TrickBot Modifications to Target U.S. Mobile Users (Aug 27, 2019)
In August 2019, researchers observed the “TrickBot” malware using dynamic web injection attacks against the legitimate websites of U.S.-based mobile carriers Sprint, T-Mobile, and Verizon Wireless. The malware leverages a new module that manipulates web sessions on already-infected systems. When a victim on an infected system navigates to one of these sites, the modified page requests the account PIN, which the legitimate site’s login procedure does not normally require. TrickBot’s record functionality allows the PIN, together with the victim’s username and password, to be transmitted to the TrickBot Command and Control (C2) server. Threat actors utilizing TrickBot can then use the PIN and associated account information to take over the victim’s account via a SIM swapping attack, giving the actor control of the telephone number, including text and voice communications.
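One defender-side check suggested by this technique is a login-form integrity comparison: render the carrier login page on a monitored client and diff its form fields against a known-good baseline, flagging any field (such as a PIN prompt) that the legitimate login flow never asks for. The following is an added example, not code from the bulletin or from any carrier; the HTML fragments, the form action `/login`, and the field name `accountPin` are constructed for illustration.

```python
# Added example: flag input fields injected into a login form by comparing a
# page as observed on a client against a known-good baseline of the same page.
# Assumes the defender holds a trusted copy of the legitimate page's HTML.
from html.parser import HTMLParser


class FormFieldParser(HTMLParser):
    """Collect the names of <input> elements inside each <form>, keyed by action."""

    def __init__(self):
        super().__init__()
        self.forms = {}       # form action -> list of input names
        self._current = None  # action of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("action") or ""
            self.forms.setdefault(self._current, [])
        elif tag == "input" and self._current is not None and a.get("name"):
            self.forms[self._current].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_fields(html):
    """Return {form_action: set(input names)} for every form in the page."""
    parser = FormFieldParser()
    parser.feed(html)
    return {action: set(names) for action, names in parser.forms.items()}


def injected_fields(baseline_html, observed_html):
    """Return {form_action: set(extra fields)} present on the observed page
    but absent from the baseline. A whole form missing from the baseline is
    reported with all of its fields."""
    base, seen = form_fields(baseline_html), form_fields(observed_html)
    return {action: names - base.get(action, set())
            for action, names in seen.items() if names - base.get(action, set())}


# Constructed sample pages: the legitimate form, and the same form as seen
# on an infected client with an extra PIN prompt injected into it.
BASELINE_LOGIN = """<form action="/login" method="post">
<input name="username" type="text"><input name="password" type="password">
<input name="csrf" type="hidden" value="token"><button type="submit">Sign in</button></form>"""
OBSERVED_LOGIN = BASELINE_LOGIN.replace(
    "<input name=\"csrf\"", "<input name=\"accountPin\" type=\"password\"><input name=\"csrf\"")

if __name__ == "__main__":
    for action, extra in injected_fields(BASELINE_LOGIN, OBSERVED_LOGIN).items():
        print(f"form {action!r}: unexpected field(s) {sorted(extra)}")
```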
Recommendation: Malware authors are always innovating new methods of infecting computers and leveraging victims' personal data for monetary gain. Always practice Defense in Depth (do not rely on a single security mechanism - security measures should be layered, redundant, and failsafe).
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.