TrickBot Operators Now Use ‘Traffic Violations’ to Spear-Phish Unsuspecting Victims

The Cybersecurity & Infrastructure Security Agency (CISA) and the FBI have released a Joint Cybersecurity Advisory on TrickBot warning that a sophisticated group of cyber actors are sending phishing emails claiming to contain proof of traffic violations to lure victims into downloading the insidious malware.

TrickBot is a modular, multi-stage Trojan that packs a full array of tools to wage cyber-attacks. The malware is notorious among cybercriminals because, apart from its primary purpose of collecting sensitive data and harvesting credentials from victims, it packs features designed to move laterally across compromised networks and infect other machines. This ability makes TrickBot highly resilient to cleanups, letting ransomware operators establish persistence on the targeted infrastructure and deliver payloads on high-value targets.

TrickBot’s operations were partially disrupted in the second half of 2020, but the two agencies have spotted renewed efforts from “sophisticated” threat actors leveraging the malware.

CISA and the FBI say they’ve observed “continued targeting through spearphishing campaigns using TrickBot malware in North America,” noting that a “sophisticated” group of hackers is luring victims with a traffic infringement phishing scheme to download the Trojan.

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download TrickBot to the victim’s system.”
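The lure quoted above ends with the victim opening a JavaScript file that was presented as a photo. The following triage heuristic is an added example, not code from the advisory or the article: it flags downloads whose name promises photo evidence but which are really script files, and files with an image extension whose content is not an image. The file names and byte strings are constructed samples, not real indicators.

```python
"""Heuristic triage of downloaded files for the 'photo proof' JavaScript lure.

Constructed example: the names, byte strings and keyword list are assumptions
chosen to illustrate the check, not indicators taken from the advisory.
"""
import re
from dataclasses import dataclass

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
SCRIPT_EXTS = {"js", "jse"}            # Windows Script Host file types
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"GIF8", b"BM")   # JPEG, PNG, GIF, BMP
LURE_WORDS = re.compile(r"(photo|proof|violation|traffic|ticket|fine)", re.I)


@dataclass
class Download:
    filename: str   # name as saved by the browser or mail client
    head: bytes     # first bytes of the file content


def lure_indicators(d: Download) -> list[str]:
    """Return the reasons a download resembles the script-disguised-as-photo lure."""
    findings = []
    parts = d.filename.lower().rsplit(".", 2)   # at most: stem, inner ext, outer ext
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in SCRIPT_EXTS:
        findings.append("script file offered as a download")
        if len(parts) == 3 and parts[1] in IMAGE_EXTS:
            findings.append("double extension masquerading as an image")
        if LURE_WORDS.search(d.filename):
            findings.append("traffic-violation lure wording in script name")
    elif ext in IMAGE_EXTS and not d.head.startswith(IMAGE_MAGIC):
        findings.append("image extension but content is not an image")
    return findings


# Constructed sample downloads (not real indicators).
SAMPLE_DOWNLOADS = [
    Download("traffic_violation_photo.jpg.js", b"var a = new ActiveXObject("),
    Download("violation_proof.js", b"function run(){"),
    Download("IMG_2041.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    Download("ticket.png", b"<html><script>"),
]


def triage(downloads: list[Download]) -> dict[str, list[str]]:
    """Map each suspicious file name to its findings; clean files are omitted."""
    return {d.filename: f for d in downloads if (f := lure_indicators(d))}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DOWNLOADS).items():
        print(name, "->", "; ".join(reasons))
```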

Attackers typically use TrickBot to drop other malware, such as Ryuk and Conti ransomware, or to serve as an Emotet downloader.

Alert (AA21-076A) offers granular technical details about the enterprise techniques used to establish initial access, gain persistence, escalate privileges, evade defenses, call back to the command-and-control (C2) server and exfiltrate data.

MITRE ATT&CK techniques are also mapped, alongside a list of Snort signatures for detecting network activity associated with TrickBot attacks.

To secure against TrickBot, CISA and FBI recommend implementing the mitigation measures described in the advisory, which include blocking suspicious IP addresses, using antivirus software, and providing social engineering and phishing training to employees.