The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Trickbot

Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware

Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware

March 28, 2022Ravie Lakshmanan
A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. "The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," Israeli company Intezer said in a report shared with The Hacker News. "A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate." The latest wave of attacks, detected in mid-March 2022, is said to have targeted organizations within energy, healthcare, law, and pharmaceutical sectors. IcedID, aka BokBot, like its counterparts TrickBot and  Emotet , is a  banking trojan  that has evolved to become an entry point for more sophisticated threats, including hu
Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns

Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns

March 23, 2022Ravie Lakshmanan
Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years.  According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the new-disrupted  Glupteba botnet  as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server. "The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers," Avast's senior malware researcher, Martin Hron,  said  in a write-up, potentially linking it to what's now called the Mēris botnet. The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers ( CVE-2018-14847 ), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. Parts of the Mēris botnet were  sinkholed  in late  September 2021 . "The  CVE-2018-
TrickBot Malware Abusing MikroTik Routers as Proxies for Command-and-Control

TrickBot Malware Abusing MikroTik Routers as Proxies for Command-and-Control

March 17, 2022Ravie Lakshmanan
Microsoft on Wednesday detailed a previously undiscovered technique put to use by the TrickBot malware that involves using compromised Internet of Things (IoT) devices as a go-between for establishing communications with the command-and-control (C2) servers. "By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, TrickBot adds another persistence layer that helps malicious IPs evade detection by standard security systems," Microsoft's Defender for IoT Research Team and Threat Intelligence Center (MSTIC)  said . TrickBot, which emerged as a banking trojan in 2016, has evolved into a sophisticated and persistent threat, with its modular architecture enabling it to adapt its tactics to suit different networks, environments, and devices as well as offer access-as-a-service for next-stage payloads like Conti ransomware. The expansion to TrickBot's capabilities comes amid reports of its  infrastructure goin
Emotet Botnet's Latest Resurgence Spreads to Over 100,000 Computers

Emotet Botnet's Latest Resurgence Spreads to Over 100,000 Computers

March 09, 2022Ravie Lakshmanan
The insidious Emotet botnet, which staged a return in November 2021 after a 10-month-long hiatus, is once again exhibiting signs of steady growth, amassing a swarm of over 100,000 infected hosts for perpetrating its malicious activities. "While Emotet has not yet attained the same scale it once had, the botnet is showing a strong resurgence with a total of approximately 130,000 unique bots spread across 179 countries since November 2021," researchers from Lumen's Black Lotus Labs  said  in a report. Emotet, prior to its  takedown  in late January 2021 as part of a coordinated law enforcement operation dubbed "Ladybird," had infected no fewer than 1.6 million devices globally, acting as a conduit for cybercriminals to install other types of malware, such as banking trojans or ransomware, onto compromised systems. The malware  officially resurfaced  in November 2021  using TrickBot  as a delivery vehicle, with the latter  shuttering its attack infrastructure
TrickBot Malware Gang Upgrades its AnchorDNS Backdoor to AnchorMail

TrickBot Malware Gang Upgrades its AnchorDNS Backdoor to AnchorMail

March 01, 2022Ravie Lakshmanan
Even as the TrickBot infrastructure closed shop, the operators of the malware are continuing to refine and retool their arsenal to carry out attacks that culminated in the deployment of Conti ransomware. IBM Security X-Force, which discovered the revamped version of the criminal gang's  AnchorDNS  backdoor, dubbed the new, upgraded variant AnchorMail. AnchorMail "uses an email-based [command-and-control] server which it communicates with using SMTP and IMAP protocols over TLS," IBM's malware reverse engineer, Charlotte Hammond,  said . "With the exception of the overhauled C2 communication mechanism, AnchorMail's behavior aligns very closely to that of its AnchorDNS predecessor." The cybercrime actor behind TrickBot, ITG23 aka Wizard Spider, is also known for its development of the Anchor malware framework, a backdoor reserved for targeting selected high value victims since at least 2018 via TrickBot and BazarBackdoor (aka BazarLoader), an additiona
Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure

Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure

February 24, 2022Ravie Lakshmanan
The modular Windows crimeware platform known as TrickBot formally shuttered its infrastructure on Thursday after reports emerged of its  imminent retirement  amid a lull in its activity for almost two months, marking an end to one of the most persistent malware campaigns in recent years. "TrickBot is gone... It is official now as of Thursday, February 24, 2022. See you soon... or not," AdvIntel's CEO Vitali Kremez  tweeted . "TrickBot is gone as it has become inefficient for targeted intrusions." Attributed to a Russia-based criminal enterprise called  Wizard Spider , TrickBot started out as a financial trojan in late 2016 and is a derivative of another banking malware called  Dyre  that was dismantled in November 2015. Over the years, it morphed into a veritable Swiss Army knife of malicious capabilities, enabling threat actors to steal information via  web injects  and drop additional payloads. TrickBot's activities took a noticeable hit in October 20
TrickBot Gang Likely Shifting Operations to Switch to New Malware

TrickBot Gang Likely Shifting Operations to Switch to New Malware

February 24, 2022Ravie Lakshmanan
TrickBot, the infamous Windows crimeware-as-a-service (CaaS) solution that's used by a variety of threat actors to deliver next-stage payloads like ransomware, appears to be undergoing a transition of sorts, with no new activity recorded since the start of the year. The lull in the malware campaigns is "partially due to a big shift from Trickbot's operators, including working with the operators of Emotet," researchers from Intel 471  said  in a report shared with The Hacker News. The last set of attacks involving TrickBot were registered on December 28, 2021, even as command-and-control (C2) infrastructure associated with the malware has continued to serve additional plugins and  web injects  to infected nodes in the botnet. Interestingly, the decrease in the volume of the campaigns has also been accompanied by the TrickBot gang working closely with the  operators of Emotet , which witnessed a resurgence late last year after a 10-month-long break following law en
TrickBot Malware Targeted Customers of 60 High-Profile Companies Since 2020

TrickBot Malware Targeted Customers of 60 High-Profile Companies Since 2020

February 16, 2022Ravie Lakshmanan
The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features. "TrickBot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand," Check Point researchers Aliaksandr Trafimchuk and Raman Ladutska  said  in a report published today. In addition to being both prevalent and persistent, TrickBot has  continually   evolved  its tactics to go past security and detection layers. To that end, the malware's "injectDll" web-injects module, which is responsible for stealing banking and credential data, leverages anti-deobfuscation techniques to crash the web page and thwart attempts to scrutinize the source code. Also put in place are anti-analysis guardrails to prevent security researchers from sending automated requests to command-and-con
TrickBot Malware Using New Techniques to Evade Web Injection Attacks

TrickBot Malware Using New Techniques to Evade Web Injection Attacks

January 25, 2022Ravie Lakshmanan
The cybercrime operators behind the notorious TrickBot malware have once again upped the ante by fine-tuning its techniques by adding multiple layers of defense to slip past antimalware products. "As part of that escalation, malware injections have been fitted with added protection to keep researchers out and get through security controls," IBM Trusteer  said  in a report. "In most cases, these extra protections have been applied to injections used in the process of online banking fraud — TrickBot's main activity since its inception after the  Dyre Trojan 's demise." TrickBot , which started out as a banking trojan, has evolved into a multi-purpose crimeware-as-a-service (CaaS) that's employed by a variety of actors to deliver additional payloads such as ransomware. Over 100 variations of TrickBot have been identified to date, one of which is a " Trickboot " module that can modify the UEFI firmware of a compromised device. In the fall of 2
140,000 Reasons Why Emotet is Piggybacking on TrickBot in its Return from the Dead

140,000 Reasons Why Emotet is Piggybacking on TrickBot in its Return from the Dead

December 08, 2021Ravie Lakshmanan
The operators of TrickBot malware have infected an estimated 140,000 victims across 149 countries a little over a year after attempts were to dismantle its infrastructure, even as the advanced Trojan is fast becoming an entry point for Emotet, another botnet that was taken down at the start of 2021. Most of the victims detected since November 1, 2020, are from Portugal (18%), the U.S. (14%), and India (5%), followed by Brazil (4%), Turkey (3%), Russia (3%), and China (3%), Check Point Research noted in a report shared with The Hacker News, with government, finance, and manufacturing entities emerging the top affected industry verticals. "Emotet is a strong indicator of future ransomware attacks, as the malware provides ransomware gangs a backdoor into compromised machines," said the researchers, who detected 223 different Trickbot campaigns over the course of the last six months. Both TrickBot and Emotet are botnets, which are a network of internet-connected devices infe
Notorious Emotet Botnet Makes a Comeback with the Help of TrickBot Malware

