TrickBot – Malware of the Month, August 2019
With damages racking up an average of $3.86 million per data breach, cybersecurity is a top business priority for organizations worldwide. The mindset of “prevention is better than infection” is the best defense against the seemingly inexhaustible lineup of malware attacks. In this series we profile a malware every month with pointers to secure your organization against it. Past Malware deep-dives have included Stegware aka Steganography, Invisible aka Fileless Malware, and Emotet. In this blog, we discuss TrickBot: a malware similar to Emotet and just as deadly.
What is TrickBot Malware?
TrickBot, at its root, is a form of Trojan malware. Like its namesake, malware of this type cleverly disguises its true intent. It is grabbing headlines after researchers realized that it has been stealthily compromising 250 million email accounts since 2016. What is dangerous about TrickBot is that it is constantly evolving with increasingly potent attacks.
How does TrickBot Attack?
- SpearPhishing: The malware is typically distributed via infected attachments or malicious URLs via spear-phishing. Spear-phishing refers to malicious emails that specifically target senior-level executives.
- Network Vulnerabilities: TrickBot propagates virally through the organization’s network by exploiting the Server Message Block (SMB) Protocol that allows Windows computers to disseminate information to other systems on the same network.
- Secondary payload: TrickBot is also a secondary infection dropped by the other powerful Trojan Malware – Emotet.
Over the past 3 years, TrickBot has spawned numerous inventive variants. Trojan.TrickBot installs itself with various attack modules accompanied by a configuration file.
- Persistence Module: TrickBot remains undetected by the endpoint user, and gains persistence by furtively creating a Scheduled Task.
- Open Redirection and Server Side Injection: TrickBot takes advantage of vulnerabilities such as open redirections and server side injections to steal login information from a user’s banking session. Using it, TrickBot can harvest financial information and defraud its victims.
- Cookie Stealing: TrickBot’s cookie stealing module gleans valuable user data such as the login state, website preferences, personalized content, etc.
- Remote Application Stealing: TrickBot added to its repertoire with a module to harvest remote desktop application credentials, enabling it to infect a host of applications.
- Viral Distribution: A new TrickBot module called TrickBooster uses infected computers to send spam emails, thus increasing the chances of them being opened as they are sent from trusted accounts. This is why TrickBot has a database of over 250 million email accounts and counting.
Securing against TrickBot
With ever-evolving malware types such as TrickBot, a multi-pronged approach to security is your best protection.
- Educate: As the main vector is malspam, educate employees across levels about the dangers of phishing and spear-phishing. Publicize an org-wide policy regarding email security hygiene.
- Update: Ensure that antivirus programs are auto-updated and the latest patches are regularly installed on all clients and servers in the network.
- Monitor: Use filters at email gateways to sniff out malicious emails. Monitor the network for suspicious changes in traffic or attempts to communicate with blacklisted IPs and domains,
- Restrict Access: Disable macros, disallow external application downloads and non-whitelisted URLs from being accessed.
Finally, it is always best to have a Plan B in place. In the event that any kind of malware attack should happen, a reliable backup and recovery solution will allow you to retrieve your data quickly and accurately with minimal impact to business continuity.