Trickbot Trojan Diversifying Malware Distribution channels
The tricky and clever mindset behind the malicious malware named Trickbot has reappeared in the cyber-attack world with advanced tricks for trapping the users and reinforcing them by diversifying the malware distribution channel, eventually directing Conti's deployment of ransomware.
According to the IBM X-Force report, the dangerous malware gang IT23 and Wizard Spider had become partners with cybercrime gangs named Hive0105, Hive0106 (Shathak or TA551), and Hive0107 which is responsible for the distribution of IcedID in early 2021, and another group that involved in the delivery of IcedID, Valak and QakBot malware families.
Corporate networks are being infected by these and other cybercrime vendors by hijacking email threads, faking customer response use and social engineering the employees through fake call center called Bazarcall.
Ole Villadsen and Charlotte Hammond researchers
Table of Contents
- Background of Trickbot malware
- Evolution of Trickbot malware
- Strength of Trickbot malware
- Comprehensive Detail on Trickbot malware
Trickbot is an ancient successor of ZeuS banking Trojan discovered in 2005, but it is mostly traced back to Dyre or Dyreza, which disappeared offline from the network in 2015. Trickbot came into being in 2016, which reuses Dyre's code and holding the banking credentials and web injects infrastructure.
Trickbot is becoming a malware empire with several plugin modules, crypto mining, and perseverance abilities. It's a growing association with ransomware infections. In earlier June 2019, the MS-ISAC noted a relationship between initial Trickbot infections and Ryuk ransomware attacks.
Trickbot became the center of focus of government and private entities in fall 2020.
By January 2019, an active movement of Ryuk ransomware was discovered attacking victims who Trickbot formerly attacked. Recently another movement of Emotet-Trickbot-Ryuk for deploying and initiating Ryuk ransomware.
In January 2019, we saw new capabilities added to already extensive bag of tricks in Trickbot. Its authors aren't finished updating Trickbot. Recently a new variant is founded that uses updated version of pwgrab module that grabs remote application credentials.
Noel Anthony, Threat Researcher Engineer at TrendMicro
The latest malware variant is becoming powerful by extracting users' credentials from remote management software such as RDP and VNC.
Emotet another malicious malware, proves that both Emotet and Trickbot emerged by the same group of authors having similar mindsets.
Trickbot is also known as TrickLoader, emerged in 2016 in the cyber world as a Trojan virus. It was founded for stealing banking credentials but evolved into a multi-purpose platform that is now becoming a danger for even home-based computers and networks.
Its main focus is to deceive financial services and online banking users. The malware would inaugurate fake browsing sessions, and fraudulent transactions would be carried directly from the victim's system.
Trickbot utilizes two webs injects types
- Redirection Attack, also called static injection, redirects the victim to fraudulent banking website replicas. The fraudulent website is hosted on cyber threat actors (CTA's) server and gains users' login credentials.
- Server-side injections, also called dynamic injections, extract the bank's server response and redirecting it to CTA's server. Before returning to the client, an extra code is added through which CTA steals banking credentials using form-grabbers.
Malware is mainly spread through phishing and MalSpam attacks, including spearphishing campaigns that send emails containing malicious links and attachments. After enabling such connections, Trickbot starts distributing.
In Corporate areas, Trickbot spreads through
- Network vulnerabilities: Malware destroys the Server Message Block (SMB) protocol of an organization which spreads information between other systems on the same network.
- Secondary Payload: It spreads through other secondary infections and powerful Trojans like Emotet.
The malware has evolved from banking Trojan to modular Windows-based crimeware solutions revealing its ability for maintaining and updating toolset and infrastructure. At the same time, law enforcement and industry groups put efforts to take it down. Wizard Spider group has been assigned with the development of Anchor, including BazarLoader and backdoor.
This year depends on the email campaigns that deliver Excel documents and call center tricks dubbed "BazaCall" to deliver malware to corporate users. June 2021 updated intrusions for augmenting distribution infrastructure, a partnership with two cybercrime affiliates by supporting hijacked email threads and fraudulent customer inquiry leads an organization to deploy Cobalt Strike Payload.
