Trickbot | Breaking Cybersecurity News | The Hacker News

The U.K. and U.S. governments on Thursday sanctioned 11 individuals who are alleged to be part of the notorious Russia-based TrickBot cybercrime gang. "Russia has long been a safe haven for cybercriminals, including the TrickBot group," the U.S. Treasury Department  said , adding it has "ties to Russian intelligence services and has targeted the U.S. Government and U.S. companies, including hospitals." The targets of the sanctions are administrators, managers, developers, and coders who are believed to have provided material assistance in its operations. Their names and roles are as follows - Andrey Zhuykov (aka Adam, Defender, and Dif), senior administrator Maksim Sergeevich Galochkin (aka Bentley, Crypt, Manuel, Max17, and Volhvb), software development and testing Maksim Rudenskiy (aka Binman, Buza, and Silver), team lead for coders Mikhail Tsarev (aka Alexander Grachev, Fr*ances, Ivanov Mixail, Mango, Misha Krutysha, Nikita Andreevich Tsarev, and Super Misha), human resource

In a first-of-its-kind coordinated action, the U.K. and U.S. governments on Thursday levied sanctions against seven Russian nationals for their affiliation to the TrickBot, Ryuk, and Conti cybercrime operation. The individuals  designated  under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka Tropa), Dmitry Pleshevskiy (aka Iseldor), Ivan Vakhromeyev (aka Mushroom), and Valery Sedletski (aka Strix). "Current members of the TrickBot group are associated with Russian Intelligence Services," the U.S. Treasury Department  noted . "The TrickBot group's preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services." TrickBot, which is attributed to a threat actor named ITG23, Gold Blackburn, and Wizard Spider, emerged in 2016 as a derivative of the Dyre banking trojan and evolved into a  highly

If forecasters are right, over the course of today, consumers will spend  $13.7 billion . Just about every click, sale, and engagement will be captured by a CRM platform. Inventory applications will trigger automated re-orders; communication tools will send automated email and text messages confirming sales and sharing shipping information.  SaaS applications supporting retail efforts will host nearly all of this behind-the-scenes activity. While retailers are rightfully focused on sales during this time of year, they need to ensure that the SaaS apps supporting their business operations are secure. No one wants a repeat of one of the biggest retail cyber-snafus in history, like when one U.S.-based national retailer had 40 million credit card records stolen.  The attack surface is vast and retailers must remain vigilant in protecting their entire SaaS app stack. For example, many often use multiple instances of the same application. They may use a different Salesforce tenant for eve

A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access, while also borrowing techniques from other groups like Conti to meet its goals. "Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host," Cybereason researchers  said  in a report published this week. IcedID , also known by the name BokBot, started its life as a banking trojan in 2017 before evolving into a  dropper for other malware , joining the likes of  Emotet ,  TrickBot ,  Qakbot ,  Bumblebee , and  Raspberry Robin . Attacks involving the delivery of IcedID have  leveraged a variety of methods , especially in the wake of  Microsoft's decision to block macros  from Office files downloaded from the web. The intrusion detailed by Cybereason is no different in

The Ursnif malware has become the latest malware to shed its roots as a banking trojan to revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot. "This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," Mandiant researchers Sandor Nemes, Sulian Lebegue, and Jessa Valdez  disclosed  in a Wednesday analysis. The refreshed and refactored variant, first spotted by the Google-owned threat intelligence firm in the wild on June 23, 2022, has been codenamed LDR4, in what's being seen as an attempt to lay the groundwork for potential ransomware and data theft extortion operations. Ursnif, also called Gozi or ISFB, is one of the oldest banker malware families, with  the earliest documented attacks  going as far back as 2007. Check Point, in August 2020, mapped the " divergent evolution of Gozi " over th

