TrickBot Upgrades for SIM Swapping Attacks

To say that TrickBot trojan has become more than a constant pain for those defending networks would be an understatement. Added to the constant stream of updates and upgrades the malware authors also rent out their creation to other cybercriminal organizations. This tactic has resulted in the malware authors developing partnerships with some of the more prominent cybercriminal organizations presenting a greater threat to security researchers. Now TrickBot includes features which enable hackers to carry out SIM Swapping attacks.

SIM Swapping is an increasingly popular attack vector. The scam involves the hacker exploiting mobile service providers been able to seamlessly port an old number to a new SIM card. The hacker begins by getting their hands on personal information of the victim. This may be done with a phishing email but other methods have been used previously. The hacker will then contact the victim’s service provider and pretend to be the victim to get the number ported to the SIM they have in their possession. In a lot of cases, the hacker can now bypass SMS multi-factor authentication methods and reset passwords for a victim's bank accounts, email accounts, or cryptocurrency exchange portals. In the US over the past two years, such scams have spiked in popularity with the potential for victims to lose hundreds of thousands of dollars.

Now the malware authors of TrickBot have decided to join the party. According to a recent article published by security firm Secureworks, those behind TrickBot have included methods of stealing the login credentials of some of the US’s popular mobile service providers. The malware authors have included means to steal credentials, including PIN codes, from Sprint, T-Mobile, and Verizon Wireless. How exactly the developers are able to do this involves the creation of creating fake login pages for those companies that look incredibly similar to the authentic login pages used. Information logged by the client of the page is then stored and sent to the attacker. What is worrying that any of TrickBot’s customers will receive this update and can also, in turn, begin SIM Swapping campaigns. Further, any computer infected already with TrickBot will receive the update as well as opening up more potential for a victim to lose out financially.

trickbot trojan upgrades for sim swapping attacks

According to the researchers working for Secureworks, the TrickBot trojan uses the tried and tested method of web injects to intercept legitimate traffic. The technique involves injecting malicious content such as the fake login pages. Further, it would seem that those behind TrickBot have been intercepting Verizon traffic since August 5. For those with the provider, the slight difference between the fake and authentic login page is hard to see. The key difference was the fake page included a section to capture the PIN code which is not included in the original page. Wanting the PIN code for the SIM is vital to a successful SIM swap attack.

For customers of Sprint and T-Mobile, the process to steal traffic was slightly different and traffic began been incepted on August 12 and August 19 respectively. Rather than the addition of PIN code section on the initial page, the PIN would be asked for on a separate page following a successful login. IF this has occurred to you then your computer or device has been infected with TrickBot. The good news is that if you have an anti-virus package it will be able to detect the malware and deal with it appropriately. If you don’t have such a package installed it is perhaps time to get one. Further, if you suspect that you may have been infected with TrickBot it is advised that you immediately change passwords and PIN codes for your mobile device as well as online banking portals.

This warning may seem like fear-mongering but those behind TrickBot as those who actively rent the malware have proven to be unscrupulous. Not only could log in credentials be stolen, SIMs swapped, and bank accounts accessed other malware strains could be installed on the victim’s computer. In the past TrickBot infections have been a precursor to a ransomware infection in an attempt to further extort funds from the victim. A quick search will reveal numerous horror stories regarding SIM swap attacks. In one case the victim lost 25,000 USD when the hacker purchased Bitcoin to that amount after successfully carrying out a SIM Swap.

SIM swap attacks can happen in one of three ways according to Caleb Tuttle, a detective with the Santa Clara County District Attorney's office, who stated in an interview,

“The first is when the attacker bribes or blackmails a mobile store employee into assisting in the crime. The second involves current and/or former mobile store employees who knowingly abuse their access to customer data and the mobile company's network. Finally, crooked store employees may trick unwitting associates at other stores into swapping a target's existing SIM card with a new one.”

That may have been the case when these attacks emerged but now hackers can employ malware to steal important information and credentials during campaigns. In the past, those using the methods listed by the detective could be traced, tracked, and eventually arrested. The situation with hackers conducting SIM swap attacks is that the benefit from the relative anonymity given by operating online and been able to operate across the globe, bringing those to justice, while not impossible, is far more difficult. Users are advised to make sure they have a reputable anti-virus package installed on their computers and various mobile devices.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal