Go to listing page

TrickBot Operators Mistakenly Alert Victims on Malware Activity

TrickBot Operators Mistakenly Alert Victims on Malware Activity
The Trickbot malware group has been evolving its malware capabilities via its modular and expandable tactics architecture. In early July 2020, the TrickBot malware was found checking the screen resolution of an infected computer as a way for an anti-VM check. But this time, its operators displayed some loose ends in their working style, as the TrickBot malware erroneously deployed a test module alerting on the malware activity during the testing phase.

What’s new

Recently, Advanced Intelligence's Vitali Kremez found a new mysterious password and cookie-stealing test module version "0.6.8" in the Trojan that TrickBot devs forgot to remove when it went live.
  • The researchers sandboxed TrickBot banking malware activity that was related to the distribution group_tag "chil48". During operation, the Grabber.dll module displayed a warning in the default browser alerting that the program is gathering information and that the victim should ask their system administrator.
  • The module allows the malware to steal a domain's Active Directory Services database, steal OpenSSH keys, and spread laterally throughout a network. 
  • The module also attempts to harvest saved browser credentials and cookies from Google Chrome, Microsoft Edge, Internet Explorer, and Mozilla Firefox.

Ransomware gangs’ howler

Several ransomware groups were seen making some blunders while targeting their victims even in the COVID-19 pandemic, including some highly-active groups.
  • In June 2020, the Maze ransomware gang had hit a New York design and construction firm instead of the Canadian Standards Association (CSA Group), after which they posted an apology to the wrongly targeted financial institution.
  • In March 2020, the DoppelPaymer crew incorrectly identified their victim as CDBank and started dumping data files, but they actually attacked the Community Development Bank.

Safety tips

Users should take regular backups of sensitive data to prevent a ransomware threat. Use an effective AV solution on all devices, including smartphones. Always avoid using pirated software and always download all applications only from official app stores.

Cyware Publisher