Digital attackers launched a new phishing scheme using fake traffic violations to infect victims with Trickbot.

The prospect of a traffic violation is enough to scare some people into opening an attack email. Once Trickbot has infected a machine, the attackers can use it to load further malware, such as Conti ransomware, onto the victim’s computer.

Read on to learn how to spot and defend against this attack.

Malicious JavaScript Hidden in Fake Photo Proof

In mid-March 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned in a joint advisory that attackers using Trickbot had begun using fake traffic violations as the lure in order to steal sensitive information from their victims.

The attack began when the target received a phishing email containing a link. Clicking it led to a website offering supposed ‘proof’ of the traffic violation. That ‘proof’ was a malicious JavaScript file; when the victim opened it (Windows runs .js files with the Windows Script Host by default), it connected to a command-and-control (C&C) server run by the attackers.

The C&C connection then served as the conduit for downloading Trickbot onto the victim’s machine. Once running, Trickbot stole login credentials using man-in-the-browser attacks (web injects into the victim’s browser sessions). The malware also carried modules for spreading across the affected network in order to infect other machines.

Trickbot: The Comeback Kid

In mid-October 2020, Microsoft announced that, backed by a court order and with the help of security companies and telecommunications providers around the world, it had disrupted Trickbot’s command-and-control infrastructure.

This takedown didn’t stop it in the long run, however. A researcher tweeted the following in November 2020:

2020-11-17:🆕🔥#TrickBot Banker #Malware | 🥳 100th built ➡️ “1101” cfg: 1⃣”Memory DLL loading code” (Github Copy/Paste) 2⃣Interesting Loader Process (Doppel)|Hollowing Injection via legitimate wermgr.exe w/ CreateProcessInternalW 🛡️Stay protected / 🔎 for wermgr process inj — Vitali Kremez (@VK_Intel) November 17, 2020

He had spotted the 100th build of the malware about a month after the supposed takedown. A few weeks later, a module dubbed ‘TrickBoot’ emerged. It checked whether a machine’s UEFI/BIOS firmware write protections were enabled, i.e. whether the firmware could be modified, laying the groundwork for a firmware-level persistence mechanism that would survive reinstalling the operating system or replacing the disk.

Trickbot was sometimes deployed as a second-stage payload by the infamous Emotet botnet. Partly because of these updates, and partly because the Emotet takedown in January 2021 removed its main rival, Check Point ranked Trickbot No. 1 on its most wanted malware list in March 2021.

How to Defend Against the Latest Trickbot Attack

This campaign shows why businesses need to defend against phishing emails carrying Trickbot and similar threats.

Toward that end, invest in a security awareness training program so that employees recognize the latest email-borne attacks. Consider adding awareness training to the onboarding process so that new employees know how to interact with the help desk, and how to report potential threats, from the moment they join.

Organizations also need technical controls that complement the human ones. These can include banners that warn employees when a message came from outside the organization, blocking macros in Office documents that arrive as email attachments or downloads, and flagging or quarantining mail from disallowed sender domains. Together, these defenses and others like them make it more likely that you spot an attack such as this Trickbot campaign before it reaches a business account.
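The following is an added example, not code from the article or from the CISA/FBI advisory: the three technical controls above expressed as Windows and Exchange Online administration in PowerShell, plus a fourth that the article does not list (opening script files in Notepad instead of the Windows Script Host, since the campaign’s first stage is a .js file). It assumes Office 2016 or later (registry hive version 16.0), an Exchange Online tenant with the ExchangeOnlineManagement module installed, and a block-list of sender domains; the domains in the script are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or the advisory). Assumptions: Office 16.0
# hive, Exchange Online with the ExchangeOnlineManagement module, and the
# placeholder block-list below. Run on a test machine before rolling out by GPO.

# 1. Block macros in Office files that carry the Mark-of-the-Web, i.e. files
#    downloaded from the internet or saved from an e-mail attachment. This is
#    the "Block macros from running in Office files from the Internet" policy
#    written to the per-user policy key (push it via GPO for a whole domain).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# 2. Open .js/.jse/.wsf files in Notepad instead of the Windows Script Host,
#    so a "proof of violation" script that a user double-clicks is displayed
#    rather than executed. (Added control, not one the article lists. This only
#    changes the shell "Open" verb; wscript.exe itself still runs if invoked
#    directly, so pair it with application control where possible.)
foreach ($progId in 'JSFile', 'JSEFile', 'WSFFile') {
    $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    if (Test-Path $cmdKey) {
        Set-ItemProperty -Path $cmdKey -Name '(default)' `
            -Value "`"$env:SystemRoot\system32\notepad.exe`" `"%1`""
    }
}

# 3. Exchange Online transport rules: tag every message from outside the
#    organisation, and quarantine mail from sender domains on a block-list.
Connect-ExchangeOnline   # interactive sign-in; needs an Exchange admin role

New-TransportRule -Name 'Tag external senders' `
    -FromScope NotInOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<p style="color:#a00"><b>CAUTION:</b> This message came from outside the organisation. Do not click links or open attachments you did not expect; report anything suspicious to the help desk.</p>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Constructed placeholder domains; replace with the organisation's own list.
$BlockedSenderDomains = @('traffic-notice.example', 'violation-proof.example')

New-TransportRule -Name 'Quarantine blocked sender domains' `
    -SenderDomainIs $BlockedSenderDomains `
    -Quarantine $true
```

The macro policy and the script-handler change are per-machine hardening and belong in a Group Policy object rather than a one-off script; the two transport rules are tenant-wide and take effect for all mailboxes once created, so test them on a pilot group first.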
