August 29, 2017

Trickbot goes after cryptocurrency

Roland Dela Paz Security Researcher

Forcepoint Security Labs have encountered an ongoing Trickbot campaign that appears to target crypto-currencies. Trickbot is a banking Trojan that is traditionally known to target financial institutions. Recently, we have observed Trickbot targeting Paypal and expanding its list of target institutions to include those from Nordic countries.

Today’s campaign uses Canadian Imperial Bank of Commerce (CIBC) as a social engineering lure. Below is a screenshot of the email:

The attached document is disguised as a CIBC document. It contains a macro downloader that ultimately downloads and executes a Trickbot variant.

At the time of writing over 8600 related emails have been captured by our systems with the UK, Canada, and France as the top three targets, although the majority of recipients have the “.com” top-level domain (TLD).

The downloaded Trickbot variant has the group tag “kas2”. The decrypted configuration files contain a list of targets already seen in previous campaigns with one exception: the site coinbase.com have been added to the monitored sites for web injections. Specifically, it was appended to the “sinj” (static injection) configuration file:

Coinbase is a crypto-currency exchange site that operates exchanges of Litecoin, Bitcoin, Ethereum, and other digital assets. With Coinbase being targeted, non-traditional currencies are now also at risk of being stolen from would-be victims of the Trickbot banking trojan.

Protection statement

Forcepoint™ customers are protected against this threat via Forcepoint Cloud Security, which includes the Advanced Classification Engine (ACE) as part of e-mail, web and NGFW security products. ACE (also known as Triton ACE) provides signature-less analytics to identify malicious intent, including evasion techniques to mask the malware.

Protection is in place at the following stages of attack:

Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.
Stage 5 (Dropper File) - Trickbot variants are prevented from being downloaded.
Stage 6 (Call Home) - Attempts by Trickbot to contact its C&C server are blocked.


Roughly a year ago, we reported threat actors’ potential interest in targeting crypto-currencies in the form of code updates to the infamous Dridex banking Trojan. We are now seeing similar developments in Trickbot, with the perpetrators adding a digital currency exchange website to the list of their targets.

Forcepoint Security Labs will continue to monitor this threat.

Indicators of Compromise

Document Downloader


Download Site


About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.