CISA/FBI Issue Joint Alert About Spear Phishing Attacks Delivering TrickBot Malware


The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about TrickBot malware. TrickBot was first identified in 2016 and started out as a banking Trojan, but the malware has since gained a host of new capabilities and is now used extensively as a malware loader for delivering other malware families, including ransomware such as Ryuk and Conti.

“TrickBot has evolved into a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities,” explained CISA/FBI in the alert.

In October 2020, TrickBot survived an attempt by Microsoft and its partners to disrupt its infrastructure; spam campaigns distributing the malware soon recommenced, and TrickBot activity has surged in recent weeks. Earlier this month, Check Point researchers warned about an increase in TrickBot infections following the takedown of the Emotet botnet. TrickBot was the fourth most prevalent malware variant in 2020 and rose to third in January 2021; since the Emotet botnet was disrupted, TrickBot has become the most widely distributed malware variant and tops Check Point’s malware index for the first time.

TrickBot was used in the ransomware attack on Universal Health Services (UHS) that took systems offline for several weeks. TrickBot was used to gain initial access to UHS systems and to identify and harvest data, after which the Ryuk ransomware payload was delivered. The attack caused UHS to suffer losses of $67 million in 2020.

TrickBot is primarily distributed via spear phishing emails that are tailored to the organization being targeted. The emails use a combination of malicious attachments and hyperlinks to websites from which the malware is downloaded. In February, the TrickBot gang conducted a large-scale phishing campaign targeting the legal and insurance sectors that used a .zip file attachment containing malicious JavaScript to deliver the malware.

One of the most recent phishing campaigns uses fake traffic violation notifications as the lure to get recipients to open a “photo proof” of the violation. Opening the supposed photo runs a JavaScript file that establishes a connection with the gang’s command and control (C2) server, and the TrickBot malware is then downloaded onto the victim’s system.
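The two campaigns described above share one delivery mechanism: a .zip attachment (or a zipped “photo”) that actually contains a Windows script. A mail gateway or SOC triage script can catch that pattern before a user ever double-clicks it. The following is an added example written for this article, not code from the CISA/FBI alert or from any vendor; it inspects a ZIP attachment in memory, flags members with script or executable extensions (including double extensions such as `photo_proof.jpg.js`), recurses into nested archives, and treats password-protected or over-nested archives as uninspectable. The sample attachment it builds is constructed for the demonstration and contains no malware.

```python
import io
import zipfile
from typing import List

# Extensions that Windows hands to the Windows Script Host or runs directly
# when double-clicked. A zipped attachment containing any of these is a
# loader-style lure; the TrickBot .zip/.js campaigns are one instance.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".bat", ".cmd", ".exe", ".scr", ".dll", ".lnk",
}
MAX_NESTING = 3  # archives nested deeper than this are treated as uninspectable


def _risky_name(name: str) -> bool:
    """True if the member name ends in a script/executable extension.

    Checking the suffix of the whole name also catches double extensions
    such as 'photo_proof.jpg.js', which Explorer shows as 'photo_proof.jpg'
    when known extensions are hidden.
    """
    lower = name.lower()
    return any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def scan_zip_bytes(data: bytes, depth: int = 0, prefix: str = "") -> List[str]:
    """Return the paths of risky members inside a ZIP attachment.

    Nested ZIPs are opened recursively up to MAX_NESTING; anything that
    cannot be inspected (bad archive, encrypted member, too deep) is reported
    as a finding too, because 'could not scan' must not mean 'clean'.
    """
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [prefix + "<not a valid zip; could not be inspected>"]

    for info in zf.infolist():
        if info.is_dir():
            continue
        path = prefix + info.filename
        if info.flag_bits & 0x1:  # bit 0 of the general purpose flag = encrypted
            findings.append(path + " <password-protected; could not be inspected>")
        elif _risky_name(info.filename):
            findings.append(path)
        elif info.filename.lower().endswith(".zip"):
            if depth + 1 >= MAX_NESTING:
                findings.append(path + " <nested too deep; treat as uninspectable>")
            else:
                findings.extend(scan_zip_bytes(zf.read(info), depth + 1, path + "!/"))
    return findings


def should_quarantine(data: bytes) -> bool:
    """Policy decision for a gateway: hold the message if anything was flagged."""
    return bool(scan_zip_bytes(data))


def build_sample_attachment() -> bytes:
    """Constructed sample shaped like the traffic-violation lure described in the
    article: a notice plus a zipped 'photo proof' that is really a .js file.
    The contents are placeholders, not malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("photo_proof.jpg.js", "// placeholder script body, not malware\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("notice.pdf", b"%PDF-1.4 placeholder")
        z.writestr("evidence/photo_proof.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    for finding in scan_zip_bytes(sample):
        print("FLAGGED:", finding)
    print("quarantine:", should_quarantine(sample))
```

The design choice worth noting is that every failure to inspect is itself a finding: an attacker who password-protects the archive or nests it several levels deep is evading exactly this check, so the safe default is to hold the message rather than pass it through.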

TrickBot is capable of lateral movement via the Server Message Block (SMB) protocol, exfiltrates sensitive data from victim systems, and is capable of cryptomining and host enumeration. “TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting to trying to manipulate, interrupt, or destroy systems and data,” explained CISA/FBI.

CISA has developed a Snort signature for detecting network activity associated with TrickBot malware, and the CISA/FBI alert also details cybersecurity best practices that make it harder for TrickBot to be installed and that help harden systems against network propagation.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
