April 15, 2021 By David Bisson 2 min read

Digital attackers launched a new phishing scheme using fake traffic violations to infect victims with Trickbot.

With the prospect of a traffic violation, some people would be scared into opening an attack email. In the aftermath of a successful Trickbot malware infection, the attackers then could load other malware, such as Conti ransomware onto a victim’s computer.

Read on to learn how to spot and defend against this attack.

Malicious JavaScript Hidden in Fake Photo Proof

In mid-March, the U.S. Cybersecurity and Infrastructure Security Agency, along with the FBI,  announced that attackers using Trickbot had begun using fake traffic violations in order to steal sensitive information from their victims.

The attack began when someone received a malicious email containing a link. Clicking on that link sent the victim to a website with a link to supposed ‘proof’ of their traffic violation. This ‘proof’ downloaded a malicious JavaScript file that established a connection with a command-and-control (C&C) server run by the attackers.

Next, the C&C connection served as a conduit for Trickbot to infect the victim’s machine. From there, it stole their login credentials by using man-in-the-middle attacks. The malware also arrived with the ability to spread across an affected network in order to infect other machines.

Trickbot: The Comeback Kid

In mid-October, Microsoft announced that it had succeeded in disrupting Trickbot with the help of telecommunications providers around the world.

This takedown didn’t stop it in the long run, however. A researcher tweeted out the following in November:

2020-11-17:🆕🔥#TrickBot Banker #Malware | 🥳 100th built ➡️ “1101” cfg: 1⃣”Memory DLL loading code” (Github Copy/Paste) 2⃣Interesting Loader Process (Doppel)|Hollowing Injection via legitimate wermgr.exe w/ CreateProcessInternalW 🛡️Stay protected / 🔎 for wermgr process inj pic.twitter.com/Pq7hWP4MZ6 — Vitali Kremez (@VK_Intel) November 17, 2020

He discovered the 100th variant of the malware strain about a month after the supposed takedown. A few weeks after that, a new type dubbed ‘TrickBoot’ emerged where the attackers checked a machine for vulnerabilities in order to interact with the device’s UEFI/BIOS firmware. That version of Trickbot also included a novel persistence mechanism.

Trickbot was sometimes deployed as a second-stage payload with the infamous Emotet malware. In part because of the updates to it, as well as due to the Emotet takedown, Check Point named Trickbot No. 1 on its most wanted malware list in March 2021.

How to Defend Against the Latest Trickbot Attack

This attack campaign shows the need for businesses to defend against phishing attacks carrying Trickbot and other digital threats.

Toward that end, invest in a security awareness training program. This will help employees understand the latest email-borne attacks. Consider adding awareness training into the on-boarding process so that new employees know how to interact with the help desk — and report potential threats — from the moment they join.

Organizations also need to implement technical controls that will complement their human controls. These can include setting up banners to warn employees of when an email message came from the outside or forbidding launching macros from an email attachment. In addition, it could include flagging emails that come from disallowed domains. By using these defenses and others, you’re more likely to spot potential attacks on business accounts like Trickbot.

More from News

DHS awards significant grant to improve tribal cybersecurity

4 min read - The Department of Homeland Security (DHS) has awarded $18.2 million in grants through the Tribal Cybersecurity Grant Program to boost cybersecurity defenses among Native American Indian Tribes. The program takes a big step in addressing the unique digital threats faced by tribal communities — a dedicated effort to improve cybersecurity infrastructure across these regions. The $18.2 million grant is just one component of DHS's broader strategy to enhance national cybersecurity. Administered by the Federal Emergency Management Agency (FEMA) in partnership…

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

3,000 “ghost accounts” on GitHub spreading malware

3 min read - In the past, cyber criminals directly distributed malware on GitHub using encrypted scripting code or malicious executables. But now threat actors are turning to a new tactic to spread malware: creating ghost accounts. A highly effective malware campaign Check Point Research recently exposed a new distribution-as-a-service (DaaS) network, referred to as the Stargazers Ghost Network, that has been spreading malware on GitHub for at least a year. Because the accounts perform typical activities as well, users did not realize that…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today