Trickbot goes after cryptocurrency

Forcepoint Security Labs has encountered an ongoing Trickbot campaign which appears to be targeting crypto-currencies. Trickbot is a banking Trojan known for targeting financial institutions. We recently observed Trickbot attacking PayPal. It also expanded its target list to include Nordic countries.

Today’s campaign uses Canadian Imperial Bank of Commerce as a social-engineering lure. Here is an example of the email:


The attached document disguises itself as a CIBC document. It includes a macro downloader which ultimately downloads and executes Trickbot variants.


Our systems have captured over 8600 related emails at the time of writing. France, Canada and the UK are the top three targets. However, the majority of recipients have a “.com” top-level domain (TLD).

The group tag “kas2” is used on the downloaded Trickbot variant. The decrypted configuration files contain a list of targets that were seen in previous campaigns. One exception is the site which has been added to the sites monitored for web injections. It was specifically added to the “sinj” (static injection) configuration files:


Coinbase is a cryptocurrency exchange site that offers exchanges for Bitcoin, Ethereum, Litecoin and other digital assets. Coinbase is now being targeted and non-traditional currencies could be stolen from potential victims of the Trickbot banking trojan.
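
One way an analyst can spot a newly added target like this is to diff the hosts named in the decrypted configuration of successive campaigns. The following is an added example, not Forcepoint's tooling: the simplified `<sinj>`/`<mm>`/`<sm>` layout is an assumption, and the sample configs and `.example` hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed samples. The <sinj>/<mm>/<sm> layout is a simplified assumption
# about the decrypted config, and every host is a placeholder under .example.
PREVIOUS_SINJ = """<slist>
<sinj><mm>https://online.bank-one.example/*</mm><sm>https://online.bank-one.example/login*</sm></sinj>
<sinj><mm>https://*.bank-two.example/secure/*</mm><sm>https://*.bank-two.example/secure/auth*</sm></sinj>
</slist>"""
CURRENT_SINJ = PREVIOUS_SINJ.replace(
    "</slist>",
    "<sinj><mm>https://WWW.Coin-Exchange.example/*</mm>"
    "<sm>https://www.coin-exchange.example/signin*</sm></sinj>\n</slist>",
)

MM_RE = re.compile(r"<mm>\s*(.*?)\s*</mm>", re.IGNORECASE | re.DOTALL)


def target_hosts(config_text):
    """Return the normalized hosts named in the <mm> URL masks of one config."""
    hosts = set()
    for mask in MM_RE.findall(config_text):
        if "://" not in mask:          # masks may omit the scheme
            mask = "https://" + mask
        # hostname is lowercased by urlsplit; drop wildcard characters and dots
        host = (urlsplit(mask).hostname or "").strip("*.")
        if host.startswith("www."):    # collapse www/non-www variants
            host = host[4:]
        if host:
            hosts.add(host)
    return hosts


def diff_targets(previous_config, current_config):
    """Compare two campaign configs and report hosts added or dropped."""
    old, new = target_hosts(previous_config), target_hosts(current_config)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    for change, hosts in diff_targets(PREVIOUS_SINJ, CURRENT_SINJ).items():
        print(change, hosts)
```

Hosts reported under "added" are candidates for customer notification and for closer monitoring of the matching web traffic.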

Statement of protection

Forcepoint™ customers are protected from this threat through Forcepoint Cloud Security, which includes the Advanced Classification Engine (ACE) as part of email, web, and NGFW security products. Triton ACE is also known as ACE. It provides signature-less analytics that can identify malicious intent and the evasion techniques that can mask it.

Protection is in place at the following stages of the attack:

Stage 2 – Malicious emails associated with this attack are identified and blocked.
Stage 5 (Dropper file) – Trickbot variants are prevented from being downloaded.
Stage 6 (Call Home) – Trickbot’s attempts to reach its C&C server are blocked.


reported threat agents’ possible interest in targeting crypto-currencies via code updates to the Dridex banking Trojan. This was roughly one year ago. Similar developments are occurring in Trickbot. The perpetrators have added a website that allows digital currency exchange to their target list.

Forcepoint Security Labs will continue monitoring this threat.

Indicators of Compromise

Document Downloader


http://breakthroughgaming[.]com/gym/reresergord.png

