Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label TrickBot trojan. Show all posts

What TrickBot Tells Us About The Future of Malware

 

Malware is quickly evolving and operating at increasingly advanced levels of infectiousness and evasiveness. In the present cyberspace landscape, malicious groups possess highly advanced skilled developers, decentralized, corporate-like operations, and partnerships with other cybercriminal groups that provide them worldwide access which means more victims, and more backup plans. 

TrickBot gang is one such example of popular malware that is hitting world organizations constantly, as per the observations made by IBM Security X-Force over the years. Recently, IBM Security X-Force published its year’s Threat Intelligence Index, in which it was noted that TrickBot was one of 2021’s most active threat groups, also known as ITG23, and Wizard Spider. 

TrickBot is a recognized banking Trojan that victimizes businesses and consumers for their data, such as banking information, personally identifiable information (PII), account credentials, and bitcoins data. 

It has been observed by The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) that continued targeting by spearphishing campaigns employing TrickBot are taking place in North America. Reportedly, an advanced cybercriminals group is luring victims, via phishing emails, with a traffic breach phishing scheme to download TrickBot. 

Additionally, what makes ITG23 more acute and resilient to disruptions and shutdowns is its highly modular malware, it can adapt to any network it finds itself in. Also, the group has the collective shares infrastructure, and support functions, IT teams, recruiters, and even human resources to make things easier for them. 

Originally discovered in 2016, TrickBot was an online banking fraud Trojan that surfaced with other Trojans namely Qakbot, Dridex Zeus, and Gozi. However, ITG23 soon expanded its operations as follows:

• Stealing credentials, data, and personal information 
• Installing backdoors within the network to enable remote access 
• Elevating account privileges to expand access to the compromised network 
• Disabling antivirus tools or other cybersecurity measures, such as Windows Defender 
• Modifying itself to avoid detection  
• Downloading and installing other malware or ransomware to carry out secondary attacks, the most common of which involve Ryuk or Conti ransomware 

In the report, the IBM Security X-Force has observed some defenses to spot malware and lateral movement to safeguard networks from malware attacks and these defenses include behavioral-based antimalware detection, intrusion detection, prevention solutions (IDPs), endpoint detection and response (EDR), and a security information and event management (SIEM) system.

A Worldwide Fraud Campaign Used Targeted Links to Rob Millions of Dollars

 

Infrastructure overlaps tied to the TrickBot botnet can be seen in large-scale phishing activity employing hundreds of domains to steal information for Naver, a Google-like web platform in South Korea. The resources employed in this assault demonstrate the magnitude of the cybercriminal effort to gather login data to carry out attacks. 

Naver, like Google, offers a wide range of services, including web search, email, news, and the NAVER Knowledge iN online Q&A platform. Its credentials, in addition to granting access to regular user accounts, can also grant access to enterprise environments due to password reuse. 

Earlier this year, security researchers from cyber intelligence firm Prevailion began its inquiry using a domain name shared by Joe Sowik, mailmangecorp[.]us, which led to a "vast network of targeted phishing infrastructure designed to gather valid login credentials for Naver." Additionally, PACT analysts discovered similarities with the WIZARD SPIDER [a.k.a. TrickBot] network while researching the hosting infrastructure utilized to serve the Naver-themed phishing pages. 

The fraudsters enticed victims with phoney surveys and incentives purporting to be from well-known brands, the lure was meant to help the criminals steal victims' personal information and credit card information. Tens of millions of people in 91 countries, including the United States, Canada, South Korea, and Italy, were shown to have been targeted by the scammers.

To entice potential victims, the cybercriminals sent out invitations to participate in a survey, along with the promise of a prize if they completed it. Advertising on both legitimate and illegitimate websites, contextual advertising, SMS and email messages, and pop-up notifications were all used in the campaign. To develop trust with the victims, lookalike domains modeled after authentic ones were registered. 542 unique domains were linked to the operation, 532 of which were utilized for Naver-themed phishing. Authorities found the operator would register a group of web addresses linked to a single IP address using an email address.

According to the researchers, two Cobalt Strike beacon variants on Virus Total were linked to 23.81.246[.]131 as part of a campaign that used CVE-2021-40444 to spread Conti ransomware, a typical TrickBot payload. The end page's content is as personalized as possible to the victim's interests, with the customized link only accessible once, making detection significantly more difficult and enabling the scheme to last longer. 

The victim is also informed to be eligible for a prize and one must supply personal information such as one's complete name, email and physical addresses, phone number, and credit card information, including expiration date and CVV for the same. Prevalion believes one explanation that justifies the conclusions is cybercriminals should use an "infrastructure-as-a-service" model for their operations.

Alleged TrickBot Gang Member Arrested While Leaving South Korea




A Russian native – on accusations of being associated with the TrickBot cybercrime gang – was recently arrested by the authorities at Seoul International airport, while trying to leave South Korea. 