Notorious Emotet Botnet Makes a Comeback with the Help of TrickBot Malware

November 16, 2021Ravie Lakshmanan
The notorious Emotet malware is staging a comeback of sorts  nearly 10 months  after a coordinated law enforcement operation dismantled its command-and-control infrastructure in late January 2021. According to a  new report  from security researcher Luca Ebach, the infamous  TrickBot  malware is being used as an entry point to distribute what appears to be a new version of Emotet on systems previously infected by the former. The latest  variant  takes the form of a DLL file, with the first occurrence of the deployment being detected on November 14. Europol  dubbed   Emotet  as the "world's most dangerous malware" for its ability to act as a "door opener" for threat actors to obtain unauthorized access, becoming a precursor to many critical data theft and ransomware attacks. Interestingly, the loader operation enabled other malware families such as Trickbot, QakBot, and Ryuk to enter a machine. The resurfacing is also significant not least because it follow
Hackers Increasingly Using HTML Smuggling in Malware and Phishing Attacks

Hackers Increasingly Using HTML Smuggling in Malware and Phishing Attacks

November 12, 2021Ravie Lakshmanan
Threat actors are increasingly banking on the technique of  HTML smuggling  in phishing campaigns as a means to gain initial access and deploy an array of threats, including banking malware, remote administration trojans (RATs), and ransomware payloads. Microsoft 365 Defender Threat Intelligence Team, in a new report published Thursday, disclosed that it identified infiltrations distributing the  Mekotio  banking Trojan, backdoors such as  AsyncRAT  and  NjRAT , and the infamous  TrickBot  malware. The multi-staged attacks — dubbed  ISOMorph  — were also publicly documented by Menlo Security in July 2021. HTML smuggling is an approach that allows an attacker to "smuggle" first-stage droppers, often encoded malicious scripts embedded within specially-crafted HTML attachments or web pages, on a victim machine by taking advantage of basic features in HTML5 and JavaScript rather than exploiting a vulnerability or a design flaw in modern web browsers. By doing so, it enables
TrickBot Operators Partner with Shathak Attackers for Conti Ransomware

TrickBot Operators Partner with Shathak Attackers for Conti Ransomware

November 11, 2021Ravie Lakshmanan
The operators of TrickBot trojan are collaborating with the Shathak threat group to distribute their wares, ultimately leading to the deployment of Conti ransomware on infected machines. "The implementation of  TrickBot  has evolved over the years, with recent versions of TrickBot implementing malware-loading capabilities," Cybereason security analysts Aleksandar Milenkoski and Eli Salem  said  in a report analysing recent malware distribution campaigns undertaken by the group. "TrickBot has played a major role in many attack campaigns conducted by different threat actors, from common cybercriminals to nation-state actors." The latest report builds on a report from IBM X-Force last month, which  revealed  TrickBot's partnerships with other cybercrime gangs, including Shathak, to deliver proprietary malware. Also tracked under the moniker TA551, Shathak is a sophisticated cybercrime actor targeting end-users on a global scale, acting as a malware distributor
Russian TrickBot Gang Hacker Extradited to U.S. Charged with Cybercrime

Russian TrickBot Gang Hacker Extradited to U.S. Charged with Cybercrime

October 29, 2021Ravie Lakshmanan
A Russian national, who was arrested in South Korea last month and extradited to the U.S. on October 20, appeared in a federal court in the state of Ohio on Thursday to face charges for his alleged role as a member of the infamous TrickBot group. Court documents showed that Vladimir Dunaev , 38, along with other members of the transnational, cybercriminal organization, stole money and confidential information from unsuspecting victims, including individuals, financial institutions, school districts, utility companies, government entities, and private businesses. Starting its roots as a banking trojan in 2016, TrickBot has  evolved  into a modular, multi-stage Windows-based crimeware solution capable of pilfering valuable personal and financial information, and even dropping ransomware and post-exploitation toolkits on compromised devices. The malware is also  notorious  for its  resilience , having survived at least two takedowns spearheaded by Microsoft and the U.S. Cyber Command
Attackers Behind Trickbot Expanding Malware Distribution Channels

