{
	"id": "e7e6e529-1fdf-4120-aaea-2304c64a834f",
	"created_at": "2026-04-06T00:14:37.716617Z",
	"updated_at": "2026-04-10T03:36:11.24333Z",
	"deleted_at": null,
	"sha1_hash": "ebd7450a46a3040dcdbaeb65f458bd52360996f4",
	"title": "TrickBot adds new trick to its arsenal: tampering with trusted texts | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 281775,
	"plain_text": "TrickBot adds new trick to its arsenal: tampering with trusted\r\ntexts | Malwarebytes Labs\r\nBy Jovi Umawing\r\nPublished: 2019-09-02 · Archived: 2026-04-05 20:27:37 UTC\r\nResearchers from Dell Secureworks saw a new feature in TrickBot that allows it to tamper with the web sessions\r\nof users who have certain mobile carriers. According to a blog post that they published early last week, TrickBot\r\ncan do this by “intercepting network traffic before it is rendered by a victim’s browser.”\r\nIf you may recall, TrickBot, a well-known banking Trojan we detect as Trojan.TrickBot, was born from the same\r\nthreat actors behind Dyreza, the credential-stealing malware our own researcher Hasherazade dissected back in\r\n2015. Secureworks named the developers behind TrickBot as Gold Blackburn.\r\nTrickBot rose into prominence when it rivaled Emotet and became the number one threat for businesses in the last\r\nquarter of 2018.\r\nBefore it took yet another step up its evolutionary ladder, TrickBot already has an impressive repertoire of\r\nfeatures, such as a dynamic webinject it uses against financial institution websites; a worm module; a persistence\r\ntechnique using Windows’s Scheduled Task; the ability to steal data from Microsoft Outlook, cookies, and\r\nbrowsing history; the means to target point-of-sale (PoS) systems; and the capability to spread via spam messages\r\nand moving laterally within an affected network via the EternalBlue, Eternal Romance, or the EternalChampion\r\nexploit.\r\nNow, more recently, the same webinject feature is used against the top three US-based mobile carriers: Verizon\r\nWireless, T-Mobile, and Sprint. 
Support for attacks against users of these carriers was added to TrickBot on August 5, August 12, and August 19, according to Dell Secureworks.\r\nHow does the attack work?\r\nWhen users of infected systems visit the legitimate websites of Verizon Wireless, T-Mobile, or Sprint, TrickBot intercepts the response from the official servers and passes it on to the threat actors’ command-and-control (C\u0026C) server, kicking off its dynamic webinject feature. The C\u0026C server returns HTML and JavaScript (JS) that TrickBot injects into the page inside the affected user’s web browser, altering what the user sees, and doesn’t see, before the page is rendered. For example, certain text, warning indicators, and form fields may be removed or added, depending on what the threat actors are trying to achieve. Because the tampering happens on the infected endpoint, inside the browser’s own session with the legitimate site, the address bar still shows the carrier’s genuine domain and a valid certificate; nothing visible distinguishes the injected fields from the real ones.\r\nDell Secureworks researchers captured proof of the changes TrickBot makes to the original pages of the mobile carrier sites.\r\nhttps://blog.malwarebytes.com/trojans/2019/09/trickbot-adds-new-trick-to-its-arsenal-tampering-with-trusted-texts/\r\nPage 1 of 4\n\nAbove is a side-by-side comparison of Verizon Wireless’s sign-in page before (image on the right) and after (image on the left) TrickBot tampered with it. 
Aside from some text being removed, notice the newly added fields, specifically those asking for the account PIN.\r\nIn the case of Sprint, the change is more subtle and quite seamless: an additional PIN form is displayed only after users have successfully signed in with their username and password.\r\nThe sudden targeting of mobile account PINs suggests that threat actors using TrickBot are taking an interest in fraud tactics like port-out fraud and SIM swapping, according to the researchers. Carriers typically use that account PIN to verify port-out and SIM-change requests, which is why it is worth harvesting alongside the password.\r\nPort-out fraud happens when threat actors call their target’s mobile carrier and request that the target’s number be switched, or ported, over to a new network provider. SIM swapping, or SIM hijacking, works in a similar fashion, but instead of moving to a new provider, the threat actor requests a new SIM card for the number from the same carrier and puts it in their own device.\r\nEither way, all calls, MMS, and SMS messages meant for the victim are delivered to the threat actor instead. And if the target uses text-based two-factor authentication (2FA) on their online accounts, the threat actor can simply read the one-time codes those services send and gain access to the accounts. This results in account takeover (ATO) fraud.\r\nSuch a scam is typically carried out once threat actors already hold their target’s credentials and need to circumvent 2FA.\r\nHow to protect yourself from TrickBot?\r\nSo as not to reinvent the wheel, we implore you, dear Reader, to go back and check our post entitled TrickBot takes over as top business threat, in which we outlined remediation steps that businesses (and consumers alike) can follow. 
That post also has a section on preventative measures, ways to lessen the likelihood of TrickBot infection on endpoints, starting with regular employee education and awareness campaigns on the latest tactics and trends in the threat landscape.\r\nNote that Malwarebytes automatically detects and removes TrickBot without user intervention.\r\nI think I may have fallen victim to this. What now?\r\nThe best action to take is to call your mobile carrier to report the fraud, have your number blocked, and consider requesting a new number. You can also report the scammers or fraudsters to the FTC.\r\nGo ahead and change the passwords of all online accounts that you have tied to your phone number.\r\nYou might also want to consider stronger authentication methods, such as time-based one-time password (TOTP) 2FA (Authy and Google Authenticator come to mind), for accounts that hold extremely sensitive information about you, your loved ones and friends, and your business or employees. Unlike SMS codes, TOTP codes are generated on your device and never pass through the carrier, so a port-out or SIM swap does not expose them.\r\nEnable a PIN on mobile accounts, and treat it like a password: a carrier sign-in page that suddenly asks for the PIN somewhere it never did before is exactly what these injects look like.\r\nLastly, familiarize yourself with the ways you can limit the possibility of a port-out or SIM swap attack happening again. WIRED produced a brilliant story on how to protect yourself against a SIM swap attack, while Brian Krebs over at KrebsOnSecurity has a piece on how to fight port-out scams.\r\nAs always, stay safe, everyone!\r\nAbout the author\r\nKnows a bit about everything and a lot about several somethings. Writes about those somethings, usually in long-form.\r\nSource: https://blog.malwarebytes.com/trojans/2019/09/trickbot-adds-new-trick-to-its-arsenal-tampering-with-trusted-texts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.malwarebytes.com/trojans/2019/09/trickbot-adds-new-trick-to-its-arsenal-tampering-with-trusted-texts/"
	],
	"report_names": [
		"trickbot-adds-new-trick-to-its-arsenal-tampering-with-trusted-texts"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434477,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ebd7450a46a3040dcdbaeb65f458bd52360996f4.pdf",
		"text": "https://archive.orkl.eu/ebd7450a46a3040dcdbaeb65f458bd52360996f4.txt",
		"img": "https://archive.orkl.eu/ebd7450a46a3040dcdbaeb65f458bd52360996f4.jpg"
	}
}