Trickbot is back again - with fresh phishing and malware attacks

The Trickbot botnet was disrupted by a coalition of cybersecurity companies late last year - but researchers have detailed what appears to be a new Trickbot campaign.
Written by Danny Palmer, Senior Writer

Trickbot malware is back with a new campaign – just a few months after its operations were disrupted by a coalition of cybersecurity and technology companies.

Initially starting life as a banking trojan, Trickbot evolved to become a highly popular form of malware among cyber criminals, particularly because its modular nature allowed for it to be used in many different kinds of attacks.

These include the theft of login credentials and the ability to propagate itself around the network spreading the infection further.

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

Trickbot even became a loader for other forms of malware, with cyber criminals taking advantage of machines already compromised by Trickbot as a means of delivering other malicious payloads, including ransomware.

In October last year, a takedown led by Microsoft disrupted the infrastructure behind the Trickbot malware botnet, but now it appears to be coming back to life as researchers at Menlo Security have identified an ongoing malware campaign that has the hallmarks of previous Trickbot activity.

These attacks appear to be exclusively targeting legal and insurance companies in North America, with phishing emails encouraging potential victims to click on a link that will redirect them to a server that downloads a malicious payload.

Many of these emails are claiming that the user has been involved in a traffic infringement and points them towards a download of the 'proof' of their misdemeanor – a social-engineering trick that can catch people off guard and panic them into downloading. In this case, the download is a zip archive that contains a malicious Javascript file – a typical technique deployed by Trickbot campaigns – which connects to a server to download the final malware payload.

Analysis of this payload indicates that it connects to domains that are known to distribute Trickbot malware, indicating that it's once again active and could pose a threat to enterprise networks.

"Where there's a will, there's a way. That proverb certainly holds true for the bad actors behind Trickbot's operations," said Vinay Pidathala, director of security research at Menlo Security.

"While Microsoft and it's partners' actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment," he added.

SEE: Cybersecurity: This 'costly and destructive' malware is the biggest threat to your network

An advisory on Trickbot by the UK's National Cyber Security Centre (NCSC) recommends that organisations use the latest supported versions of operating systems and software and to apply security patches in order to stop Trickbot and other malware exploiting known vulnerabilities to spread.

It's also recommended that organisations apply two-factor authentication across the network, so that in the event of one machine being compromised by malware, it's much harder for it to spread.


Editorial standards