Threat actors associated with the notorious Emotet malware are continually shifting their tactics and command-and-control (C2) infrastructure to escape detection, according to new research from VMware. Emotet  is the work of a threat actor tracked as Mummy Spider (aka TA542), emerging in June 2014 as a banking trojan before morphing into an all-purpose loader in 2016 that's capable of delivering second-stage payloads such as ransomware. While the botnet's infrastructure was  taken down  as part of a coordinated law enforcement operation in January 2021, Emotet bounced back in November 2021 through another malware known as  TrickBot . Emotet's resurrection, orchestrated by the now-defunct Conti team, has since paved the way for Cobalt Strike infections and, more recently, ransomware attacks involving  Quantum and BlackCat . "The ongoing adaptation of Emotet's execution chain is one reason the malware has been successful for so long," researchers from VMwa

In what's being described as an "unprecedented" twist, the operators of the TrickBot malware have resorted to systematically targeting Ukraine since the onset of the war in late February 2022. The group is believed to have orchestrated at least six phishing campaigns aimed at targets that align with Russian state interests, with the emails acting as lures for delivering malicious software such as IcedID, CobaltStrike, AnchorMail, and  Meterpreter . Tracked under the names ITG23,  Gold Blackburn , and Wizard Spider, the  financially motivated cybercrime gang  is known for its development of the TrickBot banking trojan and was  subsumed  into the now-discontinued  Conti ransomware cartel  earlier this year. But merely weeks later, the actors associated with the group resurfaced with a revamped version of the  AnchorDNS  backdoor called  AnchorMail  that uses SMTPS and IMAP protocols for command-and-control communications. "ITG23's campaigns against Ukraine ar

In this day and age, we are not dealing with roughly pieced together, homebrew type of viruses anymore. Malware is an industry, and professional developers are found to exchange, be it by stealing one's code or deliberate collaboration. Attacks are multi-layer these days, with diverse sophisticated software apps taking over different jobs along the attack-chain from initial compromise to ultimate data exfiltration or encryption. The specific tools for each stage are highly specialized and can often be rented as a service, including customer support and subscription models for professional (ab)use. Obviously, this has largely increased both the availability and the potential effectiveness and impact of malware. Sound scary?  Well, it does, but the apparent professionalization actually does have some good sides too. One factor is that certain reused modules commonly found in malware can be used to identify, track, and analyze professional attack software. Ultimately this means that

A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. "The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," Israeli company Intezer said in a report shared with The Hacker News. "A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate." The latest wave of attacks, detected in mid-March 2022, is said to have targeted organizations within energy, healthcare, law, and pharmaceutical sectors. IcedID, aka BokBot, like its counterparts TrickBot and  Emotet , is a  banking trojan  that has evolved to become an entry point for more sophisticated threats, including hu

Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years.  According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the new-disrupted  Glupteba botnet  as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server. "The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers," Avast's senior malware researcher, Martin Hron,  said  in a write-up, potentially linking it to what's now called the Mēris botnet. The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers ( CVE-2018-14847 ), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. Parts of the Mēris botnet were  sinkholed  in late  September 2021 . "The  CVE-2018-

Microsoft on Wednesday detailed a previously undiscovered technique put to use by the TrickBot malware that involves using compromised Internet of Things (IoT) devices as a go-between for establishing communications with the command-and-control (C2) servers. "By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, TrickBot adds another persistence layer that helps malicious IPs evade detection by standard security systems," Microsoft's Defender for IoT Research Team and Threat Intelligence Center (MSTIC)  said . TrickBot, which emerged as a banking trojan in 2016, has evolved into a sophisticated and persistent threat, with its modular architecture enabling it to adapt its tactics to suit different networks, environments, and devices as well as offer access-as-a-service for next-stage payloads like Conti ransomware. The expansion to TrickBot's capabilities comes amid reports of its  infrastructure goin

The insidious Emotet botnet, which staged a return in November 2021 after a 10-month-long hiatus, is once again exhibiting signs of steady growth, amassing a swarm of over 100,000 infected hosts for perpetrating its malicious activities. "While Emotet has not yet attained the same scale it once had, the botnet is showing a strong resurgence with a total of approximately 130,000 unique bots spread across 179 countries since November 2021," researchers from Lumen's Black Lotus Labs  said  in a report. Emotet, prior to its  takedown  in late January 2021 as part of a coordinated law enforcement operation dubbed "Ladybird," had infected no fewer than 1.6 million devices globally, acting as a conduit for cybercriminals to install other types of malware, such as banking trojans or ransomware, onto compromised systems. The malware  officially resurfaced  in November 2021  using TrickBot  as a delivery vehicle, with the latter  shuttering its attack infrastructure

