The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about TrickBot malware. TrickBot was first identified in 2016 and started out as a banking Trojan, but a host of new capabilities has since been added, and it is now used extensively as a malware loader for delivering other malware variants, including ransomware such as Ryuk and Conti.
“TrickBot has evolved into a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities,” explained CISA/FBI in the alert.
In October 2020, TrickBot survived an attempt by Microsoft and its partners to disrupt its infrastructure; spam campaigns distributing the malware soon resumed, and TrickBot activity has surged in recent weeks. Earlier this month, Check Point researchers warned of an increase in TrickBot infections following the takedown of the Emotet botnet in January 2021. TrickBot was the fourth most prevalent malware variant in 2020 and rose to third in January 2021; since the Emotet botnet was disrupted, TrickBot has become the most widely distributed malware variant and tops Check Point’s malware index for the first time.
TrickBot was used in the ransomware attack on Universal Health Services (UHS) that took systems offline for several weeks. The attackers used TrickBot to gain access to UHS systems, gather information and harvest data, and then deliver the Ryuk ransomware payload. UHS attributed $67 million in losses in 2020 to the attack.
TrickBot is capable of lateral movement via the Server Message Block (SMB) Protocol, exfiltrates sensitive data from victim systems, and is capable of cryptomining and host enumeration. “TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting to trying to manipulate, interrupt, or destroy systems and data,” explained CISA/FBI.
CISA has developed a Snort signature for detecting network activity associated with TrickBot malware, and the CISA/FBI alert also details cybersecurity best practices that make it harder for TrickBot to be installed and help harden systems against network propagation.