Trickbot Is Back Again - With Fresh Phishing And Malware Attacks
Trickbot malware is back with a new campaign – just a few months after its operations were disrupted by a coalition of cybersecurity and technology companies.
Initially starting life as a banking trojan, Trickbot evolved to become a highly popular form of malware among cyber criminals, particularly because its modular nature allowed it to be used in many different kinds of attacks.
These include the theft of login credentials and the ability to propagate itself around the network spreading the infection further.
Trickbot even became a loader for other forms of malware, with cyber criminals taking advantage of machines already compromised by Trickbot as a means of delivering other malicious payloads, including ransomware.
In October last year, a takedown led by Microsoft disrupted the infrastructure behind the Trickbot malware botnet, but now it appears to be coming back to life as researchers at Menlo Security have identified an ongoing malware campaign which has the hallmarks of previous Trickbot activity.
These attacks appear to be exclusively targeting legal and insurance companies in North America, with phishing emails encouraging potential victims to click on a link which will redirect them to a server which downloads a malicious payload.
Many of these emails claim that the user has been involved in a traffic infringement and point them towards a download of the 'proof' of their misdemeanor – a social engineering trick which can catch people off guard and panic them into downloading. In this case the download is a zip archive which contains a malicious JavaScript file – a typical technique deployed by Trickbot campaigns – which connects to a server to download the final malware payload.
Analysis of this payload indicates that it connects to domains which are known to distribute Trickbot malware, indicating that it's once again active and could pose a threat to enterprise networks.
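As an added defensive illustration (not code from the original article or from Menlo Security's research), the check below inspects a zip attachment for the script-type members that the lure described above relies on, including nested archives and double extensions such as `proof.pdf.js`. The sample archive is constructed inside the block and carries no payload; the extensions flagged beyond `.js` are an assumption of this example.

```python
import io
import zipfile

# Member extensions worth flagging in a mail attachment. The campaign above
# delivered a .js downloader inside a zip; the other Windows script types are
# an assumption of this example, not something the article names.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
MAX_NESTING = 3  # zips inside zips are opened up to this depth


def script_members(archive_bytes: bytes, depth: int = 0) -> list[str]:
    """Return paths of script-type members in a zip, recursing into nested zips.

    Non-zip input yields an empty list rather than an exception, so the
    function can be run over every attachment without special-casing.
    """
    found: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return found
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Judge by the final suffix only: "proof.pdf.js" still runs as script.
            suffix = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if suffix in SCRIPT_EXTENSIONS:
                found.append(name)
            elif suffix == ".zip" and depth < MAX_NESTING:
                found.extend(f"{name}/{n}" for n in script_members(zf.read(info), depth + 1))
    return found


def build_sample_attachment(nested: bool = False) -> bytes:
    """Constructed sample, not a real campaign artefact: a zip mimicking the
    'proof of traffic infringement' lure with a decoy text file and a .js member,
    optionally wrapped in a second zip to exercise the nesting logic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "See attached proof.")
        zf.writestr("traffic_violation_proof.pdf.js", "// constructed placeholder, no payload\n")
    if not nested:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("proof.zip", buf.getvalue())
    return outer.getvalue()
```

Running `script_members` over every inbound attachment and quarantining any non-empty result is one cheap control against this delivery chain; it does not replace content inspection of the script itself.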
"Where there's a will, there's a way. That proverb certainly holds true for the bad actors behind Trickbot's operations," said Vinay Pidathala, director of security research at Menlo Security.
"While Microsoft and its partners' actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment," he added.
An advisory on Trickbot by the UK's National Cyber Security Centre (NCSC) recommends that organisations use the latest supported versions of operating systems and software and apply security patches in order to stop Trickbot and other malware exploiting known vulnerabilities to spread.
It's also recommended that organisations apply two-factor authentication across the network so that in the event of one machine being compromised by malware, it's much harder for it to spread.