Trickbot Trojan Gets ‘BokBot’ Proxy Module to Steal Banking Info
In 2017, IBM’s X-Force team discovered a banking trojan named ‘BokBot’, also known as IcedID. It either redirects victims to attacker-controlled copies of online banking sites or hooks the browser so that unauthorized content can be injected into the legitimate bank’s pages.
The authors of the TrickBot trojan have begun distributing a custom proxy module to infected machines. The new component is derived from BokBot’s web-injection code and works with several widely used web browsers.
The module ships with its own configuration file. It was first observed on an infected system on 5 July under the name “shadnewDll”.
How does the malware work?
The infection begins with a malicious Word document. When opened, it runs a PowerShell script that downloads the Ursnif trojan. The compromised host then receives a TrickBot build bundled with the IcedID proxy module, which is designed to intercept and modify web traffic.
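The delivery chain above (Office document, PowerShell stager, downloaded payload) leaves a recognisable parent/child pattern in process-creation telemetry. The following detector is an added example written for this page; it is not code from the article, from IBM, FireEye or any other vendor. The log lines are constructed to look like Sysmon process-creation events exported as JSON, and the field names (`pid`, `ppid`, `image`, `cmd`) are an assumption about the export format, not a real schema.

```python
"""Flag Office -> script host -> dropped payload chains in process-creation logs.

Added example for this page, not the article's or any vendor's code. The sample
events below are constructed; field names are assumed, not a real Sysmon schema.
"""
from __future__ import annotations

import json

# Constructed sample telemetry (not real data). One JSON object per process start.
SAMPLE_LOG = r"""
{"pid": 100,  "ppid": 1,    "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"}
{"pid": 2312, "ppid": 100,  "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmd": "WINWORD.EXE /n invoice.docm"}
{"pid": 2400, "ppid": 2312, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"pid": 2450, "ppid": 2400, "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\setup.exe", "cmd": "setup.exe"}
{"pid": 3000, "ppid": 100,  "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe Get-Date"}
{"pid": 3100, "ppid": 2312, "image": "C:\\Windows\\System32\\notepad.exe", "cmd": "notepad.exe"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments typical of a stager: hidden window, encoded command,
# execution-policy bypass or a download cradle.
STAGER_MARKERS = ("-enc", "-w hidden", "-windowstyle hidden", "bypass",
                  "downloadstring", "downloadfile", "invoke-webrequest", "iwr ")
# Directories a standard user can write to, where a downloaded payload usually lands.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def descendants(pid: int, children: dict[int, list[dict]]) -> list[dict]:
    """All transitive children of pid, using the parent->children index."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        ev = stack.pop()
        out.append(ev)
        stack.extend(children.get(ev["pid"], []))
    return out


def find_office_stagers(events: list[dict]) -> list[dict]:
    """Return one finding per script host spawned by an Office application.

    Severity rises when the script host's command line carries stager markers
    and when it (transitively) starts an executable from a user-writable path.
    """
    by_pid = {ev["pid"]: ev for ev in events}
    children: dict[int, list[dict]] = {}
    for ev in events:
        children.setdefault(ev["ppid"], []).append(ev)

    findings = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if parent is None or basename(parent["image"]) not in OFFICE_APPS:
            continue
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        cmd = ev["cmd"].lower()
        reasons = ["office_spawned_script_host"]
        if any(m in cmd for m in STAGER_MARKERS):
            reasons.append("stager_markers_in_cmdline")
        dropped = [d for d in descendants(ev["pid"], children)
                   if any(p in d["image"].lower() for p in USER_WRITABLE)]
        if dropped:
            reasons.append("payload_executed_from_user_writable_path")
        findings.append({
            "office_pid": parent["pid"],
            "script_host_pid": ev["pid"],
            "dropped_pids": [d["pid"] for d in dropped],
            "reasons": reasons,
            "severity": "high" if len(reasons) == 3 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_office_stagers(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Run against the constructed sample, the detector reports a single high-severity chain (WINWORD.EXE pid 2312 spawning a hidden, encoded PowerShell pid 2400, which in turn runs setup.exe from the user's Temp directory) and ignores both the notepad.exe child of Word and the interactive PowerShell started from Explorer. The Office-to-script-host parent relationship alone is only medium severity because legitimate macros do occasionally launch cmd.exe or PowerShell; the stager markers and the user-writable drop path are what separate this chain from routine noise.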
After analysing the component, security researcher Vitali Kremez reported that it hooks into the following web browsers: Microsoft Edge, Mozilla Firefox, Internet Explorer and Google Chrome.
On closer inspection, the module appears to have been adapted specifically for TrickBot, consistent with bank-fraud operations that rely on installing this malware and its variants.
Citing FireEye’s research: “The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provides the malware to a limited number of cyber criminal actors to use in operations.”