchase on the legitimate exchange is actually supplying those details to the attacker who can then decide whether the transaction is worth targeting for fraud. It also collects the victim’s data from the payment processor’s page.
The second part of the attack targets the address of the bitcoin wallet where the purchased Bitcoin is intended to be delivered. The victim thinks they’ve paid their counterpart in the trade, but the units goes to the attack’s wallet. After that the malware leads to the victim to supply a phone number, email address, a selfie with the credit card they want to use, and a photo of the victim’s national ID card.
Prior to Trickbot's operators casting a net over cryptocurrencies, the group had over the past three years been building up tailored deceptions for different markets, starting with Australia, the US, and UK, and later expanding to other parts of Europe, including the Nordics.