UPDATED 06:00 EDT / FEBRUARY 15 2018

New TrickBot banking trojan variant is targeting cryptocurrency exchanges

Prolific banking trojan TrickBot has taken on a new challenge: a newly detected variant is now targeting cryptocurrency exchanges.

The new version, detected by IBM Corp.’s X-Force security research team, follows the path of previous variants in using web injections to steal the target asset. But where previously the target asset was only credit card transactions, the new variant also targets bitcoin at the point it’s purchased.

“In the normal payment scenario, the user looking to buy coins provides their public Bitcoin wallet address and the amount of bitcoin to purchase,” the researchers explained in a blog post today. “When submitting this initial web-form, the user is redirected from the bitcoin exchange platform to a payment gateway on another domain, which is operated by a payment service provider. There, the user fills in their personal information as well as credit card and billing details and confirms the purchase of coins.”

It’s at this point that TrickBot hijacks the coins, notably attacking both the exchange site and the payment service to do so.

If that’s not bad enough, the new TrickBot variant targets both sides of the transaction: It obtains the victim’s cryptocurrency exchange login credentials, wallet information and credit card information, allowing the attackers to continue to target the victim on multiple fronts.

“This means that even after the initial attack, cybercriminals can empty existing cryptocurrency wallets, make additional exchange purchases as the victim, and use the credit card information for whatever else they desire,” a spokesperson for IBM X-Force told SiliconANGLE.

Interestingly, the attack appears to be focused on one particular exchange, unnamed by the researchers but said to allow for the purchase of bitcoin and Bitcoin Cash by credit card. Coinbase Inc. was previously targeted by the same gang using an earlier credit card-stealing TrickBot variant in August.

In conclusion, the researchers noted that the new TrickBot variant demonstrates the sophistication of the gang behind it. “The scheme required extensive research of the targeted sites, their web logic and the security controls they use,” they said. “It highlights what we already know about this malware gang: it is a group that continues to study new targets and expand its reach.”

The bad news is that they also believe there’s more to come: “As the theft of cryptocurrency becomes increasingly popular among financial malware operators, we expect to see many more campaigns targeting the various platforms and service providers in the cryptocurrency sector.”
