{
	"id": "39fed996-140b-4cac-b78a-8288df881050",
	"created_at": "2026-04-06T01:29:01.58858Z",
	"updated_at": "2026-04-10T13:12:27.021002Z",
	"deleted_at": null,
	"sha1_hash": "9a1f089fdc53b27a76759da54a45020d64f15476",
	"title": "TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92855,
	"plain_text": "TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands\r\nBy Tara Seals\r\nPublished: 2022-02-16 · Archived: 2026-04-06 00:43:40 UTC\r\nThe resurgent trojan has targeted the customers of 60 top companies to harvest credentials for a wide range of applications, with an eye to virulent follow-on attacks.\r\nCyberattackers are targeting the customers of 60 high-profile companies, many of them in the U.S., with the TrickBot malware, researchers have warned. According to Check Point Research (CPR), the victims are being cherry-picked for victimization rather than hit indiscriminately.\r\nAccording to a Wednesday CPR writeup, TrickBot is targeting well-known brands that include Amazon, American Express, JPMorgan Chase, Microsoft, Navy Federal Credit Union, PayPal, RBC, Yahoo and others.\r\n“Trickbot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause greater damage,” researchers noted in their report.\r\nOn the technical front, the variant used in the campaign has also added three notable modules, along with new de-obfuscation and anti-analysis approaches, researchers added.\r\nTrickBot’s Back with a New Bag\r\nThe TrickBot malware was originally a banking trojan, but it has evolved well beyond those humble beginnings to become a wide-ranging credential-stealer and initial-access threat, often responsible for fetching second-stage binaries such as ransomware.\r\nhttps://threatpost.com/trickbot-amazon-paypal-top-brands/178483/\r\nPage 1 of 4\r\nSince the well-publicized law-enforcement takedown of its infrastructure in October 2020, the threat has clawed its way back, now sporting more than 20 different modules that can be downloaded and executed on demand. It typically spreads via emails, though the latest campaign adds self-propagation via the EternalRomance exploit, which abuses an SMBv1 flaw that Microsoft patched in MS17-010 in March 2017; it can therefore only reach hosts that are still missing that patch and still have SMBv1 enabled.\r\n“Such modules allow the execution of all kinds of malicious activities and pose great danger to the customers of 60 high-profile financial (including cryptocurrency) and technology companies,” CPR researchers warned. “We see that the malware is very selective in how it chooses its targets.”\r\nIt has also been seen working in concert with a similar malware, Emotet, which suffered its own takedown in January 2021.\r\nIn its own telemetry alone, CPR has counted more than 140,000 successful TrickBot infections since the takedown, and researchers noted that it is back in first place on malware-prevalence lists.\r\nFresh Modules for Rotting Infections\r\nThe version of TrickBot that CPR found being used in the current campaign sports three freshened-up modules of note, researchers said:\r\ninjectDll\r\ntabDll\r\npwgrabc\r\nTrickBot’s ‘injectDll’: A Web-Injects Module\r\nWeb injects are well known from the banking-trojan world: code injected into the victim’s browser session presents an overlaid facsimile of the real banking log-in page, captures the credentials when the victim signs on, and can pave the way for drained bank accounts and fraudulent wire transfers down the road. Because the injection happens inside the browser after TLS has been terminated, the victim still sees the genuine URL and padlock.\r\nThis particular module has added a web-injects format from the infamous Zeus banking trojan, researchers said, which collects information from login actions on targeted sites and sends it to a command-and-control (C2) server.\r\n“The injectDll module performs browser data injection, including JavaScript which targets customers of 60 high-profile companies,” according to the writeup. “Add Trickbot’s cherry-picking of victims, and the menace becomes even more dangerous.”\r\nOn the anti-analysis front, the payload injected into the banking site’s page is minified (whitespace stripped and identifiers shortened, which shrinks the code and also makes it unreadable), obfuscated and laced with anti-deobfuscation techniques, researchers said. The final payload, which contains the actual code that grabs the victim’s keystrokes and web-form submit actions, is also minified and obfuscated and contains several layers of anti-deobfuscation techniques, they said.\r\n“Usually a researcher tries to analyze minified and obfuscated JavaScript code using tools like JavaScript Beautifiers, deobfuscators like de4js, and so on,” they explained. “After we applied these tools, we noticed that although the code became more readable, it also stopped working.”\r\nAnother anti-analysis technique they observed targets researchers who send automated requests to the C2 for fresh web-injects: “If there is no ‘Referer’ header in the request, the server will not answer with a valid web-inject,” according to CPR. A browser sets the Referer header automatically, whereas a scripted fetch has to add it deliberately, so the check cheaply filters out naive crawlers.\r\n“We not only see variants created based on more recently successful malware, but we even see threat actors use malware that is even twenty years old to generate new variants,” Saryu Nayyar, CEO and founder at Gurucul, said of the Zeus connection, via email. “As can be seen by TrickBot, even when a threat actor group is broken up, their legacy lives on, as other groups can inherit their tools, tactics and procedures with their own modifications and improvements to evade current detection techniques.”\r\nTrickBot’s ‘tabDLL’ Module\r\nThe second new development is a dynamic-link library (DLL) that is also used to grab user credentials. Its ultimate goal is to spread the malware via network shares, researchers noted.\r\ntabDLL uses a multi-step process, as CPR laid out. In sequence, the module does the following:\r\n1. Enable the storing of user credential information in LSASS (the Local Security Authority Subsystem Service, the Windows process that holds logon secrets in memory);\r\n2. Inject the “Locker” module into the legitimate explorer.exe process;\r\n3. From the infected explorer.exe, force the user to enter login credentials into the application, then lock the user’s session;\r\n4. Store the credentials in LSASS process memory;\r\n5. Grab the credentials from LSASS memory using Mimikatz, the open-source tool for extracting passwords, hashes and tickets from Windows process memory;\r\n6. Report the credentials to the C2;\r\n7. Use the EternalRomance exploit to spread to other targets inside the network via SMBv1 network shares.\r\nEach stage of that chain leaves a host-level trace a defender can look for: a registry change that re-enables credential caching, a remote thread created in explorer.exe by another process, a non-system process opening lsass.exe with memory-read access, and a burst of outbound SMB (TCP 445) connections from a single workstation to many internal hosts.\r\nTrickBot’s ‘pwgrabc’ Module\r\nThe pwgrabc module, as its name suggests, is a catch-all credential stealer for various applications.\r\nThe targeted applications are as follows: AnyConnect; Chrome; ChromeBeta; Edge; EdgeBeta; Filezilla; Firefox; Git; Internet Explorer; KeePass; OpenSSH; OpenVPN; Outlook; Precious; Putty; RDCMan; RDP; TeamViewer; VNC; and WinSCP. Several of these keep saved credentials on disk protected only by the logged-on user’s own DPAPI key, so a stealer running in that user’s context can decrypt them without any privilege escalation.\r\nOverall, the campaign demonstrates a mix of low-level and high-level skills, the researchers concluded.\r\n“Based on our technical analysis, we can see that TrickBot authors have the skills to approach the malware development from a very low level and pay attention to small details,” they said. “Meanwhile…we know that the operators behind the infrastructure are very experienced with malware development on a high level as well. TrickBot remains a dangerous threat.”\r\n
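The tabDLL chain above maps onto a small correlation rule. The following Python is an added example, not code from the Threatpost article or from Check Point’s report, and it runs over constructed Sysmon-style events embedded in the block (pipe-delimited lines; the field layout is invented for the illustration). Two assumptions are made explicit in the comments: the ‘enable credential storing in LSASS’ step is modelled as the WDigest UseLogonCredential registry value being set to 1, and the list of processes allowed to open lsass.exe is a placeholder to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry), one per line:
#   timestamp|host|sysmon_event_id|source_image|target|extra
# Event IDs used: 13 registry value set, 8 CreateRemoteThread,
# 10 ProcessAccess, 3 NetworkConnect. Path separators are normalised
# to '/' in these sample lines. WS01 shows the full tabDLL chain;
# WS02 shows benign activity that must not alert.
SAMPLE_LOG = '''
2022-02-16T09:00:01|WS01|13|C:/Windows/Temp/upd.exe|HKLM/SYSTEM/CurrentControlSet/Control/SecurityProviders/WDigest/UseLogonCredential|DWORD (0x00000001)
2022-02-16T09:00:05|WS01|8|C:/Windows/Temp/upd.exe|C:/Windows/explorer.exe|
2022-02-16T09:03:40|WS01|10|C:/Windows/explorer.exe|C:/Windows/System32/lsass.exe|0x1010
2022-02-16T09:04:02|WS01|3|C:/Windows/explorer.exe|10.0.0.21:445|
2022-02-16T09:04:03|WS01|3|C:/Windows/explorer.exe|10.0.0.22:445|
2022-02-16T09:04:05|WS01|3|C:/Windows/explorer.exe|10.0.0.23:445|
2022-02-16T09:10:00|WS02|10|C:/Windows/System32/svchost.exe|C:/Windows/System32/lsass.exe|0x1400
2022-02-16T09:11:00|WS02|3|C:/Windows/explorer.exe|10.0.0.5:445|
'''

# Assumption: images that legitimately open LSASS; tune for your estate.
LSASS_ALLOWLIST = {'svchost.exe', 'csrss.exe', 'wininit.exe', 'msmpeng.exe'}
PROCESS_VM_READ = 0x0010          # access right needed to read LSASS memory
WINDOW = timedelta(minutes=30)    # all stages must fall inside this span
MIN_SMB_TARGETS = 3               # distinct hosts on 445 to call it fan-out
STAGE_ORDER = ['wdigest_enabled', 'explorer_injection', 'lsass_read', 'smb_fanout']


def parse(log_text):
    # Turn the pipe-delimited lines into dicts with a real timestamp.
    events = []
    for line in log_text.strip().splitlines():
        ts, host, eid, image, target, extra = line.split('|')
        events.append({'ts': datetime.fromisoformat(ts), 'host': host,
                       'eid': int(eid), 'image': image, 'target': target,
                       'extra': extra})
    return events


def basename(path):
    return path.rsplit('/', 1)[-1].lower()


def classify(ev):
    # Map one event to a tabDLL stage, or None if it is not interesting.
    if ev['eid'] == 13 and basename(ev['target']) == 'uselogoncredential' and '0x00000001' in ev['extra']:
        return 'wdigest_enabled'          # assumption: this is step 1 of the chain
    if ev['eid'] == 8 and basename(ev['target']) == 'explorer.exe' and basename(ev['image']) != 'explorer.exe':
        return 'explorer_injection'       # step 2: remote thread into explorer.exe
    if ev['eid'] == 10 and basename(ev['target']) == 'lsass.exe':
        if basename(ev['image']) not in LSASS_ALLOWLIST and ev['extra'] and int(ev['extra'], 16) & PROCESS_VM_READ:
            return 'lsass_read'           # step 5: Mimikatz-style memory read
    if ev['eid'] == 3 and ev['target'].endswith(':445'):
        return 'smb_candidate'            # step 7: one SMB connection; fan-out is judged later
    return None


def detect(log_text):
    # Correlate per host: first time each stage was seen, plus distinct SMB peers.
    per_host = defaultdict(lambda: {'stages': {}, 'smb': {}})
    for ev in parse(log_text):
        stage = classify(ev)
        if stage is None:
            continue
        state = per_host[ev['host']]
        if stage == 'smb_candidate':
            state['smb'].setdefault(ev['target'], ev['ts'])
        else:
            state['stages'].setdefault(stage, ev['ts'])
    alerts = []
    for host, state in per_host.items():
        stages = dict(state['stages'])
        if len(state['smb']) >= MIN_SMB_TARGETS:
            stages['smb_fanout'] = min(state['smb'].values())
        # Require the LSASS read plus at least one other stage, in the
        # documented order and inside WINDOW; a lone lsass.exe open is too noisy.
        if 'lsass_read' not in stages or len(stages) < 2:
            continue
        seen = [s for s in STAGE_ORDER if s in stages]
        times = [stages[s] for s in seen]
        if times == sorted(times) and times[-1] - times[0] <= WINDOW:
            alerts.append({'host': host, 'stages': seen,
                           'smb_targets': sorted(state['smb'])})
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints one alert for WS01 listing all four stages and the three SMB peers; WS02 stays quiet because svchost.exe is allow-listed for LSASS access and a single connection to port 445 is not fan-out. In production the same logic would be fed from Sysmon or EDR telemetry rather than the embedded sample, and the allow-list and thresholds would need tuning against baseline noise.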
Source: https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/"
	],
	"report_names": [
		"178483"
	],
	"threat_actors": [],
	"ts_created_at": 1775438941,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a1f089fdc53b27a76759da54a45020d64f15476.pdf",
		"text": "https://archive.orkl.eu/9a1f089fdc53b27a76759da54a45020d64f15476.txt",
		"img": "https://archive.orkl.eu/9a1f089fdc53b27a76759da54a45020d64f15476.jpg"
	}
}