
Feds Warn of TrickBot Spear-Phishing Attacks Delivering Malware Payload

DHS CISA and the FBI urge entities to be on alert for a sophisticated TrickBot spear-phishing campaign. Meanwhile, Check Point found TrickBot is the most distributed malware.

A joint federal alert warns that all entities should be on alert for a newly observed spear-phishing campaign that leverages malicious emails to deliver the TrickBot malware payload. Healthcare administrators should review the alert for the attack methods and indicators of compromise it describes.

TrickBot is highly modular and is delivered through multiple stages, as its operators leverage a full suite of tools to conduct a range of nefarious activities. Its operators are highly sophisticated and continuously evolve the threat to increase its impact.

The malware has been active since 2016, first as a banking trojan and now as a variant often paired with other malicious threats.

The alert comes on the heels of a recent report from Check Point that ranked TrickBot as the leading malware variant, since the global takedown of the Emotet botnet in January.

Despite the global takedown, hackers are continuing to leverage other high-ranking threats that have previously seen a high level of success, such as Trickbot. It’s the first time the TrickBot trojan has topped the malware index, and it rose from the third position in January.

TrickBot was the fourth-most prevalent malware variant in 2020, affecting 8 percent of all global organizations. In fact, the threat was used in the massive ransomware attack against Universal Healthcare Services in the fall of 2020.

The hackers used TrickBot to detect and harvest data from UHS’ systems prior to the ransomware deployment. All 400 sites were impacted by the incident, which lasted for more than three weeks and cost the health system about $67 million in lost revenue and recovery efforts.

“Criminals will continue using the existing threats and tools they have available, and Trickbot is popular because of its versatility and its track record of success in previous attacks,” researchers noted.  

“Even when a major threat is removed, there are many others that continue to pose a high risk on networks worldwide, so organizations must ensure they have robust security systems in place to prevent their networks being compromised and minimize risks,” they added. 

The last known method used by TrickBot was a widespread spam campaign designed to trick users in the insurance and legal sectors into downloading a malicious .zip archive that contained a JavaScript file. Once opened, the variant would attempt to download other malicious files from a remote server.

According to the FBI and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency, the newest TrickBot campaign is sophisticated in nature and leverages phishing emails that claim to contain proof of traffic violations to lure victims into downloading TrickBot.

The spear-phishing campaign uses tailored emails that contain either a malicious attachment or link and claim to have proof of a traffic violation, but are used to steal the victim’s information.

If a user interacts with the email, they’re brought to a website hosted on a compromised server, then prompted to click on the photo proof of their traffic violation. 

When the image is clicked, a malicious JavaScript file is downloaded that can automatically communicate with the threat actor’s command and control server to download TrickBot onto the network.

A successful TrickBot attack can enable the attacker to install additional malware, including the notorious Ryuk and Conti ransomware, which are tied to data extortion groups. TrickBot can also serve as a downloader for Emotet.

“TrickBot uses person-in-the-browser attacks to steal information, such as login credentials,” CISA warned. “Some of TrickBot’s modules spread the malware laterally across a network by abusing the Server Message Block (SMB) Protocol.” 

“TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting, to trying to manipulate, interrupt, or destroy systems and data,” they added.

What’s more, the variant is able to leverage cryptomining, host enumeration, and even data exfiltration. For host enumeration attempts, the hackers deliver TrickBot via modules that contain a configuration file with specific tasks.

Check Point urged all entities to train employees to equip them with the needed skills for identifying malicious emails that so readily spread TrickBot and other malware.

CISA and the FBI recommended that all network defenders consider reviewing and/or implementing additional security best practices to defend against these sophisticated phishing attacks.

Employees need social engineering and phishing training to better understand the threat, while administrators should create or update policies for addressing suspicious emails -- including that all suspicious communications be reported to the security or IT departments.

Administrators should also mark external emails with a banner denoting the message as such, which can help users detect spoofed emails. CISA provided a full list of recommendations that can help entities to bolster crucial security practices, in light of the aggressive targeting against the healthcare sector.
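A defender-side illustration of two points the article raises, the .zip-with-JavaScript delivery described earlier and the external-sender banner recommended above. This is an added example, not code from the alert, CISA or Check Point: it builds a constructed lure message in memory, flags script files found inside archive attachments, and decides whether the sender is external. The internal domain, extension list and banner text are assumed policy values.

```python
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed policy values (not from the alert): internal domain, risky script extensions, banner.
INTERNAL_DOMAIN = "example-health.org"
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta")
BANNER = "[EXTERNAL]"

def is_external(from_header: str) -> bool:
    """True when the From: address is not in the internal domain."""
    addr = parseaddr(from_header)[1].lower()
    return not addr.endswith("@" + INTERNAL_DOMAIN)

def archive_script_members(data: bytes) -> list:
    """Names of script-type files inside a zip payload (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []

def inspect_message(msg: EmailMessage) -> dict:
    """Flag script attachments (bare or zipped) and tag external senders."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(SCRIPT_EXTENSIONS):
            findings.append(f"script attachment: {name}")
        for member in archive_script_members(payload):
            findings.append(f"script inside archive {name}: {member}")
    external = is_external(str(msg.get("From", "")))
    subject = (BANNER + " " if external else "") + str(msg.get("Subject", ""))
    return {"external": external, "subject": subject,
            "findings": findings, "quarantine": bool(findings)}

def build_sample() -> EmailMessage:
    """Constructed lure: traffic-violation text with a .zip holding an inert .js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("violation_photo.js", "// inert placeholder\n")
    msg = EmailMessage()
    msg["From"] = "Traffic Bureau <notice@example.invalid>"
    msg["Subject"] = "Photo proof of your traffic violation"
    msg.set_content("See the attached photo proof.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="violation_photo.zip")
    return msg
```

In a real gateway the `quarantine` decision would feed the reporting policy the article mentions, so flagged messages reach the security or IT team rather than the user.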

NIST previously provided insights for preventing and handling suspected malware intrusions on desktop and laptops.
