Is Trickbot the bindweed of malware?

(Image Credit: Couleur from Pixabay)

There have been many attempts to take down Trickbot. Microsoft led the most recent in October 2020. However, like bindweed, which is almost impossible to eradicate, Trickbot was soon up and running. Menlo Security says it has now seen Trickbot involved in attacks against the legal and insurance verticals in North America.

The attack involves an email with a link to a URL. This is a new approach for Trickbot and could signal a move away from the use of infected documents.

Vinay Pidathala, Director of Security Research, Menlo Security (Image Credit: LinkedIn)

In a blog on the Menlo Security website, Vinay Pidathala, Director of Security Research, writes: “This ongoing campaign that we identified exclusively targeted legal and insurance verticals in North America. The initial vector appears to be an email, which includes a link to a URL. While in the past Trickbot has used weaponized documents, the infection mechanism detailed in this campaign seems to be a new modus operandi used by this group.

“Once the user clicks on the initial URL in the email, the user is redirected to a compromised server that coaxes the user into downloading a malicious payload.”

What is Trickbot?

Like much other malware, Trickbot has evolved over several years. It was originally identified in 2016 as a banking trojan. In that guise, it accesses online bank accounts and steals Personally Identifiable Information (PII). It uses the Mimikatz toolkit, developed in 2014, which is still actively being maintained and developed.

Over the years, however, it has evolved significantly. It has added a self-propagating worm, attacked security software and stolen access keys to VPN software. It has also rented out its infrastructure to cybercriminals for other campaigns. This has seen it deliver ransomware and other toolkits.

In October 2020, Microsoft announced that it had led an operation that had taken down over 94% of its infrastructure. Unfortunately for Microsoft, Trickbot has shown its ability to regrow, just like bindweed.

Within days of the Microsoft operation, the FBI, DHS and CISA warned of a new Trickbot campaign. That campaign was targeted at US hospitals and healthcare providers and saw the RYUK ransomware distributed using Trickbot.

In an Enterprise Times Security Podcast with Matt Lock, Technical Director, Varonis, in December, Lock referred to the speed with which Trickbot recovered.

What do we know about this Trickbot attack?

According to Pidathala, the campaign contains an email with a link to a URL. He writes: “Once the user clicks on the initial URL in the email, the user is redirected to a compromised server that coaxes the user into downloading a malicious payload.”

There appear to be five files involved, including an image called bee.png. The webpage tells the victim they have “been detected with a traffic infringement.” It then provides a link for them to download what is said to be photo proof of the offence. Clicking on that link downloads a zip file containing a heavily obfuscated JavaScript file.

At present, Pidathala says Menlo Security is still analyzing the binary payload. It doesn’t seem to have details yet on what is being stolen or a full list of the files installed on victims’ computers.

What is of particular concern is that many of the URLs used by this attack are not yet flagged as hosting malicious content. However, as is usual in any malware campaign, most of the emails are coming from Gmail, Yahoo and educational establishments.

Enterprise Times: What does this mean?

Using an email to snare a victim by saying they’ve committed a crime is nothing new. It is an approach that has been used several times over the last five years alone and in multiple countries. Although the lure is old, it will still ensnare its share of victims.

People must read the emails carefully. No police force will send a warning for a traffic offence via Gmail or some other free provider. Simply hovering over a link before clicking will make it obvious that these are malicious links. IT security teams need to update users’ advice, warning them of such attacks.
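The checks described above (free-mail sender, the “traffic infringement” pretext, a link whose visible text does not match where it points, and a download ending in .zip) can be automated as a simple mail-triage rule. The following Python is an added example written for this article, not Menlo Security’s code or anything from the campaign; the two messages it parses are constructed samples, and the domain names, phrase list and extension list are assumptions a team would tune for its own environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real campaign artefacts). The first mimics the
# lure the article describes: free-mail sender, traffic-infringement pretext,
# and a link whose displayed text points somewhere other than its real target.
SUSPICIOUS_EMAIL = """\
From: Traffic Department <notices.example@gmail.com>
To: victim@example.org
Subject: Notice of traffic infringement
Content-Type: text/html; charset=utf-8

<p>You have been detected with a traffic infringement.</p>
<p><a href="http://compromised.example.net/files/proof.zip">http://police.example.gov/proof</a></p>
"""

CLEAN_EMAIL = """\
From: Payroll <payroll@corp.example.com>
To: victim@example.org
Subject: March payslip available
Content-Type: text/plain; charset=utf-8

Your payslip is now available on the intranet portal.
"""

# Assumed tuning values; a real deployment would maintain these lists itself.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
LURE_PHRASES = ("traffic infringement", "photo proof")
RISKY_EXTENSIONS = (".zip", ".js", ".jse", ".vbs", ".exe")

ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def triage_email(raw):
    """Return a list of human-readable findings for one RFC 822 message.

    An empty list means none of the heuristics matched.
    """
    msg = message_from_string(raw)
    findings = []

    # 1. Sender domain: official bodies do not write from free-mail or .edu accounts.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in FREE_MAIL_DOMAINS:
        findings.append(f"free-mail sender domain: {domain}")
    elif domain.endswith(".edu"):
        findings.append(f"educational sender domain: {domain}")

    # 2. Lure wording in subject or body (tags stripped, case-insensitive).
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + TAG_RE.sub(" ", body)).lower()
    for phrase in LURE_PHRASES:
        if phrase in text:
            findings.append(f"lure phrase: {phrase}")

    # 3. Links: the programmatic equivalent of hovering before clicking.
    for href, inner in ANCHOR_RE.findall(body):
        shown = TAG_RE.sub("", inner).strip()
        target_host = (urlparse(href).hostname or "").lower()
        shown_host = ""
        if shown.lower().startswith(("http://", "https://")):
            shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and shown_host != target_host:
            findings.append(
                f"link text mismatch: shown {shown_host}, points to {target_host}"
            )
        if urlparse(href).path.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky download: {href}")

    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, triage_email(sample))
```

Run on the constructed lure, the function reports all four signals; on the clean payroll notice it reports none. Any one of these signals alone is weak (plenty of legitimate mail comes from Gmail), so a deployment would typically require two or more before quarantining, and would log the findings for the security team rather than silently dropping the message.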

A more worrying issue here is how quickly Trickbot has recovered from a takedown that should have seriously damaged it. Multiple campaigns in the three months after losing 94% of its infrastructure show just how resilient cybercrime networks are. In fact, many seem to have better recovery processes than the commercial companies they target. Last week, a Europol-led initiative took down Emotet, another malware empire. How long before it re-emerges?