Even as the TrickBot infrastructure closed shop, the operators of the malware are continuing to refine and retool their arsenal to carry out attacks that culminated in the deployment of Conti ransomware. IBM Security X-Force, which discovered the revamped version of the criminal gang's  AnchorDNS  backdoor, dubbed the new, upgraded variant AnchorMail. AnchorMail "uses an email-based [command-and-control] server which it communicates with using SMTP and IMAP protocols over TLS," IBM's malware reverse engineer, Charlotte Hammond,  said . "With the exception of the overhauled C2 communication mechanism, AnchorMail's behavior aligns very closely to that of its AnchorDNS predecessor." The cybercrime actor behind TrickBot, ITG23 aka Wizard Spider, is also known for its development of the Anchor malware framework, a backdoor reserved for targeting selected high value victims since at least 2018 via TrickBot and BazarBackdoor (aka BazarLoader), an additiona

The modular Windows crimeware platform known as TrickBot formally shuttered its infrastructure on Thursday after reports emerged of its  imminent retirement  amid a lull in its activity for almost two months, marking an end to one of the most persistent malware campaigns in recent years. "TrickBot is gone... It is official now as of Thursday, February 24, 2022. See you soon... or not," AdvIntel's CEO Vitali Kremez  tweeted . "TrickBot is gone as it has become inefficient for targeted intrusions." Attributed to a Russia-based criminal enterprise called  Wizard Spider , TrickBot started out as a financial trojan in late 2016 and is a derivative of another banking malware called  Dyre  that was dismantled in November 2015. Over the years, it morphed into a veritable Swiss Army knife of malicious capabilities, enabling threat actors to steal information via  web injects  and drop additional payloads. TrickBot's activities took a noticeable hit in October 20

TrickBot, the infamous Windows crimeware-as-a-service (CaaS) solution that's used by a variety of threat actors to deliver next-stage payloads like ransomware, appears to be undergoing a transition of sorts, with no new activity recorded since the start of the year. The lull in the malware campaigns is "partially due to a big shift from Trickbot's operators, including working with the operators of Emotet," researchers from Intel 471  said  in a report shared with The Hacker News. The last set of attacks involving TrickBot were registered on December 28, 2021, even as command-and-control (C2) infrastructure associated with the malware has continued to serve additional plugins and  web injects  to infected nodes in the botnet. Interestingly, the decrease in the volume of the campaigns has also been accompanied by the TrickBot gang working closely with the  operators of Emotet , which witnessed a resurgence late last year after a 10-month-long break following law en

The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features. "TrickBot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand," Check Point researchers Aliaksandr Trafimchuk and Raman Ladutska  said  in a report published today. In addition to being both prevalent and persistent, TrickBot has  continually   evolved  its tactics to go past security and detection layers. To that end, the malware's "injectDll" web-injects module, which is responsible for stealing banking and credential data, leverages anti-deobfuscation techniques to crash the web page and thwart attempts to scrutinize the source code. Also put in place are anti-analysis guardrails to prevent security researchers from sending automated requests to command-and-con

The cybercrime operators behind the notorious TrickBot malware have once again upped the ante by fine-tuning its techniques by adding multiple layers of defense to slip past antimalware products. "As part of that escalation, malware injections have been fitted with added protection to keep researchers out and get through security controls," IBM Trusteer  said  in a report. "In most cases, these extra protections have been applied to injections used in the process of online banking fraud — TrickBot's main activity since its inception after the  Dyre Trojan 's demise." TrickBot , which started out as a banking trojan, has evolved into a multi-purpose crimeware-as-a-service (CaaS) that's employed by a variety of actors to deliver additional payloads such as ransomware. Over 100 variations of TrickBot have been identified to date, one of which is a " Trickboot " module that can modify the UEFI firmware of a compromised device. In the fall of 2