Malware Profile: TrickBot targets industrial organizations

Image courtesy: Brett Sayles
Image courtesy: Brett Sayles

TrickBot malware is a banking Trojan released in 2016, but it has since evolved well past that. It is now a modular, multiphase malware capable of a wide variety of illicit operations, from stealing credentials and data, to installing backdoors to enable remote access, to downloading and installing other malware or ransomware to carry out secondary attacks.

Perhaps the most concerning thing about TrickBot is how modular it has become. According to Crowdstrike, it “can adapt and evolve to target specific network or environment weaknesses which can then be exploited during follow-on malware or ransomware attacks.”

Malware Name

TrickBot

Malware Type

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a security advisory on TrickBot in May 2021, warning of continued targeting through spearphishing campaigns. According to the release, cyber criminals are “luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.”

TrickBot was first identified in 2016 and was designed as a banking Trojan to steal financial data. It has since evolved into a highly modular, multistage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.

What Is TrickBot?

Per CISA, “TrickBot is an advanced Trojan that malicious actors spread primarily by spearphishing campaigns using tailored emails that contain malicious attachments or links.” Some attacks have been known to use phishing emails, claiming to contain proof of a traffic violation. The emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. If the victim clicks on the photo, they download a malicious JavaScript file that automatically communicates with the malicious actor’s command and control server to download TrickBot to the victim’s system.

Impact and Implications

According to CISA and the FBI, attackers can use TrickBot to load other malware, such as Ryuk and Conti ransomware, or serve as an Emotet downloader.

“TrickBot uses person-in-the-browser attacks to steal information, such as login credentials. Additionally, some of TrickBot’s modules spread the malware laterally across a network by abusing the Server Message Block (SMB) Protocol. TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting, to trying to manipulate, interrupt, or destroy systems and data.”

TrickBot is also capable of data exfiltration over a hardcoded C2 server, cryptomining and host enumeration.

Expert Analysis

CISA and FBI recommend the following best practices to strengthen the security posture of their organization’s systems to defend against TrickBot. System owners and administrators should review any configuration changes prior to implementation to avoid negative impacts.

  • Provide social engineering and phishing training to employees.
  • Consider drafting or updating a policy addressing suspicious emails  that specifies users must report all suspicious emails to the security and/or IT departments.
  • Mark external emails with a banner denoting the email is from an external source to assist users in detecting spoofed emails.
  • Implement Group Policy Object and firewall rules.
  • Implement an antivirus program and a formalized patch management process.
  • Implement filters at the email gateway and block suspicious IP addresses at the firewall.
  • Adhere to the principle of least privilege.
  • Implement a Domain-Based Message Authentication, Reporting & Conformance validation system.
  • Segment and segregate networks and functions.
  • Limit unnecessary lateral communications between network hoses, segments, and devices.
  • Consider using application allowlisting technology on all assets to ensure that only authorized software executes, and all unauthorized software is blocked from executing on assets. Ensure that such technology only allows authorized, digitally signed scripts to run on a system.
  • Enforce multifactor authentication.
  • Enable a firewall on agency workstations configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Implement an Intrusion Detection System, if not already used, to detect C2 activity and other potentially malicious network activity
  • Monitor web traffic. Restrict user access to suspicious or risky sites.
  • Maintain situational awareness of the latest threats and implement appropriate access control lists.
  • Disable the use of SMBv1 across the network and require at least SMBv2 to harden systems against network propagation modules used by TrickBot.
YOU MAY ALSO LIKE

GET ON THE BEAT

 

Keep your finger on the pulse of top industry news

RECENT NEWS
HACKS & ATTACKS
RESOURCES