TrickBot infected machines related to customers of high-profile companies

TrickBot has affected at least 140,000 machines linked to customers of Amazon, PayPal, Bank of America and some 60 other finance and tech giants

TrickBot is back and is targeting the customers of high-profile companies. The malware, originally a banking trojan, can now evade detection while stealing credentials and other sensitive data. Its latest campaigns aim at the customers of various top companies, mainly cryptocurrency firms and technology companies in the U.S., with the goal of harvesting sensitive information, including login credentials.[1] The malware is a sophisticated piece of code that has been improved with anti-analysis features.[2] It is highly modular: more than 20 modules can be downloaded and executed on demand.[3]

Trickbot’s numbers have been staggering. We’ve documented over 140,000 machines targeting the customers of some of the biggest and most reputable companies in the world.

Back in 2020, a takedown reportedly disabled about 90% of TrickBot's operations, but its creators bounced back and still hit users with sophisticated attacks. It was recently revealed that TrickBot now goes after the customers of major institutions with phishing and web injections.

The botnet has been upgraded, and the tactics added to its arsenal help the threat actors evade detection, run web-inject modules and steal banking credentials and other data. The injected code also carries anti-deobfuscation measures: when someone tries to deobfuscate the script in order to scrutinize its source code, the page is deliberately crashed.

20 different modules Trickbot can use

The threat started out as a banking trojan and was improved over time into a wide-ranging credential stealer and initial-access tool. It is used to establish the initial infection so that second-stage malware, such as ransomware, can be deployed afterwards.[4]

These campaigns mainly rely on three modules out of TrickBot's arsenal: one that hampers reverse engineering and analysis, one that injects into browsing sessions and other processes to compromise them, and the tabDLL module. The tabDLL module steals users' credentials and lets TrickBot propagate on its own by delivering the malware over SMBv1 network shares with the EternalRomance exploit.[5]
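The anti-deobfuscation behaviour described above, as an added illustration that is not code from the original article and not TrickBot's actual inject: a constructed web-inject stub reads its own source through Function.prototype.toString and refuses to run, deliberately breaking the (simulated) page, once an analyst has beautified the script into multiple lines. The payload functions, the page object and every function name here are assumptions made for the demonstration.

```javascript
'use strict';

// Returns true while the function's source still looks minified, i.e. it
// sits on a single line. Beautifying the script for analysis inserts
// newlines, which flips the result to false. (Constructed illustration.)
function looksUntouched(fn) {
  const src = Function.prototype.toString.call(fn);
  return !/[\n\r]/.test(src);
}

// Simulated inject entry point. A real web-inject runs inside the victim's
// browser session; here "page" is a plain object we can inspect afterwards.
function runInject(fn, page) {
  if (!looksUntouched(fn)) {
    // Break the page instead of failing cleanly: an analyst who beautified
    // the script sees a crash rather than the credential-stealing logic.
    page.crashed = true;
    throw new TypeError('page crashed');
  }
  page.result = fn();
  return page.result;
}

// Constructed stand-ins for the same payload, minified and beautified.
const minifiedPayload = function(){var f={user:'u',pass:'p'};return JSON.stringify(f)};
const beautifiedPayload = function () {
  var f = { user: 'u', pass: 'p' };
  return JSON.stringify(f);
};

// Runs both variants and reports what happened to each simulated page.
function demo() {
  const out = {};
  const okPage = {};
  out.minified = runInject(minifiedPayload, okPage);      // payload runs
  const brokenPage = {};
  try {
    runInject(beautifiedPayload, brokenPage);
  } catch (e) {
    out.beautified = e.message;                           // 'page crashed'
  }
  out.crashed = brokenPage.crashed === true;
  return out;
}

console.log(demo());
```

The takeaway for analysts is not to beautify such a script in place: run the untouched code under a debugger, or neutralize the check (for example by stubbing Function.prototype.toString) before reformatting it.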

The botnet also steals a wide range of information. It siphons passwords from web browsers and from applications such as Outlook, OpenVPN and TeamViewer. The threat is focused on stealing sensitive data, and its operators are highly experienced in both development and distribution.

High-profile targets in info-stealing campaigns

According to recent reports, TrickBot aims at the customers of companies specifically picked for the attacks. Those institutions include Amazon, American Express, JPMorgan Chase, Microsoft, Navy Federal Credit Union, RBC, PayPal, Yahoo and many others. Credentials obtained this way are valuable in later campaigns, and the follow-on attacks that use them cause great damage.

The threat redirects people to malicious pages that look identical to the legitimate services of the companies mentioned above, so victims enter their login details without hesitation. Even though it is continuously monitored, TrickBot remains one of the most dangerous botnets and is still a sophisticated threat. Even if its developers were to stop operations permanently, the code would most likely be reused in the future.

The takedown was widely covered, and the infrastructure was taken down in October 2020, but this campaign shows that operations are fully renewed. The threat usually spreads via email and by exploiting known vulnerabilities. The malware does not compromise the major companies themselves; their popularity simply means a large pool of affected users and substantial financial losses.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
