Monday, August 31, 2020

TrickBot Trojan: A Short Analysis of the Modular Banking Malware

TrickBot is a well-known modular banking trojan that also operates as an info-stealer and as a dropper for other malware. Active since 2016, it has been updated repeatedly with new features and modules. Recently it has been used alongside Ryuk ransomware to target several organizations.


Top targets

TrickBot is used in various attack campaigns to provide a foothold inside a targeted network and to act as a dropper for follow-on payloads, most notably the Ryuk and Conti ransomware families. Emotet is not ransomware but a loader: it is the malware that most often delivers TrickBot in the first place. Even so, TrickBot's core use remains stealing banking credentials, with financial institutions located in the U.S. the most frequent targets.

In August 2020, it was delivered by Emotet's spam campaign, which sent COVID-19-themed emails to U.S. businesses.

In July 2020, TrickBot was observed being installed alongside Emotet on infected Windows computers.

In April 2020, TrickBot operators were also observed taking advantage of the coronavirus pandemic by sending spam emails that impersonated the U.S. Department of Labor with a Family and Medical Leave Act (FMLA) theme.


Modus operandi

TrickBot spreads through several channels. For initial access it relies on smishing, COVID-19-themed lures, and spam email; once inside a network it moves laterally by brute-forcing Remote Desktop Protocol (RDP) endpoints and by using its mworm lateral-movement module.
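The RDP brute-forcing mentioned above leaves a recognisable trace in the Windows Security log: a burst of failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive) from one source address, often across many usernames, sometimes followed by a successful logon (Event ID 4624) from the same address. The script below is an added example for this post, not TrickBot code or a tool from the original analysis. It parses a constructed one-line-per-event export of such records and flags any source that fails at least five RDP logons within five minutes, also noting whether a success followed. The line format, the threshold and the window are assumptions chosen for the example.

```python
"""Detect RDP password brute-forcing from exported Windows Security events.

Added example, not code from the TrickBot analysis or from any TrickBot
module. Assumes the log has been exported one event per line in the format
used in SAMPLE_LOG (a constructed sample). Windows records a failed logon as
Event ID 4625 and a successful one as 4624; LogonType 10 (RemoteInteractive)
identifies RDP sessions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five rapid failures from one source across several
# accounts, then a success from that source; a lone RDP failure and a
# non-RDP (LogonType 3) failure from a second source that must not alert.
SAMPLE_LOG = """\
2020-08-31T09:00:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-08-31T09:00:02Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-08-31T09:00:03Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-08-31T09:00:04Z EventID=4625 LogonType=10 TargetUserName=sqlsvc IpAddress=203.0.113.7
2020-08-31T09:00:05Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2020-08-31T09:00:09Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2020-08-31T09:15:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.4
2020-08-31T09:16:00Z EventID=4625 LogonType=3 TargetUserName=jsmith IpAddress=198.51.100.4
"""

# Assumed export format; adjust the pattern for a real SIEM export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse(log_text):
    """Turn the exported lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: details} for every source with >= threshold failed RDP
    logons inside any sliding window of the given length.

    details = {"failures": count in the window that first crossed the
    threshold, "users": sorted distinct target accounts in that window
    (many users from one source suggests password spraying),
    "success_after": True if a successful RDP logon from the same source
    followed the last failure in that window}.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["lt"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        if e["eid"] == 4625:
            failures[e["ip"]].append(e)
        elif e["eid"] == 4624:
            successes[e["ip"]].append(e["ts"])

    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans <= `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst = fails[start:end + 1]
                last_fail = burst[-1]["ts"]
                alerts[ip] = {
                    "failures": count,
                    "users": sorted({e["user"] for e in burst}),
                    "success_after": any(t >= last_fail for t in successes.get(ip, [])),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in rdp_bruteforce(parse(SAMPLE_LOG)).items():
        severity = "CRITICAL (success followed)" if info["success_after"] else "high"
        print(f"{ip}: {info['failures']} failed RDP logons, "
              f"accounts={info['users']}, severity={severity}")
```

A source that succeeds right after a burst of failures is the case to triage first, since it means the brute force worked and the operators now have an interactive session to deploy TrickBot from. The five-in-five-minutes threshold is deliberately low; tune it against your own baseline of legitimate mistyped passwords.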

In July 2020, Anchor_DNS, the component of TrickBot's Anchor framework that tunnels command-and-control traffic over DNS, was ported to infect Linux devices.

At the beginning of July 2020, TrickBot added a new sandbox-evasion check: it reads the victim's screen resolution and bails out on the low, non-standard resolutions typical of analysis virtual machines rather than physical desktops.

In early June 2020, the TrickBot operators were observed using BazarBackdoor (also known as BazarLoader) to gain initial access to targeted networks.


