Digital attackers launched a new phishing scheme using fake traffic violations to infect victims with Trickbot.
With the prospect of a traffic violation, some people would be scared into opening an attack email. In the aftermath of a successful Trickbot malware infection, the attackers then could load other malware, such as Conti ransomware onto a victim’s computer.
Read on to learn how to spot and defend against this attack.
Malicious JavaScript Hidden in Fake Photo Proof
In mid-March, the U.S. Cybersecurity and Infrastructure Security Agency, along with the FBI, announced that attackers using Trickbot had begun using fake traffic violations in order to steal sensitive information from their victims.
The attack began when someone received a malicious email containing a link. Clicking on that link sent the victim to a website with a link to supposed ‘proof’ of their traffic violation. This ‘proof’ downloaded a malicious JavaScript file that established a connection with a command-and-control (C&C) server run by the attackers.
Next, the C&C connection served as a conduit for Trickbot to infect the victim’s machine. From there, it stole their login credentials by using man-in-the-middle attacks. The malware also arrived with the ability to spread across an affected network in order to infect other machines.
Trickbot: The Comeback Kid
In mid-October, Microsoft announced that it had succeeded in disrupting Trickbot with the help of telecommunications providers around the world.
This takedown didn’t stop it in the long run, however. A researcher tweeted out the following in November:
2020-11-17:🆕🔥#TrickBot Banker #Malware | 🥳 100th built ➡️ “1101”
cfg:
1⃣”Memory DLL loading code” (Github Copy/Paste)
2⃣Interesting Loader Process (Doppel)|Hollowing Injection via legitimate wermgr.exe w/ CreateProcessInternalW
🛡️Stay protected / 🔎 for wermgr process inj pic.twitter.com/Pq7hWP4MZ6
— Vitali Kremez (@VK_Intel) November 17, 2020
He discovered the 100th variant of the malware strain about a month after the supposed takedown. A few weeks after that, a new type dubbed ‘TrickBoot’ emerged where the attackers checked a machine for vulnerabilities in order to interact with the device’s UEFI/BIOS firmware. That version of Trickbot also included a novel persistence mechanism.
Trickbot was sometimes deployed as a second-stage payload with the infamous Emotet malware. In part because of the updates to it, as well as due to the Emotet takedown, Check Point named Trickbot No. 1 on its most wanted malware list in March 2021.
How to Defend Against the Latest Trickbot Attack
This attack campaign shows the need for businesses to defend against phishing attacks carrying Trickbot and other digital threats.
Toward that end, invest in a security awareness training program. This will help employees understand the latest email-borne attacks. Consider adding awareness training into the on-boarding process so that new employees know how to interact with the help desk — and report potential threats — from the moment they join.
Organizations also need to implement technical controls that will complement their human controls. These can include setting up banners to warn employees of when an email message came from the outside or forbidding launching macros from an email attachment. In addition, it could include flagging emails that come from disallowed domains. By using these defenses and others, you’re more likely to spot potential attacks on business accounts like Trickbot.