Cybersecurity professionals have to deal with the increasing threat of Trickbot malware.
The malware uses phishing attacks and web injections to target 60 large tech companies’ customers by accessing their personal information and login credentials.
Together with other simple malware such as Dridex, Agent Tesla, DanaBot, and Zeus, Trickbot started as a non-threatening bank trojan.
The carrying out of a major police operation and the 2016 elimination of the Dyre botnet led to the malware’s way more attention.
The international operation led by Europol and the FBI played the role of getting rid of the infrastructure supporting the Emotet Bonnet.
The malware is prevalent among criminals because it can tailor its attacks. Trickbot also can perform many different attacks due to its modular nature.
A recent Check Point Research study shows that many hackers use Trickbot to target organizations. The study indicated how the malware had become an issue for 60 large corporations, most based in the United States.
The malware’s operators do not intend to attack the company directly. Instead, they use Trickbot to leverage the reputations and names of the brands.
Among the brands that Trickbot is targeting, according to the study, are Wells Fargo, Bank of America, Amazon, PayPal, and American Express. Others include RobinHood, Blockchain.com, and the Navy Federal Credit Union.
Firms that the study concluded the Trickbot malware attack belonged to the cryptocurrency, financial firms, and technology industry.
Modules that Trickbot Uses to Steal Victim’s Information
Though the Trickbot can use up to 20 modules, the study discovered three that it paid attention to over the rest.
The three modules caused some of the most straightforward issues to the PCs and affected how the users operated their systems.
These three modules are:
- InjectDII using web injection features.
- TabDLL uses a five-step process.
- Pwgrabc that steals personal credentials.
The study provided the technical details on these three modules to prevent analysis and reverse engineering.
The first module, injectDII, has web injection features that affect a browser session for a user.
The thieves do this by redirecting the users to a counterfeit page they believe one of the large corporations owns.
To prevent detection, the format for injection uses an obfuscated payload.
The second module, TabDLL, has five different steps of stealing a victim’s information.:
- Opening up the LSASS application for the storage of the stolen data.
- Injecting the code into explorer.exe.
- Forcing users to enter their details then locking them out of the session.
- Using MIMIKATZ, the module steals the victim’s credentials from LSASS.
- The module then transports the credentials to the attacker’s command-and-control center.
The module also implores EternalRomance for exploiting and spreading the malware across SMBv1 networks.
The pwgrabc is another module that affects how the malware spreads.
The module steals victims’ credentials from the specific applications that store them, such as Chrome, Firefox, and Internet Explorer.
Login credentials are the most common information this module stole, ensuring the bot can spread without restrictions.
The dangers of the Trickbot are apparent, and researchers have stated they will continue to monitor how it affects users.
Researchers opine that although the Trickbot’s effect is still under investigation, the creation process will not waste.
They argue that users can instill the skill and technology in the future if users can put the bot to better use.
An IBM research study shows that new variants of the Trickbot malware affect computers.
The variants contain specific features that block the researchers as they aim to use reverse engineering to analyze the malware.
Trickbot is most likely to enter into a loop in the code beautification process. Beautification of the code involves cleaning it up for easier readability and analysis.