Trickbot Attacking Mobile Carriers

October 13, 2019

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

The Trickbot trojan (also known as Trickster, TheTrick, and TrickLoader) is one of the most active and widespread malware strains today. It is now being used to target US-based mobile carriers including Sprint, Verizon, and T-Mobile.

This new version of the malware includes a module that manipulates the web sessions of infected systems. The malware authors use this access to dynamically inject code that adds extra requests for the user's credentials and PIN before the page is rendered to the user. This information is then intercepted and stored by the attackers.
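A defensive check for the injection described above, as an added example that is not from the original post: it compares the form fields in a page as the server sent it with the DOM captured from a browser, and reports fields that appeared in between. The sample pages, the field names and the `/login` action are constructed, and it assumes you can obtain both the served HTML and a rendered-DOM snapshot from the host under investigation.

```python
from html.parser import HTMLParser

NO_FORM = "<no form>"  # label for inputs that sit outside any <form>


class FormFieldCollector(HTMLParser):
    """Collect (form action, field name, field type) for every input element."""

    def __init__(self):
        super().__init__()
        self.fields = set()
        self._action = NO_FORM

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag in ("input", "select", "textarea"):
            name = (a.get("name") or a.get("id") or "").lower()
            default_type = "text" if tag == "input" else tag
            self.fields.add((self._action, name, (a.get("type") or default_type).lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = NO_FORM


def form_fields(html):
    collector = FormFieldCollector()
    collector.feed(html)
    collector.close()
    return collector.fields


def injected_fields(served_html, rendered_html):
    """Fields in the rendered DOM that the server never sent."""
    return sorted(form_fields(rendered_html) - form_fields(served_html))


# Constructed sample: login page as sent by the server...
SERVED = """<form action="/login" method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" value="Sign in"></form>"""

# ...and the same page as captured from the browser on a suspect host,
# with an extra PIN prompt added before rendering (constructed).
RENDERED = SERVED.replace(
    '<input type="submit"',
    '<label>Account PIN</label><input type="password" name="pin"><input type="submit"',
)

if __name__ == "__main__":
    for action, name, ftype in injected_fields(SERVED, RENDERED):
        print(f"unexpected field {name!r} ({ftype}) in form {action!r}")
```

Pages whose own scripts add fields at runtime need a known-good rendered baseline instead of the raw served HTML, otherwise those fields are reported too.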

One consequence is that the stolen data allows threat actors to carry out a subscriber identification module (SIM) swapping attack: porting a victim's phone number to a SIM card under their control. This could then be used later in a multi-stage attack to bypass a user's SMS-based two-factor authentication and gain access to a whole slew of additional information.

Although this may seem like an extreme departure from Trickbot's previous interests, namely attacking US financial institutions, it makes sense in light of reporting by CrowdStrike and FireEye in January of this year. They noted that Trickbot is being used as Access-as-a-Service by other underground cybercriminals. The relationships built through this service model could mean that the authors can now quickly sell or share the information they collect with the additional modules used in campaigns.