In late August 2021, an infection detected by IBM demonstrates that the Hive0107 affiliates adopted a new trick that informs the target companies by sending emails that their websites are executing distributed denial-of-service (DDoS) attacks on their servers, forcing the recipients to click on the link for evidence.
- Trickbot malware distributing ransomware against hospitals in October 2020
- Trickbot malware becomes the new top global threat used by cybercriminals
- Trickbot malware is the most dominant malware in June 2021
ITG23 has modified to ransomware economy through the creation of Conti ransomware-as-a-service (RaaS) and the use of BazarLoader and Trickbot payload for strengthening its impact.
This latest development depicts the strength of its connections with the cybercriminal ecosystems and its ability to leverage these relationships to expand the number of organizations infected by the malware.
October 2020 has revealed Trickbot and Emotet Trojan as the top two most harmful malware in October, and these are widely involved in ransomware attack increase against hospitals and healthcare providers. FBI and U.S Government agencies issued warning against a ransomware attack.
The estimation shows that about one million Trickbot infections are used worldwide for downloading and spreading file-encrypting ransomware like Ryuk, which is also distributed through Emotet Trojan.
Checkpoint Researchers (CPR) had reported that they had seen an increase in ransomware attacks by the start of the Coronavirus pandemic by taking advantage of the security gap as organizations organized to remote workspaces
Trickbot and Emotet strongly affecting the healthcare sectors. Trickbot is the most prominent banking Trojan that repeatedly updates itself with new abilities, distribution vectors, and features. Trickbot is flexible and can be distributed as a part of multi-purposed campaigns.
February 2021 has revealed that Trickbot Trojan has topped the Index for the first time. Check Point Researchers reported that cybercriminals started utilizing the malicious malware for performing malicious activities and used Trickbot for the purpose.
Trickbot was 4th most prominent globally during 2020, affecting 8% of organizations. It played a key role in the costly cyberattack of 2020, involving Universal Health Service (UHS).
Ryuk hit UHS, and the attack cost $67 million.
Check Point Researchers say that Trickbot is famous because of its versatility and success record in attacks and will be used by more cybercriminals.
The latest Global Threat Index for June 2021 has revealed that Trickbot is still the most malicious malware. Trickbot, the banking Trojan, and a botnet steals financial details, account credentials, and personally identifiable information within a network and drops ransomware.
Due to the down of the Emotet botnet, Trickbot had become famous. It is recently linked to a new ransomware strain called "Diavol." CPR states that Trickbot is the top malware that cybercriminals use for attack purposes.
Researchers elaborate that the goal of campaigns was to initiate the ransomware attacks and increase the delivery of Trickbot and BazarLoader, which increased Conti ransomware attacks. Trickbot is used as first-stage malware in cyberattacks
Proofpoint Researchers claim that Trojans of these types constitute 20% of malware noted in identified campaigns in the first half of 2021.
This trend increases the ability of ITG23 to infect more enterprise users, raises the risk for ransomware attacks, and demands more employee training.
The U.S government and Microsoft both put efforts through certain operations to exploits Trickbot infrastructure, but cybercriminals returned to conduct spam campaigns again. The group had repositioned itself among the top of cybercriminal activities.
Trickbot, the malicious Trojan stealing the user's banking credentials, emerged in 2005, then again appeared in 2016, and keeps updating itself. It is the most powerful malware, so organizations need to protect themselves against Trickbot Trojan.
To protect Villadsen said that organizations need to implement several security measures like:
- Network monitoring and multi-factor authentications.
- Organizations should offer phishing, cybersecurity, and social engineering training to employees.
- Organizations should search for Indicators of Compromise (IOCs) to detect such malware.
- Organizations Should block all suspicious IP addresses at the firewall level.
- Impose policy so that all suspicious emails are reported to the IT department to take action.
Such steps should be taken in every organization to protect and ensure the organization's security, which is the key element of each organization.