Trickbot, a banking malware has resurged again with new phishing campaigns and attacks after the collaboration of cybersecurity and technology companies disrupted the Trickbot malware in October last year. Trickbot malware evolved into a highly favorable form of malware among threat actors after starting life as a banking trojan.
Trickbot is a banking malware that sends victims banking-related website pages that almost look identical to the original thing. Trickbot is a replication of older malware Dyre/Dyreza and is also dispersed via malicious spam including HTML attachments. These HTML files download a Word document posing as a login form, in reality, it is embedded with a malicious macro that restores Trickbot from the threat actors’ command and control (C&C) server when permitted.
Microsoft targeted the infamous Trickbot malware last year due to its ability to possess ransomware that could pose a threat to the websites that display election information or to third party software dealers that supply resources to election officials. Trickbot can steal information, keys, and credentials and give backdoor access for transporting other malware, including ransomware.
Threat actors are specifically targeting legal and insurance companies in North America and sending phishing emails to the potential targets and tricking them to click on a link that will transfer them to a server that downloads a malicious payload.
Vinay Pidathala, director of security research at Menlo Security stated that “where there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot operations. While Microsoft and its partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment”.
UK’s National Cyber Security Centre (NCSC) issued the advisory that companies should patch the security vulnerabilities and should run on the latest versions of operating system and software.