The infamous Trickbot botnet is back with new phishing and malware campaigns, mostly targeting insurance and legal enterprises in North America. An analysis from Menlo Security found an ongoing malware campaign in which Trickbot operators used various phishing techniques to trick users into clicking a link and downloading the Trickbot malware onto their devices.
Once the user clicks the malicious link in the email, it redirects the user to a compromised server that prompts the victim to download the malicious payload. The redirected page contains a "Download Photo Proof" button which, if clicked, downloads a malicious JavaScript file that compromises the victim’s device.
“The initial vector appears to be an email, which includes a link to a URL. While in the past, Trickbot has used weaponized documents, the infection mechanism detailed in this campaign seems to be a new modus operandi used by this group,” Menlo Security said.
The Trickbot Botnet
Trickbot began as a banking Trojan and evolved into prolific malware used in several cyberattacks against businesses and individuals across the globe. It is specially crafted to access victims’ online accounts and obtain personally identifiable information (PII). Trickbot was linked to numerous malware and ransomware attacks in 2020, many of which leveraged COVID-19 themed emails.
Trickbot’s Capabilities
- Lateral movement in the network for maximum damage
- Exfiltrating user credentials from browsers
- Exfiltrating Active Directory Services databases
- Stealing cookies and OpenSSH keys
- Stealing RDP, VNC, and PuTTY credentials
- Installing additional payloads like ransomware
The Comeback
In October 2020, Microsoft disrupted Trickbot operations and infrastructure by working with telecommunications providers around the world. “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems,” Microsoft said.
While the actions of Microsoft and its partners resulted in a dip in Trickbot’s operations, the latest signs of its phishing campaigns are again fueling fears of the forgotten malware.