The Cybersecurity & Infrastructure Security Agency (CISA) and the FBI have released a Joint Cybersecurity Advisory on TrickBot warning that a sophisticated group of cyber actors is sending phishing emails claiming to contain proof of traffic violations to lure victims into downloading the insidious malware.
TrickBot is a modular, multi-stage Trojan that packs a full array of tools to wage cyber-attacks. The malware is notorious among cybercriminals because, apart from its primary purpose of collecting sensitive data and harvesting credentials from victims, it packs features designed to move laterally across compromised networks and infect other machines. This ability makes TrickBot highly resilient to cleanups, letting ransomware operators establish persistence on the targeted infrastructure and deliver payloads on high-value targets.
TrickBot’s operations were partially disrupted in the second half of 2020, but the two agencies have spotted renewed efforts from “sophisticated” threat actors leveraging the malware.
CISA and the FBI say they’ve observed “continued targeting through spearphishing campaigns using TrickBot malware in North America,” noting that a “sophisticated” group of hackers is luring victims with a traffic infringement phishing scheme to download the Trojan.
Attackers typically use TrickBot to drop other malware, such as Ryuk and Conti ransomware, or as an Emotet downloader.
Alert (AA21-076A) offers granular technical details about the enterprise techniques used to establish initial access, gain persistence, escalate privileges, evade defenses, call back to the command and control (C2) server, and exfiltrate data.
The advisory also maps these behaviors to MITRE ATT&CK techniques and provides a list of Snort signatures for detecting network activity associated with TrickBot attacks.
To secure against TrickBot, CISA and the FBI recommend implementing the mitigation measures described in the advisory, which include blocking suspicious IP addresses, using antivirus software, and providing social engineering and phishing training to employees.