Trickbot

Last updated

Trickbot was a trojan for Microsoft Windows and other operating systems. [1] Its major function was originally the theft of banking details and other credentials, but its operators have extended its capabilities to create a complete modular malware ecosystem. [2]

Contents

Capabilities

Trickbot was first reported in October 2016. It is propagated by methods including executable programs, batch files, email phishing, Google Docs, and fake sexual harassment claims. [3]

The Web site Bleeping Computer has tracked the evolution of TrickBot from its start as a banking Trojan. Articles cover its extension to attack PayPal and business customer relationship management (CRM; June 2017),the addition of a self-spreading worm component (July 2017), coinbase.com, DKIM support to bypass email filters, steal Windows problem history, steal cookies (July 2019), targets security software such as Microsoft Defender to prevent its detection and removal (July 2019), steal Verizon Wireless, T-Mobile, and Sprint PIN codes by injecting code when accessing a Web site (August 2019), steal OpenSSH and OpenVPN keys (November 2019), spread malware through a network (January 2020), bypass Windows 10 UAC and steal Active Directory credentials (January 2020), use fake COVID-19 emails and news (since March 2020), bypass Android mobile two-factor authentication, checks whether it is being run in a virtual machine (by anti-malware experts; July 2020), infecting Linux systems (July 2020). [4]

TrickBot can provide other malware with access-as-a-service to infected systems, including Ryuk (January 2019) and Conti ransomware; the Emotet spam Trojan is known to install TrickBot (July 2020). [4]

In 2021, IBM researchers reported that trickbot had been enhanced with features such as a creative mutex naming algorithm and an updated persistence mechanism. [5]

Infections

On 27 September 2020, US hospitals and healthcare systems were shut down by a cyber attack using Ryuk ransomware. It is believed likely that the Emotet Trojan started the botnet infection by sending malicious email attachments during 2020. After some time, it would install TrickBot, which would then provide access to Ryuk. [6]

Despite the efforts to extinguish TrickBot, the FBI and two other American federal agencies warned on 29 October 2020 that they had "credible information of an increased and imminent cybercrime [ransomware] threat to US hospitals and healthcare providers" as COVID-19 cases were spiking. After the previous month's attacks, five hospitals had been attacked that week, and hundreds more were potential targets. Ryuk, seeded through TrickBot, was the method of attack. [7]

Arrests

In August 2020, the Department of Justice issued arrest warrants for threat actors running the Trickbot botnet. [8] In January 2021, an administrator of the virus distribution component of the Trickbot, Emotet, was arrested in Ukraine. [8] In February 2021, Max (AKA: Alla Witte; Alla Klimova; Алла Климова;) a developer of Trickbot platform and ransomware components, was arrested. [8] [9] [10]

Retaliation

From the end of September 2020, the TrickBot botnet was attacked by what is believed to be the Cyber Command branch of the US Department of Defense and several security companies. A configuration file was delivered to systems infected by TrickBot that changed the command and control server address to 127.0.0.1 (localhost, an address that cannot access the Internet). The efforts actually started several months earlier, with several disruptive actions. The project aims for long-term effects, gathering and carefully analyzing data from the botnet. An undisclosed number of C2 servers were also taken down by legal procedures to cut their communication with the bots at the hosting provider level. The action started after the US District Court for the Eastern District of Virginia granted Microsoft's request for a court order to stop TrickBot activity. The technical effort required is great; as part of the attack, ESET's automatic systems examined more than 125,000 Trickbot samples with over 40,000 configuration files for at least 28 individual plugins used by the malware to steal passwords, modify traffic, or self-propagate.

The attacks would disrupt the TrickBot significantly, but it has fallback mechanisms to recover, with difficulty, computers removed from the botnet. It was reported that there was short-term disruption, but the botnet quickly recovered due to its infrastructure remaining intact. [11] [2] [12]

The US government considered ransomware to be a major threat to the 2020 US elections, as attacks can steal or encrypt voter information and election results, and impact election systems. [11]

On 20 October 2020, a security message on the Bleeping Computer website reported that the Trickbot operation was "on the brink of completely shutting down following efforts from an alliance of cybersecurity and hosting providers targeting the botnet's command and control servers", after the relatively ineffective disruptive actions earlier in the month. A coalition headed by Microsoft's Digital Crimes Unit (DCU) had a serious impact, although TrickBot continued to infect further computers. On 18 October, Microsoft stated that 94% of Trickbot's critical operational infrastructure - 120 out of 128 servers - had been eliminated. Some Trickbot servers remained active in Brazil, Colombia, Indonesia, and Kyrgyzstan. Constant action, both technical and legal, is required to prevent Trickbot from re-emerging due to its unique architecture. Although there was no evidence of TrickBot targeting the US election on 3 November 2020, intense efforts continued until that date. [13]

Related Research Articles

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

<span class="mw-page-title-main">ESET</span> Slovak internet security company

ESET, s.r.o., is a software company specializing in cybersecurity. ESET's security products are made in Europe and provide security software in over 200 countries and territories worldwide. Its software is localized into more than 30 languages.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Bleeping Computer is a website covering technology news and offering free computer help via its forums that was created by Lawrence Abrams in 2004. It publishes news focusing heavily on cybersecurity, but also covers other topics including computer software, computer hardware, operating system and general technology.

