Trickbot Malware Adds New Feature To Target Telecoms, Universities And Finance Companies


A new form of the infamous Trickbot malware is using never-before-seen behaviour in attacks targeting telecommunications providers, universities and financial services in a campaign that looks to be going after intellectual property and financial data.

The campaign, which has been active since at least January, has been discovered and detailed by researchers at cybersecurity company Bitdefender who warn that it's likely to still be active.

Trickbot has been in operation since 2016 and, while it started life as a banking trojan, its modular design means it can easily be re-purposed for other ends, which has led to it becoming one of the most advanced and capable malware delivery platforms in use today.

And now it has been updated with yet another new capability, with a module that uses brute force attacks against targets mostly in telecoms, education, and financial services in the US and Hong Kong. These targets are pre-selected based on IP addresses, indicating that the attackers are going after them specifically.


There's also evidence that the attackers have some understanding of the targets and their weaknesses: rather than working through an exhaustive dictionary of usernames and passwords, the brute-force module tries a pre-defined list of username and password pairs against exposed Remote Desktop Protocol (RDP) ports.

"To us it looks like a targeted attack," Liviu Arsene, senior e-threat analyst at Bitdefender told ZDNet.

"The simple fact that they're using a list of usernames and passwords and not going through a whole dictionary attack either means they have some sort of knowledge or previous experience of what passwords IT admins use to manage those networks. They wouldn't be picking from a list of passwords unless this list has proven valuable in the past."
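The credential-list behaviour described above leaves a recognisable trace on the defender's side: one source address generating a burst of failed logons, often cycling through a handful of administrative account names. The following is an added example, not code from Bitdefender's research or from this article. It is a small Python detector that reads constructed Windows Security Event ID 4625 (failed logon) records, here written in an assumed key=value line format rather than any real log forwarder's output, and flags a source IP that exceeds a failure threshold within a sliding window, labelling it a password spray (many accounts) or a brute force (one account). The thresholds, the field names and the sample addresses are all assumptions.

```python
"""Flag RDP credential-list attacks from Windows failed-logon events.

Added illustration: parses constructed Event ID 4625 records in a simple
key=value line format (an assumed format, not a real forwarder's output) and
raises an alert when one source IP accumulates many failures in a short
window, labelling it a password spray (many accounts) or a brute force
(one account).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real telemetry). IP addresses are from the
# RFC 5737 documentation ranges. LogonType 10 = RemoteInteractive (an RDP
# logon); EventID 4624 is a successful logon and is ignored by the detector.
SAMPLE_LOG = """\
2020-03-26T10:00:01Z EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=10
2020-03-26T10:00:03Z EventID=4625 TargetUserName=admin IpAddress=203.0.113.7 LogonType=10
2020-03-26T10:00:05Z EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=10
2020-03-26T10:00:07Z EventID=4625 TargetUserName=support IpAddress=203.0.113.7 LogonType=10
2020-03-26T10:00:09Z EventID=4625 TargetUserName=admin IpAddress=203.0.113.7 LogonType=10
2020-03-26T10:00:11Z EventID=4625 TargetUserName=helpdesk IpAddress=203.0.113.7 LogonType=10
2020-03-26T10:00:13Z EventID=4625 TargetUserName=backup IpAddress=203.0.113.7 LogonType=10
2020-03-26T10:00:15Z EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=10
2020-03-26T10:00:17Z EventID=4625 TargetUserName=support IpAddress=203.0.113.7 LogonType=10
2020-03-26T10:00:19Z EventID=4625 TargetUserName=helpdesk IpAddress=203.0.113.7 LogonType=10
2020-03-26T10:02:00Z EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5 LogonType=10
2020-03-26T10:02:30Z EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5 LogonType=10
2020-03-26T10:02:45Z EventID=4624 TargetUserName=jsmith IpAddress=10.0.0.5 LogonType=10
2020-03-26T10:05:00Z EventID=4625 TargetUserName=administrator IpAddress=198.51.100.23 LogonType=10
2020-03-26T10:05:10Z EventID=4625 TargetUserName=administrator IpAddress=198.51.100.23 LogonType=10
2020-03-26T10:05:20Z EventID=4625 TargetUserName=administrator IpAddress=198.51.100.23 LogonType=10
2020-03-26T10:05:30Z EventID=4625 TargetUserName=administrator IpAddress=198.51.100.23 LogonType=10
2020-03-26T10:05:40Z EventID=4625 TargetUserName=administrator IpAddress=198.51.100.23 LogonType=10
2020-03-26T10:05:50Z EventID=4625 TargetUserName=administrator IpAddress=198.51.100.23 LogonType=10
2020-03-26T10:06:00Z EventID=4625 TargetUserName=administrator IpAddress=198.51.100.23 LogonType=10
2020-03-26T10:06:10Z EventID=4625 TargetUserName=administrator IpAddress=198.51.100.23 LogonType=10
2020-03-26T10:06:20Z EventID=4625 TargetUserName=administrator IpAddress=198.51.100.23 LogonType=10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' record into a dict with a UTC datetime."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def detect_rdp_bruteforce(lines, window=timedelta(minutes=5), min_failures=8,
                          spray_accounts=3, logon_types=("10",)):
    """Return {source_ip: alert} for sources exceeding min_failures within window.

    A source that cycles through >= spray_accounts distinct user names is
    reported as a password spray (the credential-list behaviour in the
    article); otherwise as a brute force against a single account. Only
    failed logons (4625) of the given logon types are counted.
    """
    failures = defaultdict(list)  # source ip -> [(timestamp, target user)]
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("EventID") != "4625" or ev.get("LogonType") not in logon_types:
            continue
        failures[ev["IpAddress"]].append((ev["ts"], ev["TargetUserName"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        recent = deque()  # failures from this ip inside the sliding window
        for ts, user in events:
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) < min_failures:
                continue
            accounts = sorted({u for _, u in recent})
            prev = alerts.get(ip)
            # keep the fullest window seen for this source
            if prev is None or len(recent) > prev["failures"]:
                alerts[ip] = {
                    "kind": "password_spray" if len(accounts) >= spray_accounts else "brute_force",
                    "failures": len(recent),
                    "accounts": accounts,
                    "first_seen": recent[0][0].isoformat(),
                    "last_seen": ts.isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, alert)
```

On the sample, 203.0.113.7 is reported as a password spray across five administrative account names and 198.51.100.23 as a brute force against a single account, while the two mistyped passwords from 10.0.0.5 stay below the threshold. One caveat when adapting this to real logs: on hosts where Network Level Authentication is enabled, a failed RDP logon is typically recorded with LogonType 3 (network) rather than 10, so the logon_types filter needs to match what the environment actually emits, or the detection should be keyed on the RDP listener at the network boundary instead.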

Once Trickbot gains a foothold, the attackers use the EternalRomance SMBv1 exploit to move laterally across the network, performing reconnaissance and then stealing data including browser-stored credentials, usernames and passwords, sensitive documents, financial information, intellectual property and more.

The nature of the campaign's targets suggests that the attackers have very specific ideas in mind.

"They're going after critical information or intellectual property; telecoms services may give attackers surveillance capabilities, they can tap into telecommunications networks," said Arsene.

"Education and research means they may want to access intellectual property. And finance services probably has something to do with the stock market – something that can bring revenue to their cause," he added.

Trickbot is so widely used that attributing this latest campaign is almost impossible, and while much of the command-and-control infrastructure is based in Russia, that's likely only because the attackers have been able to compromise machines in that region easily and enlist them in the botnet.

The campaign is still active and it's likely that those behind it, and those behind other Trickbot campaigns, will continue to modify the malware in new ways in order to achieve their goals more easily.

"The reason it has stuck and will continue to be used is precisely because it's modular. If a module doesn't yield good enough results or someone comes up with something improved, they'll definitely push it out," said Arsene.

"Malware is no longer something you deploy once and forget about, you build a backbone and then you start adding or removing features as you see fit – to serve any purpose basically," he added.


However, organisations can protect against campaigns by Trickbot and other malware by following a few simple steps. First, keep systems patched with the latest security updates so that malware can't exploit known vulnerabilities: the SMBv1 flaw that EternalRomance relies on was fixed by Microsoft's MS17-010 update in March 2017, and SMBv1 itself can be disabled on hosts that don't depend on it.

Second, restrict access to remote desktop ports where possible, for example by placing RDP behind a VPN rather than exposing it directly to the internet, and watch for bursts of failed logons from a single source. Third, require multi-factor authentication for those who do use remote access, so that an attacker who successfully brute-forces a password still can't get in.

"It's the basic security steps you should be applying in any organisation," Arsene concluded.
