
TrickBot Botnet Targeting Multiple Industries

Summary

- Attack Vector: Phishing Campaign
- Type of Attack: Malware Implant
- Objective: Steal Credentials, Data Exfiltration, Lateral Movement, Payload Delivery, DDoS Attack
- Suspected Hacker Group: -
- Target Country: Global
- Target Industry: Election Infrastructure, Government Agencies, Healthcare Infrastructure, Financial Services
- Target Technology: Windows OS
- Detected Date: 26 October 2020
- Attack Status: On-going
- Risk Rate: High
- Reason: TrickBot malware has been observed actively targeting organizations across the globe. According to researchers, the malware has compromised up to one million systems to date and has been used by both nation-state and cybercriminal operators for malicious operations.

Introduction

TrickBot is among the largest malware botnets in the world and ranks among the top three Malware-as-a-Service (MaaS) operations in the cybercrime underworld. It first appeared in 2016 as a banking trojan designed to steal information and provide backdoor access through which other malware could be deployed.

Key Attributes

TrickBot was assessed as a likely source of disruption to the 2020 US presidential election. A coalition of technology companies organized an initiative to take down the botnet's backend infrastructure and thwart any election interference schemes.

According to coalition representatives, TrickBot had infected more than one million computers at the time of the planned takedown. Researchers spent months collecting and analysing malware samples, including the servers used to control and infect machines around the world.

The coalition also obtained approval to disable IP addresses, suspend services and block efforts by the TrickBot operators to purchase additional servers. Despite this, the botnet survived the coordinated takedown attempts.

TrickBot is one of the biggest botnets in the world today. The malware was first created as a banking
Trojan in 2016 and was then turned into a multi-function malware downloader that infects systems and
provides access to other criminal gangs via the MaaS model.

The primary election-related concern is the botnet's ability to deliver ransomware or launch DDoS attacks that could disable voter registration systems. TrickBot can also deliver a trojan that targets online banking and send email campaigns to spread laterally within a network, scraping login credentials before ransomware is deployed on the device.

The impact of the coordinated takedown was limited: the command and control servers that were seized have already been replaced with new infrastructure.

TrickBot relies on bulletproof hosting providers that are unresponsive or slow to react to takedown requests, which is the likely reason for its survival.

In a recent legal precedent, Microsoft successfully argued that TrickBot infringed its copyright by copying and using its software development kits (SDKs) for fraudulent purposes. This legal approach is expected to ease jurisdictional issues when Microsoft runs further takedowns against TrickBot infrastructure.

While the TrickBot botnet is a persistent threat that requires continued engagement, temporarily disabling it bought the U.S. valuable time to improve defenses. Security researchers noted that TrickBot botnet attacks have dropped from thousands to hundreds per day.

About the Threat Actor Groups

The threat actor group behind the campaign is currently unknown.

Insights

According to researchers, TrickBot is a successor to the Dyre banking trojan and was initially designed to steal banking credentials. Over the years its operators built the trojan into a substantial botnet, which was then offered as Malware-as-a-Service (MaaS) to cyber criminals. Customers use the botnet as an entry point to install post-exploitation frameworks such as PowerShell Empire, Metasploit and Cobalt Strike, which are then used to exfiltrate data, steal credentials and deploy additional payloads, most notably the Ryuk ransomware. Emotet malware has also been observed delivering TrickBot payloads to infected machines.

CYFIRMA, as part of its cyber-threat predictions for 2020, called out that threat actors would recycle and repurpose existing malware to carry out cyber-attacks. TrickBot, being commodity malware, has been leveraged in the past and will continue to be leveraged by threat actors to launch new sets of attacks to achieve their goals.

Indicators Of Compromise

Following are the indicators of compromise associated with the campaign: 

Note: Kindly refer to the IOCs Section to exercise controls on your security systems

Tactical Recommendations

- Implement spam filters that can recognize and prevent emails from suspicious sources from ever reaching employee inboxes.
- Train employees to recognize phishing attacks so that they avoid clicking on malicious links. For example, if the domain of the link to which you are being directed does not match the purported company domain, the link is fake.
- Build and undertake safeguarding measures by monitoring/blocking the IOCs, and strengthen defenses based on the tactical intelligence provided.
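The link-domain check described above (the href host must match the domain the message claims to be from) is easy to state but has edge cases that phishers exploit, such as look-alike subdomains (`bank.com.attacker.invalid`) and userinfo tricks (`https://bank.com@attacker.invalid`). The following is an added illustration written for this report, not code from CYFIRMA or from any TrickBot sample; it pulls anchors out of a constructed HTML email body and compares the host a browser would actually connect to against both the host shown in the link text and an assumed expected domain (`example-bank.com`).

```python
"""Flag phishing links whose visible text or claimed sender domain does not match the real href host.
Added example for the link-domain rule above; the sample email and domains below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML email body (not taken from any real campaign).
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="https://login.example-bank.com/verify">https://login.example-bank.com/verify</a><br>
<a href="http://example-bank.com.attacker.invalid/verify">https://www.example-bank.com/verify</a><br>
<a href="https://example-bank.com@attacker.invalid/login">https://example-bank.com/login</a><br>
<a href="https://attacker.invalid/doc.zip">Invoice.pdf</a>
"""

EXPECTED_DOMAIN = "example-bank.com"  # assumed domain the email claims to come from


def registered_domain(host):
    """Last two labels of a hostname: 'login.example-bank.com' -> 'example-bank.com'.
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def href_host(url):
    """Host the browser would really connect to. urlsplit() discards the user@ part,
    so 'https://example-bank.com@attacker.invalid/' resolves to attacker.invalid."""
    return (urlsplit(url).hostname or "").lower()


_URL_IN_TEXT = re.compile(r"https?://([^\s/@:]+)", re.I)


def display_host(text):
    """Host the user *sees* in the link text, or None if the text is not URL-like."""
    match = _URL_IN_TEXT.search(text)
    return match.group(1).lower() if match else None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def check_link(href, text, expected_domain=None):
    """Classify one anchor as 'ok', 'suspicious' or 'phishing' with a reason."""
    actual = href_host(href)
    if not actual:
        return "suspicious", "no host in href"
    shown = display_host(text)
    # Visible URL and real destination disagree: classic display-text spoofing.
    if shown is not None and registered_domain(shown) != registered_domain(actual):
        return "phishing", f"text shows {shown} but href goes to {actual}"
    # Destination is not the domain the message purports to come from.
    if expected_domain and registered_domain(actual) != registered_domain(expected_domain):
        return "suspicious", f"href host {actual} is not under {expected_domain}"
    return "ok", f"href host {actual}"


def scan_email(html, expected_domain=None):
    """Return [(href, verdict, reason), ...] for every link in the HTML body."""
    return [(href, *check_link(href, text, expected_domain))
            for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, verdict, reason in scan_email(SAMPLE_EMAIL, EXPECTED_DOMAIN):
        print(f"{verdict:10} {href}  ({reason})")
```

Run on the constructed sample, the first link is accepted, the two spoofed links are reported as phishing, and the bare `Invoice.pdf` link to an unrelated host is flagged as suspicious. In production the `registered_domain()` helper should be backed by the Public Suffix List so that `example.co.uk` and `attacker.co.uk` are not treated as the same registered domain.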

Strategic Recommendations

- Establish Incident Response, Disaster Recovery and Business Continuity plans.
- Implement a critical data protection program.

Management Recommendations

- Conduct thorough identification and prioritization of cyber risks and critical data through risk assessments, vulnerability assessments and system reviews.
- Implement prudent systems, processes and procedures to manage and mitigate risks.
- Effectively implement security initiatives that encompass awareness building and training across the organization.

End of Cyber Attacks
