
DOJ Charges Latvian National for Helping Develop the Trickbot Malware

 

The US Department of Justice has charged a Latvian woman for her alleged role in developing the Trickbot malware, which was responsible for infecting millions of computers, targeting schools, hospitals, public utilities, and governments. 

After being arrested on February 6 in Miami, Florida, Alla Witte (aka Max) was charged with 19 counts of a 47-count indictment. 

According to the DOJ press release, Witte created the code that Trickbot used to control, launch and manage ransomware payments. She is also said to have given the Trickbot group the code needed to track and monitor approved users of the malware, as well as the tools and protocols needed to store login credentials obtained from victims' networks.

The FBI's Cleveland Office and the Department of Justice's Ransomware and Digital Extortion Task Force investigated the case, which was formed to combat the rising number of ransomware and digital extortion attacks. 

FBI Special Agent Eric B. Smith said in a statement: "Witte and her associates are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information to ultimately siphon off millions of dollars through compromised computer systems."

Trickbot is a malware variant that was first discovered in October 2016 as a modular banking trojan and has subsequently been updated with new modules and capabilities. 

Microsoft and many partners reported on October 12 that they had taken down certain Trickbot C2s. Before the presidential election, the US Cyber Command apparently tried to destroy the botnet by sending infected devices a configuration file that cut them off from the botnet's C2 servers. Despite these concerted attacks on TrickBot's infrastructure, the TrickBot gang's botnet remains alive, and new malware builds are continually being released. 

The TrickBot gang is renowned for spreading the ransomware Ryuk and Conti onto the networks of valuable business targets. According to Deputy Attorney General Lisa O. Monaco, Trickbot penetrated millions of victim computers throughout the world, harvesting banking information and delivering ransomware. 

"The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad," Acting US Attorney Bridget M. Brennan of the Northern District of Ohio added.

BazaLoader Malware is Being Distributed by Hackers Using a Bogus Streaming Website

 

Proofpoint identified the phishing attempt in early May, which entailed hackers creating a phoney movie-streaming website named BravoMovies and stocking it with phoney movie posters and other materials to make it appear real to unwary visitors. It has nothing to offer for download other than BazaLoader malware, despite its pretty pictures and fun-sounding titles. BazaLoader is a malware loader that is used to spread ransomware and other types of malware, as well as steal sensitive data from infected computers. 

"BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot," the security firm said. 

The BravoMovies campaign employs a complex infection chain similar to that employed by BazaLoader affiliates, who entice their victims to jump through a series of hurdles in order to activate malware payloads. It starts with an email informing recipients that their credit cards would be debited until they cancel their subscription to the service, which they never agreed to. 

The email includes a phone number for a call center staffed by live operators, who are ready to direct callers to a website where they can purportedly cancel the bogus movie-streaming subscription. Those who fall for the trick are instead directed to download a booby-trapped Excel spreadsheet whose macros download BazaLoader.

The call-center staff direct callers to the BravoMovies website, where they are told to go to the Frequently Asked Questions page and unsubscribe via the "Subscription" page. They are then directed to download an Excel spreadsheet. If macros are enabled, the spreadsheet's macros download BazaLoader. According to Proofpoint researchers, the second-stage payload in this campaign has yet to be identified.

Proofpoint researchers first noticed this use of BazaLoader in February 2021, when a pre-Valentine's Day malware campaign used lures for bogus flower and lingerie stores. It has also been spotted in a campaign themed around subscription pharmaceutical services.

Everything You Need to Know About Ongoing TrickBot Attacks, US Agencies Warn

 

The Cybersecurity and Infrastructure Security Agency (CISA), together with the Federal Bureau of Investigation (FBI), published an advisory on Wednesday warning organizations of ongoing TrickBot attacks, despite multiple security firms dismantling its C2 infrastructure in a joint operation in October.

In the joint advisory, the two agencies disclosed that a sophisticated group of cybercrime actors is using a traffic-violation phishing scheme to lure victims into installing the TrickBot malware.

TrickBot was first observed in 2016 and is believed to have been developed by the threat actors behind the Dyre Trojan. It has since become one of the most prevalent malware families, enrolling infected machines in a botnet offered under a malware-as-a-service model to both nation-states and cybercrime groups.

“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spear phishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot,” the joint advisory reads.

In October 2020, Microsoft revealed that it had disrupted most of the infrastructure behind TrickBot. However, the malware survived the takedown attempt and came back stronger, with several new updates designed to protect it against similar attempts. The recent attacks confirm that TrickBot's operators were able to restore their malicious operations.

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download Trickbot to the victim’s system,” the advisory further stated. 

Trickbot- A Banking Trojan Returns With Latest Phishing Campaigns and Attacks

 

Trickbot, a banking malware, has resurged with new phishing campaigns and attacks after a coalition of cybersecurity and technology companies disrupted it in October last year. Having started life as a banking trojan, Trickbot has evolved into a form of malware highly favoured by threat actors.

Trickbot presents victims with banking web pages that look almost identical to the genuine ones. It is a descendant of the older Dyre/Dyreza malware and is also spread via malicious spam carrying HTML attachments. These HTML files download a Word document posing as a login form; in reality it is embedded with a malicious macro that, once allowed to run, retrieves Trickbot from the threat actors' command and control (C&C) server.

Microsoft targeted the infamous Trickbot malware last year because of its ability to deploy ransomware that could threaten websites displaying election information or third-party software vendors supplying resources to election officials. Trickbot can steal information, keys and credentials, and provides backdoor access for delivering other malware, including ransomware.

Threat actors are specifically targeting legal and insurance companies in North America, sending phishing emails that trick potential targets into clicking a link that sends them to a server that downloads a malicious payload.

Vinay Pidathala, director of security research at Menlo Security stated that “where there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot operations. While Microsoft and its partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment”.

The UK's National Cyber Security Centre (NCSC) issued an advisory that companies should patch security vulnerabilities and run the latest versions of their operating systems and software.

US Security Departments Issue Potential Trickbot and Malware Attack Warning to Health Department

 

United States healthcare providers have been alerted by the Department of Homeland Security to be wary of Trickbot and ransomware attacks.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the US Department of Health and Human Services issued a warning of an "imminent cybercrime threat to US hospitals and healthcare providers" from Trickbot infections and ransomware.

Already burdened by the coronavirus pandemic, the US health sector now faces another cybersecurity threat from Trickbot, one of the largest botnets worldwide, and Ryuk ransomware, a lethal and savage piece of malware in its own right. Microsoft also took legal action against Trickbot earlier this month.

Earlier, Trickbot was a banking trojan that attacked users via webfakes (redirecting the user to a fake web page built by the attackers instead of the original banking page, so as to capture the user's login and other credentials) and via web injections (injecting malicious content into the legitimate website the user is visiting). Now, with a million infections, Trickbot has evolved into a full-fledged malware platform.

 "As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling," CISA said in the alert. 

Anchor_DNS tunnels the malware's traffic through DNS, letting it bypass network defences and evade detection.
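DNS tunneling of the kind CISA describes leaves a recognisable trace in resolver logs: many distinct, long, high-entropy subdomains queried under a single registered domain, often as TXT records. The following detector is an added example written for this post, not CISA's tooling or anything from the TrickBot write-up; it parses a constructed, fictitious DNS query log (the line format and the `attacker-test.invalid` domain are assumptions) and scores each registered domain on label length, subdomain entropy and uniqueness, which is the general heuristic of which Anchor_DNS traffic is one instance.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log, not captured traffic. Assumed line format:
# "<timestamp> <client-ip> query <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2020-10-28T10:00:01Z 10.0.0.12 query www.example.com A
2020-10-28T10:00:02Z 10.0.0.12 query mail.example.com MX
2020-10-28T10:00:03Z 10.0.0.23 query 3a7f9c1e5b2d8a4c6e0f1b3d.cmd.attacker-test.invalid TXT
2020-10-28T10:00:03Z 10.0.0.23 query 9e2b4d6f8a0c1e3f5b7d9a1c.cmd.attacker-test.invalid TXT
2020-10-28T10:00:04Z 10.0.0.23 query 1c3e5a7b9d0f2e4c6a8b0d2f.cmd.attacker-test.invalid TXT
2020-10-28T10:00:04Z 10.0.0.23 query 7b9d1f3a5c7e9b0d2f4a6c8e.cmd.attacker-test.invalid TXT
2020-10-28T10:00:05Z 10.0.0.23 query 5d7f9b1d3f5a7c9e1b3d5f7a.cmd.attacker-test.invalid TXT
2020-10-28T10:00:06Z 10.0.0.12 query cdn.example.com A
"""

LINE_RE = re.compile(
    r"^\S+\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def shannon_entropy(text):
    """Bits of entropy per character; hex- or base32-encoded data scores high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the log into records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def score_domains(records, min_queries=3, min_label_len=20,
                  min_entropy=3.0, min_unique_ratio=0.8):
    """Return {domain: stats} for domains whose query pattern looks like tunneling:
    many distinct, long, high-entropy subdomains under one registered domain."""
    per_domain = defaultdict(list)
    for r in records:
        per_domain[registered_domain(r["qname"])].append(r)

    findings = {}
    for domain, recs in per_domain.items():
        if len(recs) < min_queries:
            continue
        # Strip the registered domain (and its leading dot) to get the subdomain part.
        subs = [r["qname"].rstrip(".")[: -len(domain) - 1] for r in recs]
        first_labels = [s.split(".")[0] for s in subs if s]
        if not first_labels:
            continue
        longest = max(len(lbl) for lbl in first_labels)
        mean_entropy = sum(shannon_entropy(l) for l in first_labels) / len(first_labels)
        unique_ratio = len(set(subs)) / len(recs)
        txt_ratio = sum(1 for r in recs if r["qtype"] == "TXT") / len(recs)
        if (longest >= min_label_len and mean_entropy >= min_entropy
                and unique_ratio >= min_unique_ratio):
            findings[domain] = {
                "queries": len(recs),
                "clients": sorted({r["client"] for r in recs}),
                "longest_label": longest,
                "mean_entropy": round(mean_entropy, 2),
                "txt_ratio": round(txt_ratio, 2),
            }
    return findings


if __name__ == "__main__":
    for domain, stats in score_domains(parse_log(SAMPLE_DNS_LOG)).items():
        print(f"possible DNS tunneling via {domain}: {stats}")
```

The thresholds are deliberately conservative so that ordinary CDN and mail lookups, whose labels are short and low-entropy, never trip the rule; in production the registered-domain step should use a public-suffix list, and known telemetry domains that legitimately use long encoded labels need an allow-list.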

Other countries, including the UK and Australia, also warn of potential attacks by Ryuk or Trickbot. The Australian Cyber Security Centre (ACSC) warned Australian companies about Emotet malware, which is used in conjunction with Trickbot. "Upon infection of a machine, Emotet is known to spread within a network by brute-forcing user credentials and writing to shared drives. Emotet often downloads secondary malware onto infected machines to achieve this, most frequently Trickbot," the ACSC wrote in a warning.

TrickBot accidentally issues infection warning to Victims


Advanced Intel's Vitali Kremez traced a mistake by the TrickBot malware, which mistakenly left warning messages on victims' machines telling them that they had been attacked.


TrickBot is a notorious malware usually distributed via spam emails; after infecting a system it downloads various files and modules to steal the domain's Active Directory Services database, harvest browser passwords and cookies, and steal OpenSSH keys. It is also known to frequently hand access to the infected network to ransomware operators such as Ryuk and Conti.

TrickBot's mistake occurred during testing of its password-stealing "grabber.dll" module, which steals passwords, browser credentials and cookies from browsers including Google Chrome, Internet Explorer and Microsoft Edge. During testing of this module, a warning message was displayed on the attacked system, revealing that information had been gathered from the browser and defeating the purpose of the module.

Warning
"You see this message because the program named grabber gathered some information from your browser. If you do not know what is happening it is the time to start worrying. Please, ask your system administrator for details."


Kremez believes these modules come from TrickBot because they are coded in the group's style, and that the operators were testing the new module and forgot to remove the warning before release.

This isn't TrickBot's first stunt; the malware has made headlines several times in 2020 alone. In mid-June, TrickBot ran a fake Black Lives Matter email campaign that installed the malware. In another case, Conti and Ryuk ransomware were found being deployed through TrickBot infrastructure.

Kremez advises victims who received this warning message to disconnect their machine from the network immediately and then perform a virus scan. Once the malware is eliminated, they should change all the login credentials that were saved in the browser.

BazarBackdoor: A Malware similar to Trickbot, targets Corporates


According to cybersecurity experts, a new phishing campaign is delivering a backdoor malware. The malware, said to be created by the Trickbot hacking group, enables attackers to compromise and take control of an organization's network. A backdoor of this kind gives attackers the persistent access they need to control a company's network in sophisticated attacks, and is a prerequisite for corporate espionage, data exfiltration attacks and targeted ransomware attacks.


According to several reports, the attack was first discovered two weeks ago. Cybersecurity experts call the malware "BazarBackdoor", or simply "backdoor". It serves as a toolkit for attackers to gain access to an enterprise's network. Trickbot is believed to be its creator because BazarBackdoor shares similar code, cryptography and design.

About BazarBackdoor 

The attacks start with phishing campaigns that lure victims with clickbait such as 'coronavirus relief funds', 'customer complaints', 'COVID reports' or simply a list of downsizing reports, linked directly to Google Docs. Unlike other phishing campaigns, the attackers use creative techniques to lead users to different landing pages, such as a fake customer complaints page or a fake COVID relief fund page. The landing pages pretend to be a PDF, Word or Excel document that cannot be displayed properly, so a link is offered to view the document correctly. When the user clicks the link, a file named 'Preview' and posing as a Word or PDF document is downloaded. Because Windows hides file extensions by default, the user believes these files are genuine documents, and opening them installs the backdoor.
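The lure above works because Explorer, with its default "hide extensions for known file types" setting, shows `Preview.pdf.exe` as `Preview.pdf`. The check below is an added example for this post (not code from the BazarBackdoor reports or any vendor product) that a mail gateway or endpoint script could apply to attachments: it flags a document-looking extension followed by an executable one, and separately compares the file's leading bytes with what the extension claims. The sample attachments are constructed and their names and contents are assumptions.

```python
import os

# Extensions a user would read as "a document", and ones Windows will execute.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".js", ".jse", ".vbs", ".bat", ".cmd"}

# File-type detection from the first bytes (magic numbers).
MAGIC = (
    (b"MZ", "executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "ooxml-or-zip"),
    (b"\xD0\xCF\x11\xE0", "ole2"),
)


def sniff_type(head):
    """Classify a file by its leading bytes; 'unknown' if no magic matches."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is stripped, so 'Preview.pdf.exe' shows as 'Preview.pdf'."""
    stem, _ext = os.path.splitext(filename)
    return stem


def check_attachment(filename, head):
    """Return the list of reasons the file looks like a document-disguised payload."""
    reasons = []
    stem, final_ext = os.path.splitext(filename.lower())
    _inner_stem, inner_ext = os.path.splitext(stem)
    # Double extension: the visible part looks like a document, the real one executes.
    if final_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        reasons.append(f"double extension: shown as '{displayed_name(filename)}', "
                       f"actually {final_ext}")
    kind = sniff_type(head)
    # Content/extension mismatch: a PE file renamed to look like a document.
    if kind == "executable" and final_ext in DOCUMENT_EXTS:
        reasons.append(f"content is an executable but extension claims {final_ext}")
    if kind == "executable" and final_ext in EXECUTABLE_EXTS and not reasons:
        reasons.append("executable attachment")
    return reasons


# Constructed sample attachments (name, first bytes); none of these are real files.
SAMPLES = [
    ("Preview.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("Preview.pdf", b"%PDF-1.7\n"),
    ("complaint.doc", b"MZ\x90\x00"),
    ("report.docx", b"PK\x03\x04\x14\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, "->", check_attachment(name, head) or ["ok"])
```

The magic-byte comparison is the more robust of the two checks, since it catches renamed executables regardless of how many extensions the name carries; the double-extension rule is cheap and catches the exact pattern described in this campaign even before the file body is inspected.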

Attack linked to Trickbot 

According to cybersecurity experts, the malware explicitly targets companies and corporate enterprises. It is likely developed by the same hacking group responsible for the Trickbot malware: Trickbot and BazarBackdoor share similar cryptography, and both use the same email patterns to launch their attacks. As a precaution, companies are advised to stay alert and ask their employees not to open any unknown link sent via email.

Windows 10 Users Beware! TrickBots' Prevalence And Conveyance Escalates in Devices



Reports mention that recently attackers were found exploiting the latest version of the “Remote Desktop ActiveX” which was developed for Windows 10.

Sources say that, similar to what many other attackers are doing, the exploitation could cause automatic execution of the "OSTAP" JavaScript downloader on the target's systems.

Per researchers' analyses, the ActiveX control is used to automatically execute a malicious macro as soon as the target enables content in a document. The majority of the documents contained images encouraging people to enable the content.

Per reports, the catch was that an ActiveX control was hidden beneath the image; the OSTAP downloader was disguised as white text, making it invisible to the eye but readable by machines.

Trickbot attackers exploit people's tendency not to install the latest software updates that would protect their systems.

Trickbot is among the most advanced malware families. Its numbers are increasing, and so is the threat to Windows 10 systems. Recently, researchers unearthed more documents that execute the OSTAP JavaScript downloader.

It was also found that the TrickBot operators were not the only group exploiting the ActiveX control; other groups were misusing it as well.

According to sources, the malicious documents followed the naming pattern "i<7-9 arbitrary digits>.doc". Almost every document contained an image designed to convince the recipient to enable content. What the opener would not know is that a hidden ActiveX control sits beneath the image, with the OSTAP JavaScript downloader disguised as white text that only the machine can read.

Per sources, analysis of the ActiveX code revealed the use of the "MsRdpClient10NotSafeForScripting" class. The script is crafted so that the server field is left empty, causing an error that the attackers rely on in the next step.

According to researchers, the event handler that kicks off the macro is "_OnDisconnected". It executes the main function, but not instantly, since it takes time for the DNS lookup of an empty string to resolve and return an error.

OSTAP's execution depends on the error number matching "disconnectReasonDNSLookupFailed" exactly; the wscript directive that launches OSTAP is tied to this error-number check.

The wscript execution works on the document's own content. This trick is an old one: Microsoft's batch (BAT) interpreter ignores comments, along with everything else in the content that does not fit its syntax, while execution is happening.

Once the JavaScript has been edited to the attackers' needs, the obfuscation scheme is repeated. Updating systems does not always prevent this, but it is a prerequisite anyway.
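The write-up above gives a defender several concrete hunting hooks: the `i<7-9 digits>.doc` filename pattern, the `MsRdpClient10NotSafeForScripting` class name, the `_OnDisconnected` handler and the `disconnectReasonDNSLookupFailed` error reason. The triage script below is an added example written for this post (not the researchers' tooling or anything from the Trickbot operators) that checks an attachment's name against the pattern, verifies that a `.doc` file really is an OLE2 container, and searches the file body for those strings in both ASCII and the UTF-16LE encoding that Office binary streams commonly use. The two sample files are constructed byte strings, not real documents.

```python
import re

# Strings reported in the write-up above (class name, handler and error reason),
# used here only as hunting indicators.
ACTIVEX_CLASS = "MsRdpClient10NotSafeForScripting"
INDICATORS = [ACTIVEX_CLASS, "disconnectReasonDNSLookupFailed", "_OnDisconnected"]

# Filename pattern described in the write-up: "i<7-9 arbitrary digits>.doc"
NAME_RE = re.compile(r"^i\d{7,9}\.doc$", re.IGNORECASE)

# Magic bytes of an OLE2 compound file (the legacy .doc container).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def find_indicators(data):
    """Return indicator strings present in data, checking both the ASCII and the
    UTF-16LE encodings; each indicator is reported once with the encoding seen."""
    hits = []
    for ind in INDICATORS:
        for label, enc in (("ascii", ind.encode("ascii")),
                           ("utf-16le", ind.encode("utf-16-le"))):
            if enc in data:
                hits.append(f"{ind} [{label}]")
                break
    return hits


def triage_document(filename, data):
    """Score one attachment. Returns a dict with the reasons it was flagged."""
    reasons = []
    if NAME_RE.match(filename):
        reasons.append("filename matches i<digits>.doc pattern")
    is_ole = data.startswith(OLE_MAGIC)
    if filename.lower().endswith(".doc") and not is_ole:
        reasons.append(".doc extension but not an OLE2 container")
    reasons.extend(f"embedded string: {hit}" for hit in find_indicators(data))
    # The name pattern alone is weak evidence; any embedded indicator is strong.
    strong = any(r.startswith("embedded string") for r in reasons)
    return {"filename": filename,
            "suspicious": strong or len(reasons) >= 2,
            "reasons": reasons}


# Constructed sample file contents (not real malware): a benign OLE file and one
# carrying the ActiveX class name in UTF-16LE plus the error reason in ASCII.
BENIGN_DOC = OLE_MAGIC + b"\x00" * 24 + "Quarterly report".encode("utf-16-le")
SUSPICIOUS_DOC = (OLE_MAGIC + b"\x00" * 24
                  + ACTIVEX_CLASS.encode("utf-16-le") + b"\x00" * 8
                  + b"disconnectReasonDNSLookupFailed")


if __name__ == "__main__":
    for name, blob in (("report.doc", BENIGN_DOC), ("i12345678.doc", SUSPICIOUS_DOC)):
        print(triage_document(name, blob))
```

A plain string search will miss these indicators if the document is compressed or the strings are built at runtime, so this is a first-pass filter for mail quarantine rather than a substitute for detonating the file; it does, however, catch the exact artefacts the researchers describe, and the OLE-magic check also surfaces files that carry a `.doc` name but are something else entirely.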

A defence mechanism is paramount against OSTAP and its like. As technology advances with every passing minute, so do the number of attack techniques and attackers. Hence, keep systems updated and a tight security structure in place.