TrickBot Variant Steals Bitcoin by Hijacking Cryptocurrency Transactions

Another day, another malware – This time TrickBot’s variant is stealing Bitcoin by hacking cryptocurrency transactions.

TrickBot malware, which emerged in late 2016, has taken the cyber world by storm. TrickBot is a type of destructive code offering a combo of redirection and web injection attacks. It does not directly attack banks or blockchains but hijacks individual transactions successfully through interfering in an on-going transaction.

Until now it was thought that TrickBot can only be used to steal funds from financial entities but according to latest findings from IBM’s researchers, the new variant of this malware can steal Bitcoin as well. According to X-Force cybersecurity firm by IBM, hackers have repurposed this malware for stealing Bitcoin.

According to the blog post, the threat actors operating TrickBot have managed to expand the attack scope of this Trojan to countries across the globe and they particularly targeted financial institutions like banks and credit card service providers. Private banking firms and businesses were also potential targets in this regard. The sole purpose of using the Trojan at mass level was to make a higher amount of profit through carrying out fraudulent transactions. However, as per latest research, TrickBot is being used for stealing cryptocurrency.

Security experts are of the opinion that TrickBot is among the top-five malware that are specially designed for stealing funds and this new version of TrickBot is used for targeting new and experienced investors alike who are buying cryptocurrencies from exchanges. The attack is successful primarily because the malware intercepts cryptocurrency login credentials, wallet information, and credit card data of the victim.

There are various cryptocurrency platforms offering a variety of services like trading coins for another type of cryptocurrency, transferring coins between wallets or purchasing Bitcoin using a credit card. TrickBot is targeting a service that allows users to buy bitcoin and Bitcoin cash through credit cards and the attacks are facilitated through the malware’s web injections that intercept the flow of a legit credit card transaction.

TrickBot Variant Steals Bitcoin by Hijacking Cryptocurrency Transactions
Original and Fake page (source: X-Force Research)

The variant tracks the transactions of users who want to purchase Bitcoin using their credit cards since in normal situation a user is required to provide his or her public bitcoin wallet address to the exchange and also the amount of cryptocurrency that is to be purchased. This information is entered on a form after which the user gets redirected to a payment gateway from the Bitcoin exchange platform. This gateway is located on another domain operated by a payment service provider.

Once there, the user then fills in the required personal data including billing details and credit card related information and lastly, the user confirms the Bitcoin purchase. This is the exact point when TrickBot comes into action and “hijacks the coins,” as stated by IBM in its blog.

“This particular attack targets both the Bitcoin exchange website and that of the payment service to grab the coins and route them to an attacker-controlled wallet,” wrote IBM’s X-Force researchers in their blog post.

Moreover, the Trojan targets the transactions from all angles; such as it gets the login credentials of the user’s cryptocurrency exchange account as well as credit card information and wallet data due to which attackers are able to target the victim from different fronts.

“This means that even after the initial attack, cybercriminals can empty existing cryptocurrency wallets, make additional exchange purchases as the victim, and use the credit card information for whatever else they desire,” stated a spokesperson from IBM’s X-Force.

Researchers did not reveal the name of the one exchange that is particularly being targeted in this campaign but we do know that previously Coinbase Inc. was effectively targeted by a cyber-gang using an earlier variant of TrickBot variant in August, which was also capable of credit card-stealing.

Researchers have concluded that through the emergence of the new TrickBot variant, we can realize the extent of sophistication attackers have achieved in targeting websites and exchanges as their web logic and security controls have improved tremendously.

“It highlights what we already know about this malware gang: it is a group that continues to study new targets and expands its reach,” noted researchers.

The bad news is that they also believe that there’s more to come: “As the theft of cryptocurrency becomes increasingly popular among financial malware operators, we expect to see a many more campaigns targeting the various platforms and service providers in the cryptocurrency sector.”

The “good” news, according to IBM, is these attacks are labor and data intensive — and required cybercrime gangs to do a bit of work understanding their targets to maximize the effectiveness of their attack.

The bad news — other than the obvious, according to IBM — is that more attacks are certainly on the way.

“As the theft of cryptocurrency becomes increasingly popular among financial malware operators, we expect to see many more campaigns targeting platforms and service providers in the cryptocurrency sector,” IBM notes in its blog post.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.