Threat Advisory: TrickBot Malware
March 15, 2019
The Multi-State Information Sharing and Analysis Center (MS-ISAC) recently released a security primer on TrickBot. Originally developed in 2016 as a Windows-based banking Trojan, TrickBot has recently seen advancements in its capabilities.
The developers behind it have continued to add more features via modules to this potent trojan. With its modular structure, it is able to download new modules from C&C servers that allow it to evolve if left unchecked.
In November 2018, a module was added that gave TrickBot the ability to steal credentials from popular applications such as FileZilla, Microsoft Outlook, and WinSCP. The same module also steals credentials and artifacts from multiple web browsers (Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge). These artifacts include browsing history, cookies, autofill data, and HTTP POST data.
In January 2019, three more applications were targeted for credential grabbing: VNC, PuTTY, and RDP.
The primary distribution method for TrickBot is currently malspam campaigns: unsolicited emails that trick the recipient into opening the malware via an attachment. These emails usually carry third-party branding familiar to the recipient and a Microsoft Word or Excel document containing a macro with a script that downloads the malware.
TrickBot has also been dropped as a secondary payload by other types of malware due to its capabilities. Once on a network, TrickBot has modules that target the SMB protocol to spread laterally throughout the network.
Herjavec Group recommends the following strategies to mitigate the TrickBot malware:
- User awareness is key. Standard security awareness training will ensure that users are able to recognize social engineering/phishing attempts, and refrain from opening attachments from unverified senders. Usernames and passwords should not be disclosed to any unsolicited request.
- Antivirus software should be up-to-date with the latest signature and detection rules.
- Conduct vulnerability scans and/or Red Team exercises against internal network hosts that include lateral movement as an objective.
- Review security logs for known indications of TrickBot. If any indications are found, isolate the host and begin investigation and remediation procedures.
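One way to act on the last recommendation, shown as an added example that is not from the MS-ISAC primer or this advisory: a small Python check that flags the delivery chain described above (a Microsoft Word or Excel process spawning a script host, as a macro does when it downloads the payload) in process-creation telemetry. The Sysmon-style JSON field names, the list of script hosts, and the sample events are constructed assumptions.

```python
import json

# Office applications the advisory names as carriers of the malicious macro.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# Script and download hosts a macro commonly launches (assumed list; extend to taste).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_script(event: dict) -> bool:
    """True when an Office application is the direct parent of a script host."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child in SCRIPT_HOSTS


def scan_process_events(lines):
    """Return (host, parent, child) for each suspicious process-creation event.

    Malformed or blank lines are skipped rather than aborting the scan.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if office_spawned_script(event):
            hits.append((event.get("Computer", "?"),
                         basename(event["ParentImage"]),
                         basename(event["Image"])))
    return hits


# Constructed sample events (not real telemetry). Raw string keeps the JSON backslashes.
SAMPLE_LOG = r"""
{"Computer": "WS-01", "ParentImage": "C:\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"Computer": "WS-02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Office16\\EXCEL.EXE"}
{"Computer": "WS-02", "ParentImage": "C:\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\cmd.exe"}
{"Computer": "WS-03", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
not json at all
"""

if __name__ == "__main__":
    for host, parent, child in scan_process_events(SAMPLE_LOG.splitlines()):
        print(f"{host}: {parent} spawned {child}; isolate host and investigate")
```

A user opening a legitimate document never produces the Office-to-script-host edge, so hits from this rule are rare and worth isolating the host for, as the advisory recommends.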
For HG Managed Services customers, our team will engage with the appropriate technical contacts in your respective organizations to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.