Zeus is a Trojan horse malware package that runs on versions of Microsoft Windows. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

Avalanche was a criminal syndicate involved in phishing attacks, online bank fraud, and ransomware. The name also refers to the network of owned, rented, and compromised systems used to carry out that activity. Avalanche only infected computers running the Microsoft Windows operating system.

The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running Microsoft Windows, and was believed to have first been posted to the Internet on 5 September 2013. It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment was made by a stated deadline, and it threatened to delete the private key if the deadline passes. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.

<span class="mw-page-title-main">Gameover ZeuS</span> Peer-to-peer botnet

GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.

<span class="mw-page-title-main">BadUSB</span> Cybersecurity attack using USB devices

BadUSB is a computer security attack using USB devices that are programmed with malicious software. For example, USB flash drives can contain a programmable Intel 8051 microcontroller, which can be reprogrammed, turning a USB flash drive into a malicious device. This attack works by programming the fake USB flash drive to emulate a keyboard, which once plugged into a computer, is automatically recognized and allowed to interact with the computer, and can then initiate a series of keystrokes which open a command window and issue commands to download malware.

Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word.

<span class="mw-page-title-main">Locky</span>

Locky is ransomware malware released in 2016. It is delivered by email with an attached Microsoft Word document that contains malicious macros. When the user opens the document, it appears to be full of gibberish, and includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, they save and run a binary file that downloads the actual encryption Trojan, which will encrypt all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination. Initially, only the .locky file extension was used for these encrypted files. Subsequently, other file extensions have been used, including .zepto, .odin, .aesir, .thor, and .zzzzz. After encryption, a message instructs them to download the Tor browser and visit a specific criminal-operated Web site for further information.

<span class="mw-page-title-main">MalwareMustDie</span> Whitehat security research workgroup

MalwareMustDie, NPO is a whitehat security research workgroup that was launched in August 2012. MalwareMustDie is a registered nonprofit organization as a medium for IT professionals and security researchers gathered to form a work flow to reduce malware infection in the internet. The group is known for their malware analysis blog. They have a list of Linux malware research and botnet analysis that they have completed. The team communicates information about malware in general and advocates for better detection for Linux malware.

EternalBlue is computer exploit software developed by the U.S. National Security Agency (NSA). It is based on a vulnerability in Microsoft Windows that, at the time, allowed users to gain access to any number of computers connected to a network. The NSA had known about this vulnerability for several years but had not disclosed it to Microsoft yet, since they planned to use it as a defense mechanism against cyber attacks. In 2017, the NSA discovered that the software was stolen by a group of hackers known as the Shadow Brokers. Microsoft was informed of this and released security updates in March 2017 patching the vulnerability. While this was happening, the hacker group attempted to auction off the software, but did not succeed in finding a buyer. EternalBlue was then publicly released on April 14, 2017.

Emotet is a malware strain and a cybercrime operation believed to be based in Ukraine. The malware, also known as Heodo, was first detected in 2014 and deemed one of the most prevalent threats of the decade. In 2021, the servers used for Emotet were disrupted through global police action in Germany and Ukraine and brought under the control of law enforcement.

Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian, who target organizations rather than individual consumers.

FIN7, also called Carbon Spider, ELBRUS, or Sangria Tempest, is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. FIN7 is also associated with GOLD NIAGARA, ITG14, ALPHV and BlackCat.

References

  1. "Advisory: Trickbot". www.ncsc.gov.uk. Retrieved 2020-10-13.
  2. 1 2 "Trickbot disrupted". Microsoft Security. 2020-10-12. Retrieved 2020-10-13.
  3. Gatlan, Sergiu (11 November 2019). "TrickBot Malware Uses Fake Sexual Harassment Complaints as Bait". BleepingComputer.
  4. 1 2 "Articles tagged with TrickBot". Bleeping Computer. Retrieved 29 October 2020. A list of Bleeping Computer articles about TrickBot, with descriptive titles, starting in 2016
  5. "Is It Impossible To Take Down TrickBot Permanently?". The Hack Report. 2021-02-02. Retrieved 2021-04-14.
  6. Gatlan, Sergiu (28 September 2020). "UHS hospitals hit by reported country-wide Ryuk ransomware attack". BleepingComputer.
  7. Staff and agencies (29 October 2020). "US hospital systems facing 'imminent' threat of cyber attacks, FBI warns". The Guardian.
  8. 1 2 3 "Trickbot Gang Arrest – Story of Alla Witte". Hold Security. Archived from the original on 2021-06-08. Retrieved 2 July 2022.
  9. Seals, Tara (June 8, 2021). "TrickBot Coder Faces Decades in Prison". threat post. Archived from the original on June 8, 2021. Retrieved 2 July 2022.
  10. "Latvian National Charged for Alleged Role in Transnational Cybercrime Organization". justice.gov. 4 June 2021. Archived from the original on 2021-06-08.
  11. 1 2 Ilascu, Ionut (12 October 2020). "TrickBot botnet targeted in takedown operations, little impact seen". BleepingComputer.
  12. Greene, Jay; Nakashima, Ellen. "Microsoft seeks to disrupt Russian criminal botnet it fears could seek to sow confusion in the presidential election". Washington Post. ISSN   0190-8286 . Retrieved 2020-10-13.
  13. Ilascu, Ionut (20 October 2020). "TrickBot malware under siege from all sides, and it's working". BleepingComputer.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.