‘When life gives you a second chance, give your best shot’ and that’s what the operators of TrickBot trojan are doing after coming back to life. Ever since its re-emergence following the major takedown in 2020, the operators have released new and more persistent versions of the malware to claim successful attacks on victims. 

What do the reports say? 

According to ESET researchers’ telemetry, the infection rate of the trojan doubled from last year as it boasted new features. 
  • Some of the recent features include a new VNC module and an ‘injectDll’ module to monitor high-profile targets and steal banking details, respectively. 
  • The Global Threat Report for September 2021 by Check Point research also revealed that TrickBot continued to be one of the prominent malware used to target multiple organizations. 
  • The trojan regained its top position after having fallen into second place following a three-month-long reign.

Recent attack observed 

  • A fresh phishing campaign involving the TrickBot trojan was observed despite the recent arrest of two of its gang members.
  • In a series of tweets, Malwarebytes Threat Intelligence revealed that the trojan was used as a part of a new phishing campaign that was distributed via malicious Office files.
  • The attack campaign used the DLL sideloading attack technique to evade detection.  

The persisting BazarCall campaigns

  • The past few months also witnessed the evolution of a new phishing attack dubbed BazarCall that employed BazarLoader, another malware from the same threat actor gang. 
  • As a part of the attack, the users received an email that urged them to call the attackers to cancel a trial that is automatically charged. 
  • Upon calling the number, the victim is redirected to a phishing page that prompts them to share their login details.  
  • Besides making use of a fake call center setup, the malware also abused Slack and BaseCamp clouds as a part of social engineering techniques.   

The bottom line

TrickBot has evolved into one of the most widely recognized botnets in existence. In recent times, the malware has also been linked to many ransomware groups due to its versatility and resilience. Once on the machine, it moves laterally through networks and gathers as many credentials as possible. Upon gaining full control of the environment, the operators of TrickBot make sure that the remaining damage is done by the ransomware, leaving very few to no options to contain the attack.

Cyware Publisher