New TrickBot banking trojan variant is targeting cryptocurrency exchanges
Prolific banking trojan TrickBot has taken on a new challenge, with a new variant detected now targeting cryptocurrency exchanges.
The new version, detected by IBM Corp.’s X-Force security research team, follows the path of previous variants in using web injections (malicious code the trojan inserts into web pages inside the victim’s browser) to steal the target asset. But where the target asset was previously only credit card transactions, the new variant also targets bitcoin at the point it’s purchased.
“In the normal payment scenario, the user looking to buy coins provides their public Bitcoin wallet address and the amount of bitcoin to purchase,” the researchers explained in a blog post today. “When submitting this initial web-form, the user is redirected from the bitcoin exchange platform to a payment gateway on another domain, which is operated by a payment service provider. There, the user fills in their personal information as well as credit card and billing details and confirms the purchase of coins.”
It’s at this point that TrickBot hijacks the coins, and notably it attacks both the exchange site and the payment service provider’s gateway to do so.
If that’s not bad enough, the new TrickBot variant targets both sides of the transaction: It obtains the victim’s cryptocurrency exchange login credentials, wallet information and credit card information, allowing the attackers to continue to target the victim on multiple fronts.
“This means that even after the initial attack, cybercriminals can empty existing cryptocurrency wallets, make additional exchange purchases as the victim, and use the credit card information for whatever else they desire,” a spokesperson for IBM X-Force told SiliconANGLE.
Interestingly, the attack appears to be focused on one particular exchange, unnamed by the researchers but said to allow for the purchase of bitcoin and Bitcoin Cash by credit card. Coinbase Inc. was previously targeted by the same gang using an earlier credit card-stealing TrickBot variant in August.
In conclusion, the researchers noted that the new TrickBot variant demonstrates the sophistication of the gang behind it. “The scheme required extensive research of the targeted sites, their web logic and the security controls they use,” they said. “It highlights what we already know about this malware gang: it is a group that continues to study new targets and expand its reach.”
The bad news is that they also believe that there’s more to come: “As the theft of cryptocurrency becomes increasingly popular among financial malware operators, we expect to see many more campaigns targeting the various platforms and service providers in the cryptocurrency sector.”
Image: IBM X-Force