The latest Trickbot malware proved that cybercriminals are masters of agile development. As the enterprise upgrades systems to protect against one threat, fraudsters change their tactics to evade detection. New techniques are always being used to thwart detection tools. Phishing sites, for example, will often use evasion tactics to avoid detection by scanners, users, and even security analysts. Techniques vary and include using HTTPS to make users believe the site is safe or using images to display text, as well as blocking security researchers from locating a phishing site to take it down.
Malware that underpins many phishing campaigns is also often given its own makeover. This time it is the infamous banking trojan, TrickBot.
TrickBot is a trojan malware that was originally designed to target bank users. TrickBot is fairly new in the life cycle of malware, first being spotted in the wild in 2016. Since then, the malware has infected around 1 million computers worldwide. The TrickBot malware is designed to target both individuals and businesses, focusing on stealing credentials to access online bank accounts or to steal other personal information that is then used to commit identity theft and other fraud. More recently, TrickBot has been associated with the distribution of ransomware, the malware acting as a ‘loader’ to facilitate infection.
TrickBot has many tricks up its malware sleeves and it should be considered a highly versatile malware system, not just a one-shot malicious executable. The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) recently published a warning about an imminent attack against healthcare. The attack methodology involved TrickBot being used to ‘load’ the system, opening the door for further malware by establishing a ‘command and control’ channel that the fraudsters use to infect the network.
TrickBot is a tricky customer. In an effort to prevent TrickBot malware from interrupting or impacting the US elections, Microsoft went for the motherlode and requested a court order to shut down the servers behind TrickBot. In a notice published on October 12th, 2020, Microsoft said they had achieved this:
“...through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating TrickBot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”
However, now that the elections are over, TrickBot has risen from the ashes anew…
The TrickBot puppet masters are nothing if not reactive. To prevent further takedowns, they have built some new features into the design of the malware. On November 3rd and 18th respectively, TrickBot versions 2000016 and 100003 were rolled out; the seemingly out-of-sequence numbering merely indicates a move back to an older versioning scheme.
Researchers at Bitdefender found new life in the old malware, including:
A new Command and Control (C2) infrastructure: TrickBot now uses compromised MikroTik routers as the basis of its C2 communications. A search on Shodan, a system that looks for Internet-connected devices, found 1.7 million of these routers, many of which can be compromised using stolen credentials or other weaknesses. The latest TrickBot version also has a fallback option if a C2 server is not working.
Obfuscation is the name of the game: One of the tricks that TrickBot and some other malware use is to hide from scanners, and even from human analysts, by using obfuscation techniques. An analysis of the latest version of TrickBot by Huntress found that the TrickBot operators have obfuscated the batch file used to deliver the malware payload by inserting seemingly random letters and other characters. They are believed to have done this to make it difficult for automated scanning software to detect evidence of the malware. Huntress goes on to say that, although the script that delivers the malware may look like nonsense, it is not: there is enough structure left for the Windows cmd[.]exe batch file processor to interpret and execute it.
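The article only says that the batch file was padded with seemingly random characters that cmd.exe still interprets correctly. The following Python snippet is an added illustration of why a naive signature scanner misses such a script and how a detection pipeline can recover the intent: it applies two pieces of cmd.exe preprocessing (expansion of %VAR% references, where an undefined variable expands to nothing inside a batch file, followed by removal of the ^ escape character outside double quotes) and then runs indicator patterns over the normalized line. It is not code from Huntress, Bitdefender or the TrickBot sample; the obfuscation forms handled, the indicator list and the sample command lines are all constructed assumptions for the example.

```python
import re

# Constructed sample, NOT taken from any real TrickBot script: a single batch
# line padded with caret escapes and references to environment variables that
# do not exist. cmd.exe collapses both, so the command still runs as intended.
SAMPLE_OBFUSCATED = 'p^o^w^e^r%nope%s^h^e^l^l -n^o^p -w hi^dd^en -c "Write-Host ^ok"'

# %NAME%, optionally with the :~start,length substring syntax cmd.exe supports.
ENV_REF = re.compile(r"%([A-Za-z0-9_]+)(?::~(-?\d+)(?:,(-?\d+))?)?%")

# Indicator patterns a scanner might apply (assumed list, defender-defined).
INDICATORS = {
    "powershell_launch": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-no(p|profile)\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "lolbin": re.compile(r"\b(rundll32|regsvr32|certutil|bitsadmin|mshta)(\.exe)?\b", re.I),
}


def expand_variables(line, env):
    """Phase 1 of cmd.exe batch parsing: expand %VAR% references.

    env maps upper-case variable names to values. An undefined name expands to
    the empty string, which is what lets attackers sprinkle %junk% into a line.
    %% is a literal percent sign and is protected with a sentinel first.
    """
    def replace(match):
        name, start, length = match.group(1), match.group(2), match.group(3)
        value = env.get(name.upper(), "")
        if start is not None:
            value = value[int(start):]            # negative start counts from the end
            if length is not None:
                value = value[:int(length)]       # negative length trims from the end
        return value

    protected = line.replace("%%", "\x00")
    return ENV_REF.sub(replace, protected).replace("\x00", "%")


def strip_carets(line):
    """Phase 2: drop the ^ escape character, keeping the character it escapes.

    Inside double quotes cmd.exe treats ^ literally, so quoted text is left alone.
    """
    out, in_quotes, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes and i + 1 < len(line):
            out.append(line[i + 1])              # escaped char survives, caret does not
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def normalize_batch_line(line, env=None):
    """Approximate what cmd.exe will actually execute for one batch line."""
    return strip_carets(expand_variables(line, env or {}))


def find_indicators(line):
    """Return the sorted names of indicator patterns that match the line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(line))


if __name__ == "__main__":
    # Constructed environment for the substring-expansion case.
    env = {"COMSPEC": r"C:\Windows\System32\cmd.exe"}
    for raw in (SAMPLE_OBFUSCATED, "%COMSPEC:~-7,3% /c echo hi"):
        normalized = normalize_batch_line(raw, env)
        print("raw       :", raw, "->", find_indicators(raw))
        print("normalized:", normalized, "->", find_indicators(normalized))
```

Run against the constructed sample, the raw line matches no indicator at all while the normalized line trips the PowerShell, hidden-window and no-profile patterns, which is the gap the article describes between a scanner that reads the file as text and the interpreter that executes it. Real batch obfuscation has more forms than the two handled here (delayed expansion, string substitution, FOR-loop reassembly), so in practice this kind of normalizer is one gate among several rather than a complete answer.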
The Huntress analyst states that:
“There is no denying that having automation in place really improves the security posture and defense of an organization… but automated tools, as with everything, should be just one layer of defense.”
According to Bitdefender, the latest version of TrickBot has been used in attacks in the USA, Malaysia, Romania, Russia, and Malta. With improved obfuscation and working command and control servers, this malware will likely continue to infect computers across the world.
One noteworthy thought from the latest TrickBot evasion techniques is that cybersecurity prevention is not an on-off switch. Instead, security initiatives need to use multiple gates: the first gate may stop the vast majority of cyber-threats, but subsequent gates, using more advanced techniques, are needed to stop threats that evade detection. Advanced techniques that use smart technologies, including machine learning and behavioral analysis, are needed to block modern malware. Machine learning-based real-time threat detection and monitoring provide the automation needed to discover threats at massive scale. When coupled with human-supervised backup, this powerful combination delivers the gates needed to spot malware masquerading as something legitimate or obfuscated from view.
This intelligent, defense-in-depth approach is increasingly needed as cybercriminals up their game. As 2020 turns into 2021, the hackers behind TrickBot and other malicious software will no doubt have plans to enact even more attacks. But the enterprise can turn the tables on the TrickBot hackers by using its own box of tricks in the form of smart cybersecurity automation tools.
WebTitan Cloud is a DNS-based web filtering solution that provides complete protection from online threats such as malware, ransomware and phishing attacks. If you are looking for the best web security for your organization, contact the TitanHQ team today for further information and a product demonstration.