Monday, August 31, 2020

TrickBot Trojan: A Short Analysis of the Modular Banking Malware

TrickBot is a well-known modular banking trojan that also acts as an info-stealer and a dropper for other malware. Active since 2016, it has been updated repeatedly with new features and modules. Recently, it has been used alongside Ryuk ransomware to target several organizations.


Top targets

TrickBot is used in various attack campaigns to provide a gateway inside a targeted network and act as a dropper to deploy additional ransomware (e.g., Conti, Ryuk, and Emotet). However, it is mostly used to steal information from financial institutions located in the U.S.

In August 2020, it was used in Emotet’s spam campaign sending COVID-19 related emails to U.S. businesses.

In July 2020, TrickBot was observed being installed alongside Emotet to infect Windows computers.

In April 2020, TrickBot operators were also observed exploiting the coronavirus pandemic by sending spam emails with a Department of Labor FMLA theme.


Modus operandi

TrickBot has used several propagation techniques, ranging from smishing, COVID-19 lures, and spam emails to brute-forcing Remote Desktop Protocol (RDP) endpoints and spreading laterally with its mworm module.

In July, TrickBot's Anchor malware framework, known as “Anchor_DNS”, was ported to infect Linux devices.

At the beginning of July, TrickBot adopted a new detection-evasion technique: checking the victim's screen resolution to determine whether the malware is running inside a virtual machine.

In early June 2020, the TrickBot operators were found to be using the BazarBackdoor to gain access to targeted networks.



Monday, August 17, 2020

Hackers targeted thousands of CRA, government service accounts in ‘credential stuffing’ attacks

The federal government is warning Canadians not to reuse old passwords after thousands of accounts, including CRA logins, were targeted in a credential stuffing attack.

Hackers obtained and attempted to use the GCKey passwords and usernames of 9,041 people, the Treasury Board of Canada Secretariat said in a statement Saturday.

GCKey is the online authentication system that allows people access to Service Canada, Refugees and Citizenship Canada and more than two dozen other government departments.

For a third of the accounts affected, the hackers were successful in accessing government services online. Those accounts will be “further examined for suspicious activity,” the statement said.

As part of that attack and another recent incident, 5,500 CRA accounts were targeted.



The federal government said all compromised accounts have been disabled and those affected are being contacted. They will receive instructions on how to restore their GCKey or CRA MyAccount access.

Credential stuffing is a form of cyberattack that relies on databases of stolen login information made available through previous data breaches. The hackers replay those credentials against other online services, counting on people having reused the same username and password.
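Credential stuffing has a recognisable footprint in authentication logs: one source tries many different usernames in a short time, most attempts fail, and the few successes are the reused passwords that worked. The following heuristic, added here as an illustration (it is not part of the news report above or of any government tooling), runs over a constructed sample log and flags source IPs that match that pattern, separating them from ordinary brute force, where one username sees many attempts. The log format, field names, and thresholds are assumptions for the example.

```python
"""Credential-stuffing detection heuristic over authentication logs.

Added example, not from the article above. The log line format
'<iso-timestamp> ip=<addr> user=<name> result=OK|FAIL' is constructed
for this illustration, as are the thresholds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one stuffing burst (203.0.113.7), one single-user
# retry sequence (198.51.100.2), and one normal login (192.0.2.9).
SAMPLE_LOG = """\
2020-08-15T10:00:01 ip=203.0.113.7 user=alice result=FAIL
2020-08-15T10:00:02 ip=203.0.113.7 user=bob result=FAIL
2020-08-15T10:00:02 ip=203.0.113.7 user=carol result=OK
2020-08-15T10:00:03 ip=203.0.113.7 user=dave result=FAIL
2020-08-15T10:00:04 ip=203.0.113.7 user=erin result=FAIL
2020-08-15T10:00:05 ip=203.0.113.7 user=frank result=FAIL
2020-08-15T10:00:06 ip=203.0.113.7 user=grace result=FAIL
2020-08-15T10:05:00 ip=198.51.100.2 user=alice result=FAIL
2020-08-15T10:05:30 ip=198.51.100.2 user=alice result=FAIL
2020-08-15T10:06:00 ip=198.51.100.2 user=alice result=OK
2020-08-15T11:00:00 ip=192.0.2.9 user=heidi result=OK
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.8):
    """Return {ip: stats} for source IPs that show a credential-stuffing pattern.

    An IP is flagged if, within any sliding `window`, it attempted at least
    `min_users` distinct usernames and at least `min_fail_ratio` of those
    attempts failed. Many distinct users from one source is what separates
    stuffing from brute force (one user, many passwords). Successful logins
    from a flagged IP are reported so those accounts can be reviewed.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            fail_ratio = sum(1 for e in win if not e["ok"]) / len(win)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                # Report statistics over all of this IP's activity.
                total_fails = sum(1 for e in events if not e["ok"])
                flagged[ip] = {
                    "attempts": len(events),
                    "distinct_users": len({e["user"] for e in events}),
                    "fail_ratio": round(total_fails / len(events), 2),
                    "compromised_users": sorted({e["user"] for e in events if e["ok"]}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

On the sample log only 203.0.113.7 is flagged: seven distinct usernames in six seconds with six failures, and the one success (carol) is exactly the account a defender would disable and force through a password reset, which is the response the government describes above. The single-user retries from 198.51.100.2 are not flagged because they match a forgotten password or brute force, not stuffing; a production rule would also key on user agents, ASN, and per-account velocity.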



Sunday, August 2, 2020

FSCA and cybercrime — making sure the guard dog is guarded

The digital age is characterised by rapid change and the introduction of pioneering solutions that have the power to make a real difference. Unfortunately, with these innovative solutions comes increased exposure to cybercrime — a fact many South Africans are intimately familiar with, given that more than nine attempted attacks take place every second.

The truth is that no individual or business is immune to the possibility of an attack. Addressing this risk and the catastrophic consequences that come from it requires an intensive approach, something we as the Financial Sector Conduct Authority (FSCA) are aware of, take seriously and are investing in. As the authority responsible for regulating the way SA financial firms conduct themselves, we are required to stay ahead of the curve.

Our cybersecurity technology investments need to be targeted, business-driven, and focused on mitigating the threats and vulnerabilities of our current operations. Improving our ability to detect and respond to cyber threats swiftly is core to what we do. This thinking is important for us to avoid incidents of stolen intellectual property, lost customer data, crippling ransomware and other forms of cybercrime. This is why we have adopted a risk-based approach in our cybersecurity strategy, supported by a dedicated team that is charged with ensuring its implementation.



HSE finds recruiting cyber security staff 'difficult'

The Health Service Executive has said it is "especially difficult" to recruit cyber security staff right now because of the compet...