TrickBot Modifications Target U.S. Mobile Users

The long-running botnet added functionality to solicit PIN codes from mobile customers, which could allow threat actors to access victims’ voice and text communications.

Secureworks® Counter Threat Unit™ (CTU) researchers continually monitor the TrickBot botnet operated by the GOLD BLACKBURN threat group. A key feature of TrickBot is its ability to manipulate web sessions by intercepting network traffic before it is rendered by a victim's browser. TrickBot has targeted hundreds of organizations, mostly financial institutions, since it began widespread operation in October 2016. In August 2019, the dynamic webinjects used by TrickBot were augmented to include the following U.S.-based mobile carriers:

  • August 5: Verizon Wireless
  • August 12: T-Mobile
  • August 19: Sprint

When a victim navigates to the website of one of these organizations, TrickBot intercepts the legitimate server response and proxies it through a command and control (C2) server. This C2 server injects additional HTML and JavaScript into the page, which is then rendered in the victim's web browser. For all three carriers, the injected code adds a form field that requests the user's PIN code, as shown in Figures 1 and 2.

Figure 1. TrickBot modified form (left) and original form (right) for Verizon Wireless. (Source: Secureworks)

Figure 2. Additional PIN form added to Sprint sign-in page after username and password entry. (Source: Secureworks)

The injected code shown in Figure 3 activates TrickBot’s record (rcrd) functionality. This functionality creates an additional HTTP request containing the victim’s username, password, and PIN that is transmitted to the TrickBot C2 server. These “recordings” are presented to TrickBot operators as they browse through infected hosts in their web panel.

Figure 3. Injected JavaScript in T-Mobile sign-in page. (Source: Secureworks)

The targeting of mobile PIN codes by GOLD BLACKBURN, or by affiliated threat actors using TrickBot, suggests an interest in perpetrating port-out or SIM swap fraud. This fraud allows an attacker to assume control of a victim’s telephone number, including all inbound and outbound text and voice communications. The interception of short message service (SMS)-based authentication tokens or password resets is frequently used during account takeover (ATO) fraud.

CTU™ researchers recommend that organizations use time-based one-time password (TOTP) multi-factor authentication (MFA) rather than SMS MFA when feasible. Similarly, telephone numbers should not be used as password reset options on important accounts. Enabling a PIN on mobile accounts remains a prudent anti-fraud measure that requires an attacker to possess an additional piece of information about their intended victim.

To mitigate exposure to this malware, CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 1. Note that IP addresses can be reallocated. The IP addresses may contain malicious content, so consider the risks before opening them in a browser.

Indicator         Type        Context
194.87.95.132     IP address  TrickBot dynamic webinjects proxy C2 server
194.36.189.170    IP address  TrickBot dynamic webinjects proxy C2 server
185.202.174.77    IP address  TrickBot dynamic webinjects proxy C2 server
195.123.240.170   IP address  TrickBot dynamic webinjects proxy C2 server
192.3.146.249     IP address  TrickBot dynamic webinjects proxy C2 server
107.174.14.178    IP address  TrickBot dynamic webinjects proxy C2 server
172.106.86.4      IP address  TrickBot dynamic webinjects proxy C2 server

Table 1. Indicators for this threat.
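One concrete way to "review access using the indicators" is to sweep outbound connection logs for destinations in Table 1. The Python below is an added example, not Secureworks tooling: the indicator set is copied from Table 1, the log lines are constructed samples in an assumed format ("timestamp source destination:port action"), and the parser and report functions are my own. Because the post notes that IP addresses can be reallocated, a hit is a triage lead for the infected host rather than proof on its own.

```python
import ipaddress
import re
from collections import Counter

# The seven TrickBot dynamic-webinject proxy C2 addresses from Table 1.
# Addresses can be reallocated over time, so treat matches as leads to verify.
TRICKBOT_WEBINJECT_C2 = {
    "194.87.95.132", "194.36.189.170", "185.202.174.77", "195.123.240.170",
    "192.3.146.249", "107.174.14.178", "172.106.86.4",
}

# Constructed sample log lines (assumed format; not real traffic).
SAMPLE_LOGS = """\
2019-08-20T10:15:02Z 10.1.4.22 93.184.216.34:443 ALLOW
2019-08-20T10:15:09Z 10.1.4.22 194.87.95.132:443 ALLOW
not a log line at all
2019-08-20T10:16:31Z 10.1.7.5 185.202.174.77:443 ALLOW
2019-08-20T10:17:00Z 10.1.4.22 172.106.86.4:443 ALLOW
2019-08-20T10:18:45Z 10.1.9.9 151.101.1.69:443 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<action>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        # Reject lines whose destination field is not a literal IP address.
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["port"] = int(rec["port"])
    return rec


def find_c2_hits(log_text: str, indicators=TRICKBOT_WEBINJECT_C2):
    """Every parsed record whose destination is one of the indicator addresses."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] in indicators:
            hits.append(rec)
    return hits


def hosts_to_triage(hits) -> Counter:
    """Internal hosts that contacted a C2 address, with hit counts, most active first."""
    return Counter(h["src"] for h in hits)


def main() -> None:
    hits = find_c2_hits(SAMPLE_LOGS)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['port']} ({h['action']})")
    for host, n in hosts_to_triage(hits).most_common():
        print(f"triage {host}: {n} connection(s) to TrickBot webinject C2")


if __name__ == "__main__":
    main()
```

The same indicator set can feed an egress block list on the proxy or firewall; the hit list above tells you which internal hosts to examine for the TrickBot implant itself, since blocking the C2 does not clean the endpoint.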
