TrickBot Malware Now Aimed At Exchanges To Steal Bitcoin

Heavy is the wallet that carries the bitcoin, as the explosive growth in the price of crypto-currency in the last several months has made lifting the world’s best known form of crypto-currency extremely attractive for cybercriminals.

And, as of this week, IBM’s X-Force cybersecurity unit has discovered that hackers have, in fact, managed to repurpose the TrickBot malware for the express purpose of stealing bitcoin.

TrickBot, according to the experts, is one of the top five pieces of malware designed to steal funds — but up until now, it has been leveraged mostly for attacking banks and credit card companies. X-Force researchers determined that cyber thieves have created a new build for TrickBot so it can be used to target amateur and professional investors who are purchasing cryptocurrencies from exchanges.

According to IBM, the TrickBot variation currently causing problems has been designed to specifically go after the transactions of users trying to purchase bitcoins with credit cards.

“In the normal payment scenario, a user looking to buy coins provides his or her public bitcoin wallet address and specifies the amount of bitcoin to purchase. When submitting this initial form, the user is redirected from the bitcoin exchange platform to a payment gateway on another domain, which is operated by a payment service provider. There, the user fills in his or her personal information, as well as credit card and billing details, and confirms the purchase of coins,” IBM explains on their blog. “This is where TrickBot hijacks the coins. This particular attack targets both the bitcoin exchange website and that of the payment service to grab the coins and route them to an attacker-controlled wallet.”

The attack works, according to IBM, by intercepting a victim’s cryptocurrency exchange login credentials, wallet information and credit card data. TrickBot is a form of destructive code beloved by hackers because it offers a combination of redirection attacks and web injection attacks. Instead of attacking banks or blockchains directly, TrickBot hijacks individual web transactions.
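One mitigation a defender can build against the redirect hijack described above is to have the exchange sign the order fields (wallet address and amount) before redirecting, so the payment gateway can detect if an in-browser injection altered them in transit. This is an added example, not code from IBM or from any exchange; the shared secret, order fields and wallet strings are all constructed placeholders.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed secret shared out-of-band by the exchange and its payment gateway (assumption).
SHARED_SECRET = b"constructed-demo-secret-not-for-production"

# Fields that must survive the cross-domain redirect unchanged.
BOUND_FIELDS = ("order_id", "wallet", "amount")


def _signature(fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the bound fields."""
    payload = json.dumps({k: fields.get(k, "") for k in BOUND_FIELDS}, sort_keys=True).encode()
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()


def exchange_create_order(order_id: str, wallet: str, amount_btc: str) -> dict:
    """Exchange side: record the order server-side and attach a signature over the bound fields."""
    order = {"order_id": order_id, "wallet": wallet, "amount": amount_btc}
    order["sig"] = _signature(order)
    return order


def build_redirect_query(order: dict) -> str:
    """Query string the exchange appends when redirecting the browser to the gateway domain."""
    return urlencode(order)


def simulate_browser_tampering(query_string: str, attacker_wallet: str) -> str:
    """Test helper only: models a web inject rewriting the wallet field on its way to the gateway."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    params["wallet"] = attacker_wallet
    return urlencode(params)


def gateway_verify(query_string: str) -> bool:
    """Gateway side: recompute the signature over the received fields; reject any mismatch."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    received_sig = params.pop("sig", "")
    return hmac.compare_digest(received_sig, _signature(params))


if __name__ == "__main__":
    order = exchange_create_order("ord-0001", "CONSTRUCTED_USER_WALLET", "0.05000000")
    query = build_redirect_query(order)
    print("untampered accepted:", gateway_verify(query))
    print("tampered accepted:  ", gateway_verify(simulate_browser_tampering(query, "CONSTRUCTED_ATTACKER_WALLET")))
```

This only detects changes made between the exchange and the gateway; an injection that rewrites the address before the exchange ever records it is not covered, which is why confirming the server-side recorded address to the user through a second channel remains useful.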

The “good” news, according to IBM, is that these attacks are labor and data intensive — and require cybercrime gangs to do a bit of work understanding their targets to maximize the effectiveness of their attack.

The bad news — other than the obvious, according to IBM — is that more attacks are certainly on the way.

“As the theft of cryptocurrency becomes increasingly popular among financial malware operators, we expect to see many more campaigns targeting platforms and service providers in the cryptocurrency sector,” IBM notes in its blog post.