{
	"id": "a7ff3666-cd00-4432-9a91-b18ab5adfbb1",
	"created_at": "2026-04-10T03:21:06.964899Z",
	"updated_at": "2026-04-10T03:22:19.296187Z",
	"deleted_at": null,
	"sha1_hash": "63c7217f016c3ea2a7cb0eb8638d1bf54c85916c",
	"title": "TrickBot: New attacks see the botnet deploy new banking module, new ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94776,
	"plain_text": "TrickBot: New attacks see the botnet deploy new banking module,\r\nnew ransomware\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-18 · Archived: 2026-04-10 02:13:05 UTC\r\nOver the course of the past few weeks, new activity has been observed from TrickBot, one of today's largest\r\nmalware botnets, with reports that its operators have helped create a new ransomware strain called Diavol and that\r\nthe TrickBot gang is returning to its roots as a banking trojan with a new and updated banking module.\r\nIn a report from cybersecurity firm Fortinet, malware researchers Dor Neeamni and Asaf Rubinfeld detailed the\r\nTrickBot gang's newest work, the Diavol ransomware:\r\nPer Fortinet, Diavol was seen in the wild in only one incident, deployed alongside a version of the Conti\r\nransomware in what appeared to have been a test run.\r\nThe Diavol code also contained multiple similarities with the code for the Conti ransomware.\r\nFollowing this discovery, Fortinet said it believed Diavol was the work of the Wizard Spider gang, an\r\nindustry codename for the operators of the TrickBot botnet and the Conti ransomware.\r\nThe Diavol ransomware also reused some language from Egregor ransom notes, but no other connection\r\nhas been seen between the two.\r\nNo leak site has been discovered for Diavol yet.\r\nSurprisingly, Diavol did not come with code to prevent the ransomware from running inside former Soviet\r\nstates, something that is found in almost all major ransomware strains today.\r\nThe ransomware's name, Diavol, means \"devil\" in Romanian.\r\nBut while Diavol has been linked to the TrickBot creators, in a report published yesterday, security firm Kryptos\r\nLogic said it spotted changes to the TrickBot malware code itself.\r\nSince June 2021, TrickBot has been seen pushing a new module on infected computers. The new module\r\ncontains a revamped version of its old banking component that tries to intercept credentials for e-banking\r\nwebsites.\r\nCalled a \"webinject\" module, this component has been rewritten to include new methods to inject\r\nmalicious code inside banking websites.\r\nPer Kryptos Logic, this new code appears to have been copied from the old Zeus banking malware,\r\ndifferent from the two webinject techniques TrickBot had used in previous years.\r\nZeus-style injects work by proxying traffic through a local SOCKS server. If the web traffic matches a list\r\nof banking login URLs, the traffic is modified accordingly with malicious code to record credentials or\r\ncarry out other operations.\r\nPer Kryptos Logic, this new banking/webinject module shares substantial code with IcedID's webinject\r\nmodule.\r\nhttps://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/\r\nPage 1 of 3\r\nThe move to support Zeus-style web injects may be an attempt from the TrickBot gang to muscle into the\r\nterritory of other Malware-as-a-Service banking trojans and steal some of their customers in the\r\nunderground cybercrime market.\r\nThe resumption of development of the webinject module indicates that TrickBot intends to revive its\r\nbank fraud operation, which appears to have been shelved for over a year. The addition of Zeus-style\r\nwebinjects may suggest expansion of their Malware-as-a-Service platform, enabling users to bring their\r\nown webinjects.\r\nKryptos Logic Vantage Team.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.\r\nSource: https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/"
	],
	"report_names": [
		"trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775791266,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63c7217f016c3ea2a7cb0eb8638d1bf54c85916c.pdf",
		"text": "https://archive.orkl.eu/63c7217f016c3ea2a7cb0eb8638d1bf54c85916c.txt",
		"img": "https://archive.orkl.eu/63c7217f016c3ea2a7cb0eb8638d1bf54c85916c.jpg"
	}
}