The operators of TrickBot malware have infected an estimated 140,000 victims across 149 countries a little over a year after attempts were made to dismantle its infrastructure, even as the advanced Trojan is fast becoming an entry point for Emotet, another botnet that was taken down at the start of 2021.
Most of the victims detected since November 1, 2020, are from Portugal (18%), the U.S. (14%), and India (5%), followed by Brazil (4%), Turkey (3%), Russia (3%), and China (3%), Check Point Research noted in a report shared with The Hacker News, with government, finance, and manufacturing emerging as the top affected industry verticals.
"Emotet is a strong indicator of future ransomware attacks, as the malware provides ransomware gangs a backdoor into compromised machines," said the researchers, who detected 223 different Trickbot campaigns over the course of the last six months.
Both TrickBot and Emotet are botnets: networks of internet-connected devices infected by malware that can be tasked to conduct an array of malicious activities. TrickBot originated in 2016 as a C++ banking Trojan and successor to the Dyre malware, featuring capabilities to steal financial details, account credentials and other sensitive information; spread laterally across a network; and drop additional payloads, including the Conti, Diavol, and Ryuk ransomware strains.
Disseminated via malspam campaigns or dropped by other malware such as Emotet, TrickBot is believed to be the handiwork of a Russia-based group called Wizard Spider. It has since grown into a complete modular malware ecosystem, making it an adaptable and evolving threat and an attractive tool for a myriad of illegal cyber activities.
The botnet also caught the attention of government and private entities late last year, when the U.S. Cyber Command and a group of private sector partners spearheaded by Microsoft, ESET, and Symantec acted to blunt TrickBot's reach and prevent the adversary from purchasing or leasing servers for command-and-control operations.
Emotet comes back with new tricks
But these actions have only been temporary setbacks, with the malware authors rolling out updates to the botnet code that have made it more resilient and suitable for mounting further attacks. What's more, TrickBot infections in November and December have also propelled a surge in Emotet malware on compromised machines, signaling a revival of the infamous botnet after a gap of 10 months following a coordinated law enforcement effort to disrupt its spread.
Intel 471 in an independent analysis of the new Emotet samples said it discovered "distinct differences, including the encryption used for communication, additional commands and reconfigurations in several pieces of the communication protocol," adding "Further investigation into Emotet's keys and IP buffers also revealed two separate botnets are being used to distribute the malware."
"Emotet could not choose a better platform than Trickbot as a delivery service when it came to its rebirth," the researchers noted.
The latest wave of spam attacks prompts users to download password-protected ZIP archives containing malicious documents that, once opened with macros enabled, deploy Emotet, enabling it to rebuild its botnet and grow in volume.
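One check a mail gateway can apply to the lure described above, added here as an example and not code from the article or from Check Point Research: ZIP encryption covers only entry contents, so the file names, sizes and the "encrypted" flag bit in the central directory remain in cleartext and can be inspected without the password the lure asks the victim to type. The archive in the block is constructed in memory (Python's zipfile cannot write encrypted archives, so the flag bit is set by hand); the file name and the list of macro-capable extensions are assumptions for illustration.

```python
"""Triage of password-protected ZIP attachments without the password.

Added example, not code from the article or from Check Point Research.
The sample archives are constructed in memory and are not real malspam.
"""
import io
import os
import struct
import zipfile

# Assumed list of extensions a macro lure could use. Legacy .doc/.xls are OLE
# containers that may carry VBA; .docm/.xlsm/.xlsb/.pptm are macro-enabled OOXML.
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".xlt", ".docm", ".dotm", ".xlsm", ".xlsb", ".pptm"}

ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose flag word


def mark_entries_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag on every local (PK\\x03\\x04) and central
    (PK\\x01\\x02) header so the constructed sample looks password-protected.

    Only the flag is changed; the payload itself is not encrypted. A real
    password-protected archive sets this bit and stores ciphertext.
    """
    buf = bytearray(zip_bytes)
    # flag word sits 6 bytes into a local header and 8 bytes into a central one
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + off)
            struct.pack_into("<H", buf, pos + off, flags | ENCRYPTED_FLAG)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def triage_zip(zip_bytes: bytes) -> dict:
    """Verdict built only from the cleartext central directory.

    block  - an encrypted entry has a macro-capable Office extension
    review - something is encrypted but no Office document is visible
    allow  - nothing encrypted; the regular content scanner can open it
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()  # reads the central directory only, no password needed
    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
    encrypted_macro_docs = [
        name for name in encrypted
        if os.path.splitext(name)[1].lower() in MACRO_CAPABLE
    ]
    if encrypted_macro_docs:
        verdict = "block"
    elif encrypted:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "entries": [i.filename for i in infos],
        "encrypted": encrypted,
        "encrypted_macro_docs": encrypted_macro_docs,
        "verdict": verdict,
    }


def build_archive(filename: str, encrypted: bool) -> bytes:
    """Construct a one-entry archive standing in for an attachment (constructed data)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(filename, b"placeholder content, constructed for this example")
    data = out.getvalue()
    return mark_entries_encrypted(data) if encrypted else data


if __name__ == "__main__":
    # "Invoice_2021-12.doc" is an assumed lure name, not one taken from the campaign.
    for label, blob in (
        ("encrypted lure", build_archive("Invoice_2021-12.doc", True)),
        ("encrypted text", build_archive("notes.txt", True)),
        ("plain document", build_archive("Invoice_2021-12.doc", False)),
    ):
        print(label, "->", triage_zip(blob)["verdict"])
```

The check deliberately never attempts to open the document: the point is that the gateway can decide on metadata alone, before any user supplies the password from the lure e-mail. Unencrypted documents fall through to the normal attachment scanner, which can inspect the macros directly.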
"Emotet's comeback is a major warning sign for yet another surge in ransomware attacks as we go into 2022," said Lotem Finkelstein, Check Point's head of threat intelligence. "Trickbot, who has always collaborated with Emotet, is facilitating Emotet's comeback by dropping it on infected victims. This has allowed Emotet to start from a very firm position, and not from scratch."
That's not all. In what appears to be a further escalation in tactics, new Emotet artifacts have been uncovered dropping Cobalt Strike beacons directly onto compromised systems, according to Cryptolaemus cybersecurity experts, as opposed to dropping intermediate payloads before installing the post-exploitation tool.
"This is a big deal. Typically Emotet dropped TrickBot or QakBot, which in turn dropped Cobalt Strike. You'd usually have about a month between [the] first infection and ransomware. With Emotet dropping [Cobalt Strike] directly, there's likely to be a much much shorter delay," security researcher Marcus Hutchins tweeted.