'Return of Trickbot' targeting the legal and insurance industry

The Trickbot botnet, which has enabled ransomware attacks such as Ryuk, is now spreading through malicious links in emails rather than malicious email attachments.

Despite the security industry's efforts to take down the Trickbot botnet, its operators are reviving it through a new infection campaign. The most recent campaigns the researchers observed have targeted legal and insurance companies.

Security firm Menlo Security said in a report on Jan. 29, “In the most recent campaign we observed on Menlo Security cloud platforms around the world, attackers used an interesting incentive to convince users to click. The campaign, which is still ongoing, is targeting the legal and insurance sectors in North America.”

Trickbot: from banking Trojan to crimeware platform

Trickbot infected more than 1 million computers in 2016, targeting businesses and consumers. The botnet has often been in the spotlight for its association with Ryuk, a highly sophisticated ransomware operation that has hit many organizations and businesses around the world in recent years.

Trickbot started out as a banking Trojan but evolved into a crimeware platform whose operators sell access to infected computers to other groups of hackers looking to distribute their own malware. Trickbot's biggest customer is the Ryuk organization, which is why Trickbot infections often precede Ryuk.

In October, Microsoft took legal action to seize the domains used to run Trickbot's command and control servers, then worked with other security vendors and ISPs to take over the servers. By early November the Trickbot command and control servers were no longer active, but researchers warned that the attackers were capable and could attempt to rebuild the botnet.

Latest Trickbot campaign infects via malicious URLs

The campaign detected by Menlo uses spam emails containing a malicious URL. When a user clicks the link, they are directed to a page presented as an automated notification of negligent driving. A button on this page offers a download of what is supposed to be photographic evidence; clicking it downloads a zip archive containing a malicious JavaScript file.

Menlo Security researchers explained, “The embedded JavaScript was heavily obfuscated, a typical technique for Trickbot malware. When you open the JavaScript file that you downloaded, it makes an HTTP request to the command and control server to download the final malicious binary.”
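The delivery chain described above ends in a zip archive that carries a script file, which a mail or web gateway can check before the download reaches the user. The following Python sketch is an added example, not code from Menlo Security or from the campaign: the extension list, the nesting limits, the verdict names and the sample file names are all assumptions made for illustration.

```python
import io
import zipfile

# Assumed policy list: script types Windows Script Host runs on double-click.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
MAX_DEPTH = 2                          # levels of nested zips to open
MAX_NESTED_BYTES = 10 * 1024 * 1024    # do not inflate larger nested zips


def scan_zip(data, depth=0, prefix=""):
    """Return (script_paths, uninspectable_paths) for a zip given as bytes."""
    scripts, opaque = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            name = info.filename.lower()
            if name.endswith(SCRIPT_EXTS):      # also catches photo.jpg.js
                scripts.append(path)
            elif info.flag_bits & 0x1:          # encrypted member, cannot inspect
                opaque.append(path)
            elif name.endswith(".zip"):
                if depth >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                    opaque.append(path)
                    continue
                try:
                    s, o = scan_zip(archive.read(info), depth + 1, path + "!")
                except zipfile.BadZipFile:
                    s, o = [], [path]
                scripts += s
                opaque += o
    return scripts, opaque


def triage(data):
    """Verdict for an archive downloaded from an emailed link."""
    try:
        scripts, opaque = scan_zip(data)
    except zipfile.BadZipFile:
        return "review", []                     # unreadable: hand to an analyst
    if scripts:
        return "block", scripts
    return ("review", opaque) if opaque else ("allow", [])


def build_zip(files):
    """Build a constructed sample archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in files.items():
            archive.writestr(name, content)
    return buf.getvalue()
```

For example, triage(build_zip({"evidence/photo_0129.jpg.js": b"var a=1;"})) returns a "block" verdict together with the script's path inside the archive.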

The researchers did not say whether the payload itself differs from the Trickbot samples seen before the takedown; however, they note that the current detection rate is low for both the malicious URLs spread via email and the URLs from which the payload is downloaded.

Trickbot has a modular architecture with more than 24 known plugins supporting different functions. Last year, researchers warned of a worrisome development: a new module that could allow Trickbot to detect insecure UEFI firmware and potentially infect devices or covertly deploy low-level backdoors.

Using malicious URLs in emails is a rather unusual distribution technique for Trickbot; the malware has traditionally been distributed through malicious email attachments (e.g., malicious Word and Excel documents or Java Network Launch Protocol (JNLP) files). It was also widely distributed through another botnet, Emotet, which was jointly shut down by police in several countries last week.

“Where there is a will, there is a way,” Menlo researchers said. “This proverb certainly applies to the malicious actors behind the operation of Trickbot. Microsoft and its partners took commendable action, and Trickbot activity gradually declined. However, threat actors seem to be motivated enough to restore operations and monetize the current threat environment.”
