TrickBot may sound like an engaging name for an impish bit of cyber play, but this Trojan malware is as serious as a heart attack.
As recently as March of 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) announced that they have observed and are warning of ongoing TrickBot spearphishing campaigns in North America. This includes anticipated attacks on hospitals and healthcare systems rendered vulnerable as a result of the pandemic.
According to the FBI and CISA, TrickBot is “a Trojan developed and operated by a sophisticated group of cybercrime actors.” It originally surfaced in 2016 to steal the banking credentials of unsuspecting victims.
Over four years, it has evolved into “highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.”
Its new reach targets numerous other industries, including healthcare, as well as government agencies at all levels.
TrickBot is actively being used by cybercriminals for two purposes:
Until recently, TrickBot was also being used to download Emotet, banking malware that steals sensitive financial data. However, in January 2021, authorities located and seized the Emotet infrastructure and shut it down. Score one for the good guys!
Phishing and spearphishing campaigns are the means of choice for cybercriminals seeking to infect systems with TrickBot. Personalized spoofed emails contain tempting bait, in the form of malicious links and/or attachments. The malware installation process is set in motion when the email recipient clicks on one bait or the other.
A popular ploy is a targeted email informing the recipient that they have been captured on camera in a traffic violation. They are cued to click on the email link or attachment to view proof of the violation. That click takes the reader to a malicious website which provides a link to the supposed photographic proof of the traffic violation.
When the photo link on the website is clicked, a malicious JavaScript file is opened; the script then fetches TrickBot from the cybercriminal’s command and control server and installs it on the victim’s system.
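The delivery chain above (lure email, link or attachment, script file, download of the Trojan) is exactly what a mail gateway can triage before anyone clicks. The following added example is not part of the original post or of any CISA tooling; it is a small Python filter that parses a raw message, lists attachments and links, and flags script-type attachments or links whose path points at a script file. The extension lists, the sample message, and the domain `example.invalid` are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed policy for the example: script types that run when
# double-clicked on a Windows host, plus containers that often hide them.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".ps1"}
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar", ".iso"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _extension(name):
    """Return the final extension of a file name or URL path, lower-cased."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def extract_links(msg):
    """Collect every http(s) URL from the text and HTML bodies of a message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            links.extend(URL_RE.findall(part.get_content()))
    return links


def triage_message(raw):
    """Return a list of human-readable findings for one raw RFC 822 message.

    An empty list means nothing in the attachment or link heuristics fired.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        if ext in SCRIPT_EXTENSIONS:
            findings.append(f"script attachment: {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.append(f"archive attachment (inspect contents): {name}")
    for url in extract_links(msg):
        if _extension(urlparse(url).path) in SCRIPT_EXTENSIONS:
            findings.append(f"link to script file: {url}")
    return findings


def build_sample(lure=True):
    """Build a constructed test message; lure=True mimics the traffic-violation ploy."""
    msg = EmailMessage()
    msg["From"] = "traffic-notice@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Notice of traffic violation"
    if lure:
        msg.set_content("Proof of your violation: http://example.invalid/case/photo_4412.js\n")
        msg.add_attachment(b"var x = 1;", maintype="application",
                           subtype="javascript", filename="photo_4412.jpg.js")
    else:
        msg.set_content("Your statement is available at http://example.invalid/account/statement.html\n")
        msg.add_attachment(b"%PDF-1.4", maintype="application",
                           subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print("FLAG:", finding)
    print("benign findings:", triage_message(build_sample(lure=False)))
```

A real gateway would go on to open the archives it flags and to submit flagged URLs for further analysis; the point here is that both stages of the lure (the script attachment and the link to a script file) are visible from the message alone, before the recipient is ever tempted to click.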
The ultimate goal, of course, is to steal sensitive individual or company information that can either be used for additional criminal purposes or sold for profit on the black market in cyberspace.
With so many cameras installed at intersections, storefronts, and elsewhere, it is not difficult to believe that you might have been caught speeding and are liable to be cited and fined. Hence the popularity of this particular ploy.
In addition to spearphishing campaigns, there are several other means of infecting systems with TrickBot. These include email spam campaigns, malvertising, and exploitation of network vulnerabilities such as those in the Server Message Block (SMB) protocol.
One of TrickBot’s technical tricks is to use man-in-the-browser attacks to steal information, such as login credentials, according to the FBI/CISA Alert.
In addition, some TrickBot modules can spread the malware laterally across a network by exploiting Server Message Block (SMB) vulnerabilities.
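Lateral spread over SMB leaves a signature that network defenders can look for: one internal host opening connections to many different internal hosts on TCP port 445 in a short span of time. The following added example is not from the original post or from the FBI/CISA alert; it is a Python detector that runs over a constructed connection log (the line format, the addresses, the 60-second window and the threshold of five distinct destinations are all assumptions for the demonstration) and raises one alert per source host that fans out that way.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for the example; a real feed would be NetFlow,
# Zeek conn logs or firewall events with the same four fields.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

SAMPLE_LOG = """\
2021-03-10T14:02:05 src=10.0.5.23 dst=10.0.5.40 dport=445 proto=tcp
2021-03-10T14:02:09 src=10.0.5.77 dst=10.0.5.1 dport=445 proto=tcp
2021-03-10T14:02:15 src=10.0.5.23 dst=10.0.5.40 dport=445 proto=tcp
2021-03-10T14:02:18 src=10.0.5.77 dst=10.0.5.2 dport=445 proto=tcp
2021-03-10T14:02:20 src=10.0.5.77 dst=10.0.5.3 dport=80 proto=tcp
2021-03-10T14:02:27 src=10.0.5.77 dst=10.0.5.3 dport=445 proto=tcp
2021-03-10T14:02:33 src=10.0.5.77 dst=10.0.5.4 dport=445 proto=tcp
2021-03-10T14:02:40 src=10.0.5.77 dst=10.0.5.5 dport=445 proto=tcp
2021-03-10T14:02:44 src=10.0.5.23 dst=10.0.5.40 dport=445 proto=tcp
"""


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport) or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_smb_fanout(lines, window_seconds=60, threshold=5):
    """Return [(timestamp, src, distinct_destinations)] for hosts that reach
    `threshold` or more distinct SMB peers within a sliding window.

    Lines are assumed to be in chronological order, as a live feed would be.
    Each source host is alerted on at most once so a noisy scanner does not
    flood the console.
    """
    window = timedelta(seconds=window_seconds)
    history = defaultdict(deque)  # src -> deque of (timestamp, dst) within the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport != 445:
            continue
        recent = history[src]
        recent.append((ts, dst))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        distinct = {d for _, d in recent}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((ts, src, len(distinct)))
    return alerts


if __name__ == "__main__":
    for ts, src, count in detect_smb_fanout(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} possible SMB lateral movement from {src}: "
              f"{count} distinct hosts on 445 within the window")
```

In the sample, 10.0.5.23 talks repeatedly to a single file server and never trips the rule, while 10.0.5.77 touches five different hosts on port 445 inside 31 seconds and is reported once. Tune the threshold against your own baseline: domain controllers, backup servers and vulnerability scanners legitimately fan out over SMB and belong on an allow list rather than in the alert queue.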
The TrickBot toolset covers techniques across the MITRE ATT&CK framework, from collecting data to use for email targeting to manipulating, interrupting, or destroying systems and data.
TrickBot is capable of data exfiltration, crypto mining, and host enumeration, such as reconnaissance of Unified Extensible Firmware Interface (UEFI) or Basic Input/Output System (BIOS) firmware, according to the Alert.
In short, TrickBot is no joke. Network and system administrators need to make sure their cybersecurity defenses are current and strong. This includes hardening the weakest link in the security chain by launching employee security training immediately and ensuring periodic retraining.
The FBI and CISA have provided mitigation guidance to safeguard against TrickBot, including security best practices in both the public and private sectors. As always, they caution that any configuration changes or updates should be tested prior to implementation to prevent unexpected problems.
Following are their joint recommendations.
CISA has developed a Snort signature for detecting network activity associated with TrickBot, which is presented in its entirety in the FBI/CISA Alert.
For additional guidance, the FBI recommends reviewing the pages on MITRE ATT&CK Techniques as well as CISA Alert AA20-245A on malware discovery and remediation.
As noted in a previous blog on e-skimming, the importance of employee training, and periodic refresher training, can never be overstated as a means of reducing risk. Unsuspecting employees have been responsible for activating TrickBot, however innocently.
Employee training in social engineering, phishing, and other ploys is crucial. Training should include lessons in the damage that can be inflicted on company networks and data by simply clicking on links or attachments in email messages. Train employees to be suspicious and teach them why they need to be. Instead of being the weakest links in the security chain, vigilant, well-informed employees can actually enhance your front-line defenses.
Because everyone learns a little differently, for the optimum effect, your cybersecurity awareness training should include a mix of components. These may include classroom training, virtual training such as online webinars and self-paced web-based training, newsletters and blogs, and regular email reminders and security quizzes.
The TrickBot Trojan is fairly new on the cybercrime scene but has wreaked serious havoc since it was first spotted in 2016. In March of 2021, the FBI and CISA announced recent observations of TrickBot in North America and issued a joint alert with mitigation recommendations and tools.
TrickBot installs malware to steal data, login credentials, and other information assets from vulnerable networks, and can also install ransomware. TrickBot relies on unsuspecting employees to click on tempting links provided in emails and attachments in targeted phishing campaigns, known as spearphishing.
CISOs should be aware of the ongoing TrickBot threat and ensure that all employees are fully trained to recognize and report suspicious emails. Network and system administrators should act quickly to harden security in accordance with FBI recommendations.
On May 11th at 2 PM Eastern Time, the Cybersecurity and Infrastructure Security Agency (CISA) co-hosted a webinar to explore how prioritizing cybersecurity hygiene can enhance your business and how understanding CISA Cyber Essentials can help. Learn more at Cybersecurity: How’s Your Hygiene? - Stay Safe Online.