Attackers Behind Trickbot Expanding Malware Distribution Channels

October 15, 2021Ravie Lakshmanan
The operators behind the pernicious TrickBot malware have resurfaced with new tricks that aim to increase its foothold by expanding its distribution channels, ultimately leading to the deployment of ransomware such as Conti. The threat actor, tracked under the monikers ITG23 and Wizard Spider, has been found to partner with other cybercrime gangs known Hive0105, Hive0106 (aka TA551 or Shathak), and Hive0107, adding to a growing number of campaigns that the attackers are banking on to deliver proprietary malware, according to a report by IBM X-Force. "These and other cybercrime vendors are infecting corporate networks with malware by hijacking email threads, using fake customer response forms and social engineering employees with a fake call center known as BazarCall," researchers Ole Villadsen and Charlotte Hammond  said . Since emerging on the threat landscape in 2016, TrickBot has evolved from a banking trojan to a modular Windows-based crimeware solution, while also 
Researchers Find New Evidence Linking Diavol Ransomware to TrickBot Gang

Researchers Find New Evidence Linking Diavol Ransomware to TrickBot Gang

August 19, 2021Ravie Lakshmanan
Cybersecurity researchers have disclosed details about an early development version of a nascent ransomware strain called Diavol that has been linked to threat actors behind the infamous TrickBot syndicate. The latest  findings  from IBM X-Force show that the ransomware sample shares similarities to other malware that has been attributed to the cybercrime gang, thus establishing a clearer connection between the two. In early July, Fortinet  revealed  specifics of an unsuccessful ransomware attack involving Diavol payload targeting one of its customers, highlighting the malware's source code overlaps with that of Conti and its technique of reusing some language from Egregor ransomware in its ransom note. "As part of a rather unique encryption procedure, Diavol operates using user-mode Asynchronous Procedure Calls (APCs) without a symmetric encryption algorithm," Fortinet researchers previously said. "Usually, ransomware authors aim to complete the encryption oper
Trickbot Malware Returns with a new VNC Module to Spy on its Victims

Trickbot Malware Returns with a new VNC Module to Spy on its Victims

July 13, 2021Ravie Lakshmanan
Cybersecurity researchers have opened the lid on the continued resurgence of the insidious Trickbot malware , making it clear that the Russia-based transnational cybercrime group is working behind the scenes to revamp its attack infrastructure in response to recent counter efforts from law enforcement. "The new capabilities discovered are used to monitor and gather intelligence on victims, using a custom communication protocol to hide data transmissions between [command-and-control] servers and victims — making attacks difficult to spot," Bitdefender  said  in a technical write-up published Monday, suggesting an increase in sophistication of the group's tactics. "Trickbot shows no sign of slowing down," the researchers noted. Botnets are formed when hundreds or thousands of hacked devices are enlisted into a network run by criminal operators, which are often then used to launch denial-of-network attacks to pummel businesses and critical infrastructure with
TrickBot Botnet Found Deploying A New Ransomware Called Diavol

TrickBot Botnet Found Deploying A New Ransomware Called Diavol

July 05, 2021Ravie Lakshmanan
Threat actors behind the infamous  TrickBot  malware have been linked to a new ransomware strain named "Diavol," according to the latest research. Diavol and Conti ransomware payloads were deployed on different systems in a case of an unsuccessful attack targeting one of its customers earlier this month, researchers from Fortinet's FortiGuard Labs said last week. TrickBot, a banking Trojan first detected in 2016, has been traditionally a Windows-based crimeware solution, employing different modules to perform a wide range of malicious activities on target networks, including credential theft and conduct ransomware attacks.  Despite efforts by law enforcement to neutralize the bot network, the ever-evolving malware has proven to be a  resilient threat , what with the Russia-based operators — dubbed " Wizard Spider " — quickly adapting new tools to carry out further attacks. Diavol is said to have been deployed in the wild in one incident to date. The sourc
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.