
TrickBot Malware Targeted Customers of 60 High-Profile Companies Since 2020
2022-02-17 19:20

The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features.

"TrickBot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand," Check Point researchers Aliaksandr Trafimchuk and Raman Ladutska said in a report published today.

Another of TrickBot's key strengths is its ability to propagate itself: it uses the "TabDLL" module to steal users' credentials and to spread the malware over SMBv1 network shares using the EternalRomance exploit.

A third crucial module deployed as part of TrickBot infections is "Pwgrabc," a credential stealer designed to siphon passwords from web browsers and a number of other applications such as Outlook, FileZilla, WinSCP, RDP, PuTTY, OpenSSH, OpenVPN, and TeamViewer.

"TrickBot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause greater damage," the researchers said, adding, "The operators behind the infrastructure are very experienced with malware development on a high level as well."

The findings also come as the TrickBot gang was revealed to be using metaprogramming methods in its Bazar family of malware to conceal its code and protect against reverse engineering, with the ultimate goal of evading signature-based detection.


News URL

https://thehackernews.com/2022/02/trickbot-malware-targeted-customers-of.html