TrickBot’s Bigger Bag of Tricks (Nov 21, 2018)

The popular banking trojan TrickBot has added new features that steal users' credentials, specifically targeting Point-of-Sale (PoS) services, according to researchers at Trend Micro. The new module, "psfin32," is designed to identify PoS-related terms in domain and account names. Once TrickBot has found the information it is looking for, it extracts it, stores it in a pre-configured "Log" file, and then sends that file to the Command and Control (C2) server via an HTTP POST request. It is highly likely that the threat actors leveraging this malware intend to use it during the holiday season to increase the range of machines it can infect and obtain banking and payment information from.

Recommendation: Customer-facing companies that store credit card data must actively defend against Point-of-Sale (PoS) threats and stay on top of industry compliance requirements and regulations. All PoS networks should be aggressively monitored for these types of threats. In the case of infection, the affected networks should be repopulated. Furthermore, customers should be notified as soon as possible, and potentially offered fraud protection, to avoid negative media coverage and reputational damage.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.