Last week ForcePoint Security Labs, which has been tracking the TrickBot banking trojan since it first appeared in mid-2016, concluded that it is now being spread by a botnet. TrickBot mostly targets banks, building societies and other financial institutions.
Many links in the code suggest that it was developed by the same people involved in Dyreza: although written from scratch, TrickBot shares many similarities with the earlier malware, for example a similar loader. Initially it was spread through a malvertising campaign targeting banks in Australia; later that year it moved to the UK, and later still began to hit financial institutions in countries including Germany and the USA.
"[Phishing] is a beautiful concept: it's emails from ADP, your payroll, your HR organisation - it's a beautiful form of attack" - Marcin Kleczynski, CEO of Malwarebytes
Last week, ForcePoint observed a malicious email campaign originating from the Necurs botnet. Necurs is an established botnet that has been active for at least five years, but this was the first time it had been seen distributing TrickBot. The campaign lasted from about 9am to 6pm BST, and ForcePoint alone stopped almost 10 million emails.
The emails followed one of three layouts: those claiming to carry an invoice (with an attached PDF); those with a nonsense subject of eight random digits (also with an attached PDF); and those with a blank subject (with an attached .doc, claiming to be a scan of something). Both attachment types carried a document containing a macro downloader, which fetched the trojan itself.
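The three layouts above are specific enough to turn into mail-gateway triage rules. The following is an added example (not Forcepoint's or Computing's code) that classifies messages by subject pattern and attachment type, and escalates to a block when an upstream attachment scanner has already flagged a macro. The `Message` fields, the `has_macro` flag and the sample messages are all constructed for illustration; the subject patterns themselves follow the article's description of the campaign.

```python
"""Triage rules for the three TrickBot/Necurs email layouts described above.

Added example; the message records below are constructed, not real captures,
and `has_macro` is assumed to be populated by a separate attachment scanner.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Eight digits and nothing else, e.g. "48213690" (layout 2).
EIGHT_DIGITS = re.compile(r"^\d{8}$")
# Word "invoice" anywhere in the subject (layout 1).
INVOICE = re.compile(r"\binvoice\b", re.IGNORECASE)


@dataclass
class Message:
    subject: str
    attachments: List[str] = field(default_factory=list)  # filenames
    has_macro: bool = False  # assumed: set by an upstream macro scanner


def _extensions(msg: Message) -> set:
    """Lower-cased extensions of every attachment that has one."""
    return {a.rsplit(".", 1)[-1].lower() for a in msg.attachments if "." in a}


def classify(msg: Message) -> Optional[str]:
    """Return the campaign layout a message matches, or None if it matches none."""
    exts = _extensions(msg)
    subject = msg.subject.strip()
    if INVOICE.search(subject) and "pdf" in exts:
        return "invoice-pdf"
    if EIGHT_DIGITS.match(subject) and "pdf" in exts:
        return "random-digits-pdf"
    if subject == "" and exts & {"doc", "docm"}:
        return "blank-subject-doc"
    return None


def triage(msgs: List[Message]) -> List[Tuple[int, str, str]]:
    """Return (index, layout, verdict) for every message that matches a layout.

    A layout match alone is quarantined for review; a match whose attachment
    also carries a macro is blocked outright, since that is the downloader.
    """
    results = []
    for i, msg in enumerate(msgs):
        layout = classify(msg)
        if layout is None:
            continue
        verdict = "block" if msg.has_macro else "quarantine"
        results.append((i, layout, verdict))
    return results


# Constructed sample traffic: three campaign-shaped messages and three benign ones.
SAMPLE = [
    Message("Invoice INV-2017-0812", ["invoice.pdf"], has_macro=True),
    Message("48213690", ["48213690.pdf"], has_macro=False),
    Message("", ["scan_0001.doc"], has_macro=True),
    Message("Re: lunch on Friday", ["agenda.docx"]),
    Message("Invoice", []),              # no attachment, nothing to download
    Message("1234567", ["report.pdf"]),  # seven digits, not eight
]

if __name__ == "__main__":
    for index, layout, verdict in triage(SAMPLE):
        print(f"message {index}: {layout} -> {verdict}")
```

These rules fingerprint one day's campaign and will go stale as soon as the subject templates change; the durable signal is the macro-bearing document itself, which is why the macro flag decides the verdict and the layout match only decides whether a reviewer sees it.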
TrickBot continues to widen its focus
It is interesting to note that the campaign contained the group tag 'mac1'. It downloaded configuration files with an updated list of targeted financial institutions. From 51 targeted URLs seen in the 'dinj' configuration file in April, there are now 130, including 16 French banks and a number of PayPal URLs.
The 'sinj' configuration file had been similarly expanded; from 109 URLs to 333, including 34 institutions in the Nordics.
Human error, exploited through social engineering, is commonly referred to as the weak spot in security processes. Marcin Kleczynski of Malwarebytes told us at InfoSec that his company - remember, one of the world's premier security firms - had recently run a phishing test against its own employees:
"[I]t was a click-through rate of five to six per cent. The breakdown was as follows: sales organisation, finance organisation, marketing organisation. They clicked the emails, entered their credentials; even emailed the helpdesk asking them to help open it. The research organisation, on the other hand, was like, 'Hey, we disassembled these files, we looked inside - what are you trying to do to us?'"