The TrickBot banking trojan has added support for stealing funds stored in Coinbase.com accounts, according to a recent version spotted in a distribution campaign last week.

The TrickBot banking trojan is a new malware strain that appeared in the autumn of 2016 and most experts believe it was developed by some of the developers who worked on the now defunct Dyre banking trojan, some of whose operators were arrested in late 2015 in Russia.

TrickBot's short history

The involvement of malware coders with serious expertise was obvious from the beginning, as TrickBot was a well put together malware strain that featured many advanced features right from the get-go.

As time went by, TrickBot's ability to target online banks expanded from one country — Australia — to more and more with each month.

Currently, TrickBot can infect users and overlay fake web pages to hijack banking portals for banks in over ten countries.

Back in June, TrickBot received its biggest update when it also gained the ability to target PayPal accounts and the login pages of several well-known CRMs — web applications used in enterprise environments.

One month later, in July, the ever-busy TrickBot crew added a self-spreading worm component that would allow the banking trojan to spread to nearby computers using SMB connections.

TrickBot adds support for targeting cryptocurrency users

August's update was as juicy as the last two months. According to TrickBot samples discovered by Forcepoint security researchers, TrickBot includes a section in its configuration files that instructs it to overlay a fake login page whenever the user visits Coinbase.com in his browser.

Coinbase is one of today's biggest web-based cryptocurrency wallet services. With Bitcoin's price going over $5,000 for a few short minutes on Friday and hovering around $4,500 since then, the incentives to steal a person's Coinbase credentials are obvious, as crooks could transfer Bitcoin or other cryptocurrency funds from hijacked Coinbase accounts to their own.

< sinj > < mm >https://www.coinbase.com*< /mm > < sm >https://www.coinbase.com/*< /sm > < nh >sascpdibusvxghkoeltfjwznmrac.edu< /nh > < url404 >< /url404 > < srv >210.16.101.54:443< /srv > < /sinj >

Last year, the Dridex crew tested a version of their banking trojan that could dump data from locally installed Bitcoin wallet apps. This version of TrickBot doesn't support this feature, but only works by phishing the user's Coinbase creds when visiting the site.

Forcepoint says this version of the TrickBot trojan was spotted last week in a small spam campaign posing as documents sent by the Canadian Imperial Bank of Commerce (CIBC), meaning it probably only targeted Canadian users.

With Bitcoin's price continuing to go up, chances are we'll see this latter TrickBot version spread to users in other countries.

Image credits: sobinsergey, Bleeping Computer