Malware that has existed since 2016 has been spotted once more; this time, the researchers who discovered it say it has evolved to become more sophisticated and more infectious than its previous versions.
According to Shaul Vilkomir-Preisman, a cybersecurity researcher at DeepInstinct, in a study supported by Tom Nipravski, a new variant of the Trickbot malware has been discovered; it has already harvested more than 250 million email addresses and is still wreaking havoc all over the world.
“Ever since its discovery in 2016, TrickBot has remained a continuously active and very adaptive actor in the cybercrime threat landscape. What was once a malware family focused on financial data theft is now a robust, elaborate, and sophisticated threat, multi-purpose for various types of malicious activity,” wrote Vilkomir-Preisman on a report.
“Recent findings from a currently active and ongoing TrickBot campaign, which features extensive use of signed malware binaries, indicate that it now has a new variant. Alongside its recent addition of a cookie stealing module, it has gained a new partner in crime — a malicious email based infection and distribution module that shares its code signing certificates.”
US and UK government agencies are targets
The investigation conducted by the researchers located several infection servers from which the malware is downloaded onto victim machines, as well as command and control servers. On those servers, the researchers also found a database of 250 million e-mail accounts compiled by the operators of the Trickbot campaign.
The database could be a list of potential victims and targets against which the operators could run more sophisticated attacks. The researchers raised the alarm after surveying the database, since it also contains emails belonging to high-value targets such as government agencies and departments in the US and the UK.
These include many US Government departments and agencies, such as:
- US Dept. of Justice
- US Dept. of Homeland Security
- US Dept. of State
- US Bureau of Prisons
- US Social Security Administration
- US Bureau of Alcohol, Tobacco, and Firearms
- US Postal Service
- US Dept. of Housing and Urban Development
- US Internal Revenue Service
- US Federal Aviation Administration
- US House of Representatives
- US National Aeronautics and Space Administration (NASA)
- US Dept. of Transportation
Several UK government organizations were also found:
- UK Foreign and Commonwealth Office
- UK Ministry of Defense
- UK Public Health Office
- Multiple UK County Councils
Other organizations found include universities in the UK and Canada and several provincial agencies and governments in Canada.
The investigation was prompted when the researchers detected and prevented a TrickBooster infection attempt that used a signed malware binary in a customer environment in the US two weeks ago.
“Seeing a signed malware binary delivered to a customer environment prompted us to investigate further. We analyzed the malware sample and found swaths of PowerShell code in its memory. Analysis of this PowerShell code immediately led us to the conclusion that we are dealing with a mail-bot,” they wrote.
TrickBot plus TrickBooster is a potent campaign
The researchers highlight the sophistication of this new operation, saying that the addition of TrickBooster makes TrickBot more potent and more effective at delivering malware to targeted victims. This is due not only to the greatly increased spreading and information-harvesting ability, but also to the clean-up that conceals the ‘implant’ left behind.
“This case and this significant finding highlight the success and sophistication of TrickBot, an already very accomplished piece of malware. For a threat actor in the cybercrime sphere, collaborating with a spam malware can bring many possible advantages. Chief among them is the increased ability to distribute your own malware, as spam-bots of all sorts, have been and will likely continue to be, a backbone of malware distribution in general,” the report said.
“This clean-up is thorough and involves deleting the original infecting executable file, which is a very common practice employed by many malware families. The result is that it is missed by nearly all scanning security vendors, an impressive stealth factor that is much desired among malware operators.”