Trickbot trojan shows that it continues to evolve as its operators have started to deploy a custom proxy module to victims. This new component is derived from BokBot's code for web injection attacks and works with popular web browsers.
BokBot is a banking trojan also known as IcedID that emerged towards the end of 2017. Discovered by IBM's X-Force team, the malware can redirect victims to fake online banking sites or attach to a browser process to inject fake content on the original bank pages.
Security researcher Brad Duncan recently saw Trickbot with its new web inject component being downloaded by the Ursnif (a.k.a. Gozi ISFB) malware.
The infection chain starts with a malicious Office Word document, which deploys a PowerShell script to download the Ursnif trojan. The host compromised in this way also receives the Trickbot variant with the BokBot/IcedID proxy module that can intercept and modify web traffic.
