CSO Senior Writer

TrickBot returns with campaign against legal and insurance firms

News Analysis
Jan 29, 2021 | 4 mins

The new iteration of the TrickBot botnet, which had enabled Ryuk and other ransomware attacks, uses malicious links in emails rather than rogue email attachments.


Despite the security industry’s efforts to disrupt the TrickBot botnet, its operators are trying to revive it with new infection campaigns. The latest one, observed by researchers this month, targeted legal and insurance companies.

“In the most recent campaign we observed across our global Menlo Security cloud platform, we noticed the attackers used an interesting lure to get users to click and install the Trickbot malware on the endpoint,” security firm Menlo Security said in a report Friday. “This ongoing campaign that we identified exclusively targeted legal and insurance verticals in North America.”

TrickBot background

TrickBot has been plaguing companies and consumers since 2016, infecting over a million computers. In recent years it has come often into the spotlight because of its association with Ryuk, a highly sophisticated ransomware operation that has hit many organizations around the world.

TrickBot started out as a banking Trojan but evolved into a crimeware platform through which its operators sold access to infected computers to other hacker groups who wanted to distribute their own malware. One of those groups, and probably TrickBot’s biggest customer, is the gang behind Ryuk, which is why Ryuk infections are often preceded by a TrickBot infection.

In October, Microsoft used legal action to seize many of the domain names that were used to operate TrickBot command-and-control servers and then worked with other security vendors and ISPs to take control of them. By early November, no TrickBot command-and-control servers were still active, but researchers warned these attackers were resourceful and might try to rebuild the botnet.

The latest Trickbot campaign

The campaign detected by Menlo involved spam emails with a malicious URL that, if clicked, took users through a series of redirects to a page that posed as an automated notification for negligent driving. The page had a button to download the alleged photographic evidence, but clicking it instead downloaded a zip archive with a malicious JavaScript file inside.

“The embedded JavaScript is heavily obfuscated, which has been a TTP typical of the Trickbot malware,” the Menlo Security researchers said. “If the user opens the downloaded JavaScript file, an HTTP request is made to the CnC server to download the final malicious binary.”
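The lure described above is a zip archive whose payload is a script that Windows will run on double-click. The following is an added example, not code from the article or from Menlo Security, of the kind of archive inspection a mail or proxy gateway can apply to downloaded archives; the archives it checks are constructed in-memory stand-ins, not real samples.

```python
import io
import os
import zipfile

# Extensions Windows hands to the script host when a user double-clicks them.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

def script_members(archive_bytes: bytes) -> list[str]:
    """Names of archive members with a script-type extension; [] if not a zip.
    Extension matching is case-insensitive and looks at the last suffix, so a
    double extension such as photo.jpg.js is still caught."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            return [m.filename for m in zf.infolist()
                    if not m.is_dir()
                    and os.path.splitext(m.filename)[1].lower() in SCRIPT_EXTENSIONS]
    except zipfile.BadZipFile:
        return []

def is_script_lure(archive_bytes: bytes) -> bool:
    """True when the archive carries any directly executable script. An archive
    that holds nothing but a script (the negligent-driving lure) is the clearest
    case, but a script mixed in with decoy files is flagged as well."""
    return bool(script_members(archive_bytes))

def build_sample_archive(members: dict[str, bytes]) -> bytes:
    """Constructed sample data: build an in-memory zip from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed stand-ins for the lure archive and for a benign photo archive.
LURE_ARCHIVE = build_sample_archive(
    {"photo_evidence_0129.js": b"/* constructed placeholder, not real malware */"})
BENIGN_ARCHIVE = build_sample_archive(
    {"photo_evidence_0129.jpg": b"\xff\xd8\xff\xe0 constructed jpeg stub"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ARCHIVE), ("benign", BENIGN_ARCHIVE)):
        print(label, script_members(blob), is_script_lure(blob))
```

A gateway would quarantine or detonate archives for which `is_script_lure` returns True rather than passing them to the user.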

The researchers are still analyzing the payload itself to see if there are any differences between it and the TrickBot samples from before the takedown. However, they noted that at this time both the malicious URLs spread via email and the URL from which the payload is downloaded have a low detection rate.

TrickBot has a modular architecture with over two dozen known plug-ins that enable different functionalities. Last year, researchers warned about a worrying development where a new module enabled TrickBot to detect insecure UEFI firmware and potentially brick devices or deploy stealthy low-level backdoors.

The use of malicious URLs in emails is a somewhat unusual distribution technique for TrickBot, which has traditionally been distributed through rogue email attachments, such as poisoned Word and Excel documents or Java Network Launch Protocol (.jnlp) files. The malware has also been commonly delivered through Emotet, another botnet that was just disrupted this week following a joint operation by law enforcement agencies in several countries.

“Where there’s a will, there’s a way,” the Menlo researchers concluded. “That proverb certainly holds true for the bad actors behind Trickbot’s operations. While Microsoft and its partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment.”

According to researchers from security firm Intel 471, who have been monitoring TrickBot since Microsoft’s takedown action, this new activity is likely tied to a gtag called rob35. (The TrickBot operators assign different identifiers called gtags to their campaigns to track their success.)

In December, a separate TrickBot campaign with the gtag rob20 involved highly targeted spamming against restaurant chains after attackers got their hands on a marketing dataset. This latest campaign could be based on a similar stolen dataset specific to a brand or industry vertical, Jason Passwaters, Intel 471’s COO, tells CSO.

“Generally, things have slowed down a good bit since before the Microsoft disruption effort, but I don’t think we can say they are ‘back’ as if they were ‘gone’,” Passwaters says. “These folks run a fairly resilient and sophisticated operation. Until we see cybercriminals in handcuffs, they will continue to learn, adjust and rebuild. As far as Trickbot activity in general, since January 1, 2021, we’ve seen a regular amount of controller activity across 40-plus other unique gtags indicating they are still fairly active.”

Editor’s note: This article was updated on February 1, 2021, to include comments from Intel 471.