It seems that the creators of the notorious Trickbot Trojan, continue to evolve their malicious software by adding a new custom item derived from the BokBot code used in Web Injections attacks and affecting popular browsers.
BokBot, also known as IcedID, was first discovered by IBM's X-Force team at the end of 2017 and is also a banking trojan. It has the ability to redirect its victims to bogus online banking sites, but also to cling to a browser and to promote fake content on the front pages of banks.
Security researcher Brad Duncan recently saw Trickbot containing the new web injection element being downloaded by Ursnif (aka Gozi ISFB) malware.
The attack starts with an infected Office Word file that runs one PowerShell script to download trojan Ursnif. The infected device also receives the Trickbot variant containing the BokBot / IcedID component, which can track and modify the data flow on the web.
A system infected with the new version of Trickbot was discovered in July 5 and contains a configuration file.
Analyzing it most, their similarity was discovered with the BokBot man-in-the-browser tool, used to promote false data in the victim's results.
In a thread at Twitter, Kremez notes that the interesting part is that this item seems to have been tailored specifically to TrickBot or other fraudulent banking based on the installer of this family malware.
The malicious add-on acts as a local proxy server, located between the customer and the online banking service. From this point, he can enter a fake profile of the bank that the user searched for and collect financial information.