CISA/FBI Give Joint Advisory Regarding Spear Phishing Attacks Spreading TrickBot Malware

The Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have released a joint security advisory concerning TrickBot malware. TrickBot was first discovered in 2016 and began as a banking Trojan; today it has many additional capabilities and is widely used as a malware loader to deliver other malware, such as the Ryuk and Conti ransomware.

The CISA/FBI alert states that TrickBot has become a highly modular, multi-stage malware that gives its operators a full toolset for carrying out a variety of criminal cyber activities.

In the latter part of 2019, TrickBot survived the effort by Microsoft and its partners to dismantle its infrastructure; spam campaigns distributing the malware resumed shortly afterward, and TrickBot activity has recently spiked. At the beginning of March, Check Point researchers warned of rising TrickBot infections right after the takedown of the Emotet botnet. In 2020, TrickBot was the 4th most prevalent malware variant, and it rose to 3rd in January 2021. After the Emotet botnet was disrupted, TrickBot became the most widely distributed malware variant and topped Check Point’s malware index for the first time.

TrickBot was involved in the ransomware attack on Universal Healthcare Services (UHS), which left systems shut down for several weeks. TrickBot was used to gain access to UHS systems and to identify and collect information before delivering the Ryuk ransomware payload. The attack cost UHS $67 million in losses in 2020.

TrickBot is mainly propagated through spear-phishing emails customized for the targeted company. The messages use a mix of malicious file attachments and links to web pages hosting downloadable malware. In February, the TrickBot gang ran a large phishing campaign aimed at the legal and insurance industries that used a .zip file attachment containing malicious JavaScript to deliver the malware.

The most recent phishing campaigns use phony traffic violation notices as the lure, prompting recipients to click to view “photo proof” of the violation. Clicking the photo launches a JavaScript file that connects to the gang’s command and control (C2) server, after which TrickBot is installed on the victim’s system.
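As an added example that is not part of the advisory or this article, the following Python script shows one defender-side check for the delivery pattern described above (a zip attachment carrying a script, in both the February campaign and the traffic-violation lure): it parses a raw email, locates zip attachments, and flags any archive whose members have script extensions such as .js. The extension list, the sender/recipient addresses and the sample message are assumptions constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Script-type extensions commonly delivered inside archive attachments
# (assumption: illustrative list, not taken from the advisory).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}

def script_members(zip_bytes: bytes) -> list[str]:
    """Return names of archive members whose extension is a script type."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if any(n.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS)]

def flag_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Parse a raw RFC 822 message and report zip attachments that carry scripts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Match on the declared extension or on the zip local-file-header magic.
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            hits = script_members(payload)
            if hits:
                findings.append((name, hits))
    return findings

def build_sample() -> bytes:
    """Construct a sample lure message: a zip holding a .js file (constructed, benign)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("traffic_violation_photo.js", "// constructed placeholder, not malware\n")
    msg = EmailMessage()
    msg["From"] = "notices@example.invalid"      # assumed sender
    msg["To"] = "recipient@example.invalid"      # assumed recipient
    msg["Subject"] = "Traffic violation notice"
    msg.set_content("Click the attached photo proof to view the violation.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="photo_proof.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(flag_message(build_sample()))
```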

TrickBot can move laterally over the Server Message Block (SMB) protocol, copy sensitive data from compromised systems, and perform cryptomining as well as host enumeration. According to CISA/FBI, TrickBot operators possess a set of tools spanning the entire MITRE ATT&CK framework, from passively or actively collecting data that can support targeting to attempting to manipulate, disrupt, or destroy systems and information.

CISA has created a Snort signature for detecting network activity associated with TrickBot. The CISA/FBI advisory also lists cybersecurity best practices that make TrickBot harder to install and that help harden systems against its propagation.