Reportedly, the Russian resident – identified as Mr. A by media –  was leaving for his home in Russia after waiting for over a year in the South Asian country. As per local media reports (Seoul's KBS) the alleged individual was prevented from leaving South Korea due to COVID-19 travel restrictions – international travel had been canceled by Seoul officials as the global pandemic broke out. Subsequently, Mr. A's passport expired, and he was stranded in South Korea as he waited to renew his passport. 

The Russian man who allegedly worked as a web browser developed for the malware spreading TrickBot gang in 2016 during his stay in Russia, denied 'being aware' of working for a cybercrime group. “When developing the software, the user manual did not identify malware,” said the individual at Seoul High Court. 

As per a Korean newspaper, on September 01, an interrogation was held at the 20th Criminal Division of the Seoul High Court – for the extradition request case against the alleged developer of the malware. While fighting the US extradition attempt, the lawyer of the accused argued that the US will prosecute the man unjustly. "If you send it to the United States, it will be very difficult to exercise your right of defense and there is a good chance that you will be subject to excessive penalties,” claimed the attorney. 

As per the reports, the suspect continued to maintain that the operation manual did not fall under malicious software when he developed the software. He received work from TrickBot via a job search site, following which he developed a web browser for the gang, according to The Record. Notably, the recruiters preferred applicants who did not ask a lot of questions. 

TrickBot is an advanced banking trojan that targets Windows machines. Initially created to steal the banking information of unsuspecting users, TrickBot has evolved over the last five years to be versatile, widely available, and easy to use. With new variants being increasingly released, TrickBot infections have become more frequent on home office networks; continuous advancement since its inception has cemented TrickBot's reputation as a highly adaptive modular malware.

BazarBackdoor Campaigns in Attempts to Avoid Detection

 

In two recent projects, threat actors using BazarBackdoor used an unusual combination of lures, tactics, and networks to target corporate customers. Threat perpetrators use the victims' own initiative to get through security barriers and reach a consensus in these initiatives. These methods may also be used to combat phishing awareness training. 

BazarBackdoor is a modern malware that has the potential to infect machines and run a variety of malicious programmes. It is thought to have been developed by the same people who created the TrickBot Trojan, a banking Trojan that infects Windows computers. This is due to the fact that BazarBackdoor shares coding and other characteristics with the TrickBot Trojan. 

Threat actors using the BazarBackdoor ransomware have been playing with roundabout ways to get consumers to self-infect, according to a blog post published this week by Cofense. A fake invoice was used in one campaign, with a reference to a malicious website but no direct link to it. Instead, the attackers hope that users can type or paste the URL into their browsers. A second campaign involved a phone number that, when dialed, connects the customer to a phony business official that would attempt to persuade them to access an attacker-controlled website. 

“The notable part about this is that we don’t usually see this sort of thing,” said Joseph Gallop, an intelligence analysis manager at Cofense, in an interview with SC Media. “Usually, threat actors try to make the path to compromise as simple as they can for the victim to follow.”

“There is an increase in fileless, linkless attacks that are engineered toward luring users to do something they are not supposed to do outside of the scope of clicking on links or opening attachments,” said Ironscales CEO Eyal Benishti. “Most of these attacks are BEC attacks, impersonating a known internal or external sender trying to lure users into wiring money, paying fake invoices, changing bank account details records, buying gift cards or other goods, and the defenders’ challenge now is to detect and block communications with malicious intent and not necessarily malicious content.” 

The circuitous road to infection used by the BazarBackdoor campaigns depends on the victim's willingness to put in a little extra effort, but there's a tactic behind this risk: According to the Cofense report, “More and more, corporate network users are being conditioned to recognize malicious links and attachments." Thus, “the absence of apparently malicious links and attachments may lull potential recipients into complacency. Failure to recognize the roundabout engagement tactics at play here could result in a compromise going unnoticed.”

Modified TrickBot Trojan can now Steal Windows Active Directory Credentials


TrickBot trojan, a strain of malware that has been around affecting users since 2016 - is now evolved to steal Windows Active Directory credentials. Today, in the cybersecurity ecosystem it is considered as one of the top threats abusing businesses, experts estimate that TrickBot is responsible for compromising more than 250 million email accounts till date. Earlier, TrickBot went a step further while targeting Windows 10 users by disabling Windows defender onto their systems rather than just bypassing the protection. Fundamentally, TrickBot is a banking Trojan and is generally deployed through spearphishing emails like invoices mailed to the accounts department. Typically, it is attached as infected Microsoft Excel or Word documents. The malware can be spread across an organization in a number of ways, one of them is via exploiting vulnerabilities in a protocol called SMB which makes the process of sharing and accessing files on other systems easy for Windows computers.

First identified by Sandor Nemes, a security researcher from Virus Total, this new module of TrickBot dubbed as "ADII" further amplifies the threat it possesses for security, it steals Windows Active Directory information by executing a set of commands.

