The most recent version of the TrickBot banking trojan now includes a screenlocker component, suggesting the malware’s operators might soon start holding victims for ransom if infected targets don’t appear to be e-banking users. The good news is that the screenlocker mechanism is not fully functional just yet, and appears to still be under development. Nonetheless, security researchers have spotted the new module dropped on victims’ computers, suggesting development is advanced enough to have reached field trials. Andy Norton, Director of Threat Intelligence at Lastline, commented below.
Andy Norton, Director of Threat Intelligence at Lastline:
“If you’re going to the trouble of infecting a remote machine, you might as well try to monetise the infection in as many ways as possible.
We’ve seen this with Smoke Loader, and now TrickBot. In the same way that missiles have multiple warheads, TrickBot is adding payloads.
Probably its next warhead after it completes ransomware will be a cryptojacking payload.”