Security News
"The new campaign sports longtime Emotet tactics: emails carrying links or documents w/ highly obfuscated malicious macros that run a PowerShell script to download the payload from 5 download links," according to Microsoft Security Intelligence researchers on Twitter. The spam emails contain either a URL or an attachment, and purport to be sending a document in reply to existing email threads - a known trick of Emotet.
TrickBot, the infamous info-stealing trojan, has been trying out a test module that accidentally pops up fraud alerts to victims. A sandboxed sample of the trojan, obtained by MalwareHunterTeam and analyzed by Advanced Intelligence's Vitali Kremez, turns out to contain a new module, called "Module 0.6.8," that carries the file name "Grabber.dll." It works to log browser activity and steal passwords used in Google Chrome, Internet Explorer, Mozilla Firefox and Microsoft Edge, and it sniffs out browser cookies - just like other grabber modules used by TrickBot.
Cyberattackers are seizing upon the 24-hour news cycle again in order to capitalize on the current zeitgeist - this time with a fake Black Lives Matter malspam campaign that distributes the TrickBot malware. The messages use a grammatically challenged subject line, "Vote anonymous about Black Lives Matter," or "Leave a review confidentially about Black Lives Matter," and purport to contain a survey document.
A new module for the infamous trojan known as TrickBot has been deployed: A stealthy backdoor that researchers call "BazarBackdoor." Panda Security describes BazarBackdoor as "Enterprise-grade malware," and they linked it back to TrickBot because both pieces of malware share parts of the same code, along with delivery and operation methods.
Trickbot infections of Domain Controller servers has become more difficult to detect due to a new propagation module that makes the malware run from memory, Palo Alto Networks researchers have found. Trickbot is also often dropped by Emotet as a secondary payload or is delivered via booby-trapped email attachments, but its lateral propagation mechanism is a big reason why it's become the bane of many a company's existence.
Threat actors are using people's interest in the Department of Labor's Family and Medical Leave Act to spread what appears to be the TrickBot trojan in a new spam campaign that security researchers discovered recently. "Users infected with the TrickBot Trojan will see their device become part of a botnet that can allow attackers to gain complete control of the device," Via, along with IBM X-Force co-authors David Bryant and Limor Kessem, wrote in the post.
Researchers say, two cybercriminal groups, FIN6 and the operators of the TrickBot malware, have paired up together to target several organizations with TrickBot's malware framework called "Anchor." "That said, this development places more enterprises at risk of an attack from ITG08, particularly those processing credit card data, by enabling the group to access networks infected by the TrickBot Trojan. The attacks are likely initiated through malicious spam campaigns, which is how TrickBot is typically delivered. Once an enterprise is infected with the TrickBot Trojan, we expect that access, along with use of the Anchor and PowerTrick malware, are then sold to ITG08, which will then take over the intrusion into the victim network."
The TrickBot trojan has a new trick up its sleeve for bypassing a new kind of two-factor authentication security method used by banks - by fooling its victims into downloading a malicious Android app. Researchers first discovered the mobile app after a September 2019 tweet by CERT-Bund flagging TrickBot using man-in-the-browser techniques.
The malware authors behind TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions. The name TrickMo is a direct reference to a similar kind of Android banking malware called ZitMo that was developed by Zeus cybercriminal gang in 2011 to defeat SMS-based two-factor authentication.
In Red Canary's 2020 Threat Detection Report, the company analyzed six million investigative leads from January 2019 to December 2019, honing in on the most prevalent cyberattack techniques faced by organizations worldwide. Malware strains like TrickBot and Emotet were widespread according to threat detection and response specialists at Red Canary.