An Active Directory database is being created and stored into the default C:\Windows\NTDS folder on the domain controller, a server here is acting as the domain controller. Now, all the information including passwords, computers, users, and groups of Windows Active Directory are saved in a file by the name "ntds.dit" in the database. As all the aforementioned information is sensitive in nature, Windows resort to a BootKey that is located in the system component of the Registry and encrypts the information with the help of it. Admins who are responsible for database maintenance use a special tool known as "ntdsutil" to work with that database. Reportedly, standard file operations cannot access the BootKey.

How TrickBot Goes About Stealing Active Directory Credentials?


Administrators use the command "install from media", also known as "ifm", to create a dump of Active Directory. The command leads to the creation of an installation media for setting up new Domain Controllers. The new module "ADII" exploits the ifm command to produce a copy of the Windows Active Directory database; after the database is dumped into the %Temp% folder, the bot collects the information and transfers it to the admin. The collected data can be effective in infecting more systems in the same network and could also be employed by various other malware in search of similar vulnerabilities.

TrickBot Added New Stealthy Backdoor for High-Value Targets



The authors behind the infamous TrickBot malware – a modular banking trojan that targets sensitive financial information and also acts as a dropper for other malware–have developed a stealthy custom backdoor, circulating by the name 'PowerTrick', to monitor high-value targets and infiltrate them accordingly.

Statistics demonstrate that TrickBot is one of the top crimeware codes and cyberattack groups in existence currently. Developers behind TrickBot have made frequent upgradations in order to evade detection even fluently, empower its stealth, make it hard to research and let it bypass security configurations on user devices.

PowerTrick has been primarily created as an attempt to keep up with the fast paced era of constantly evolving defense mechanisms by effectively bypassing some of the most sophisticated security controls and highly secured networks of high value. Referencing from the statements given by SentinelLabs security researchers, Vitali Kremez, Joshua Platt and Jason Reaves on Thursday, "The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure air-gapped high-value networks."

According to the analysis, PowerTrick is configured to carry out commands and send back the results in the Base64 format. It is injected as a follow-up module after the victim's system has been infected by the TrickBot.

How does it work?

During the examinations, researchers discovered an initial backdoor script being sent out, at times draped as a Powershell task, it goes on to establish contact with command-and-control (C2) server. Once the contact has been successfully established, the authors send their very first command which leads to the downloading of the main PowerTrick backdoor. After the installation of the same, the malware starts executing common backdoor functions, it carries out check-in and then awaits further commands to act upon. Once received, it acts upon these commands and returns the results/errors.

“Once the system and network have been profiled, the actors either stealthily clean up and move on to a different target of choice, or perform lateral movement inside the environment to high-value systems such as financial gateways,” as per the SentinelLab analysis.

"TrickBot has shifted focus to enterprise environments over the years to incorporate many techniques from network profiling, mass data collection, incorporation of lateral traversal exploits,” researchers concluded.

“This focus shift is also prevalent in their incorporation of malware and techniques in their tertiary deliveries that are targeting enterprise environments, it is similar to a company where the focus will shift depending on what generates the best revenue.”

Alert! TrickBot Trojan and Ryuk Ransomware spreads through Japan, as the holiday season approaches


The most dangerous and active banking trojan family according to IBM X-Force data, TrickBot has been modifying it's malware’s modules lately, as the threat group launches in the wild. As the infection campaign spreads around the globe - Japan has become its new growing target ahead of the holiday season. Just ahead of the holiday's TrickBot campaigns usually target European and western countries and other parts of the world but this is the first time they have focused on Japan.


And also, just in time for the holidays when they'll be shopping extensively. Thus, the Japanese consumers should be wary of these infections as they target banks, online shopping payment cards, telecommerce, a bitcoin exchange, e-wallets, and others. TrickBot has been loaded with hundreds of targeted URLs belonging to banks and other retailers. Emotet botnet is also dropping TrickBot to other devices.

The most common attack includes web injections on bank websites leading to banking frauds. On-the-fly injections, used by TrickBot lures the victim into revealing personally identifiable information (PII), payment card details and PIN codes. This is not the first time Eastern European gangs attacked the country, other trojans like URLZone and Gozi (Ursnif) have been prevalent in Japan for years now. For Japanese Businessmen - Beware! Not only TrickBot but Ryuk Ransomware is also spreading through the region TrickBot, being already a worrisome banking plague is not only limited to that.

The Japanese companies should also be wary of the growing ransomware attacks because the TrickBot can usher in Ryuk Ransomware Attacks along with it. It's a kill chain that starts with Emotet and TrickBot and leads to Ryuk attack, ransomware that locks the system demanding millions of dollars. If such Ryuk or TrickBot attack is suspected, then you should immediately launch response plans and contain the infection or contact security companies without wasting precious time as these infections spread fast and wide.