New malware freezes user's device in account takeover scheme

The one thing more valuable to consumers than their bank accounts might be their internet access — and a new version of the "Trickbot" trojan targets both.

The malware's developers appear to be experimenting with the option to lock a user’s computer screen, possibly as an alternative way to extort money. As banks, retailers and smartphone makers increasingly push consumers to adopt digital wallets, the threat of being cut off from their devices could be devastating to the nascent market.

klikk - stock.adobe.com

First seen in 2016, Trickbot is one of the most prevalent banking trojans: a piece of malware that targets online many banking systems, with the U.K. being one of its first targets. It is widely spread through malicious email campaigns: If you make the mistake of opening a malicious email attachment and then enabling macros, there is a good chance you will be infected with Trickbot.

For cybercriminals, targeting online banking systems is a rather obvious way to make money and banking trojans, as they are often called, have plagued the internet for well over a decade.

They have become skilled at stealing money without the user realizing it. Some, for instance, not only siphon off funds to a third-party account (often the accounts of money mules) but also remove these transactions from the user’s view when they access their online banking site and even mask the total available amount on the fly.

Many banking trojans also have a mobile component that a victim is tricked into installing, to intercept the SMS messages used to authenticate a user or confirm a transaction.

However, online banking systems have also significantly improved and the cybercriminals are constantly adapting their tools to bypass new security measures and continue to steal money from the targeted banks.

In recent years, Trickbot has been at the forefront of these developments and the malware regularly adds modules. Last autumn, it added the ability to use ‘ETERNALBLUE’ (the exploit, originally written by the NSA, which WannaCry used) to spread a local network, thus increasing it chance of ‘hitting’ a machine from which online banking was performed.

Last month, researchers at the security firm Webroot have found an early version of a different kind of module, that has the ability to lock a user out of the computer.

Screenlockers have been used by malware for quite some time. Unlike ransomware, which encrypts important files, screenlockers almost always can be bypassed, but for an average user it is often far from trivial to do so.

Moreover, many screenlockers claim to be operated by law enforcement and the extortion request is presented as a fine for some kind of illegal activity. Many users have fallen for this trick, sometimes because they were too embarrassed about this apparent illegal activity to ask for help.

Technically, screenlockers are far less complicated than banking trojans and it may seem counterintuitive for such an advanced piece of malware to add such a basic component.

However, a banking trojan can only be successful if the infected device is actually used to perform online banking and then only if the bank is one whose systems have been added to the trojan: Most trojans target banks in specific regions, or simply avoid those whose systems are deemed too hard to attack.