Starting as a banking trojan, TrickBot has been continuously evolving to perform a variety of malicious behavior. It is known for leveraging the current affairs to lure its victims, andmost recently, it has been observed leveraging the theme of ‘Black Live Matter’ to target its victims.
Capitalizing on the Black Lives Matter movement
A new Trickbot phishing campaign was discovered amidst widespread protests across the U.S.
- In June 2020, the campaign lured Americans by pretending to be from "Country Administration," and asked recipients to "Vote anonymously about 'Black Lives Matter'".
- The email prompts recipients to fill out and return an attached document. It tricks them into enabling the macros that download and execute a malicious DLL for the TrickBot trojan.
- The trojan downloads further modules to steal files, passwords, spread laterally throughout the network, and also allows other threat actors to install additional malware.
Past attacks by Trickbot
- In June 2020, Panda Security discovered a new phishing campaign in which the TrickBot trojan deployed a new module called ‘BazarBackdoor’ to compromise and gain full access to corporate networks.
- In May 2020, Palo Alto Networks observed that TrickBot updated one of its propagation modules known as “mworm” to a new stealthy malware spreading module called “nworm” that helps avoid detection.
- In April 2020, Microsoft said that based on Office 365 ATP data, Trickbot is the most prolific malware operation using COVID-19 themed lures.
- In April 2020, IBM X-Force uncovered a new Trickbot campaign that targeted email recipients with fake messages purporting to come from the U.S. Department of Labor (DoL), leveraging the Family and Medical Leave Act (FMLA).
Most of the cyberattacks begin with a spear-phishing email and most of these targeted emails use malicious file attachments to deliver malicious payloads. Users should use spam filters, multi-factor authentication, data backups, and enable automatic software updates to deal with any new security threats.