Security News

Subway UK has disclosed that a hacked system used for marketing campaigns is responsible for the malware-laden phishing emails sent to customers yesterday. Starting yesterday, Subway UK customers received strange emails from 'Subcard' about a Subway order that was placed.

Subway patrons in the UK received suspicious emails this morning and infosec researchers fear this is linked to the theft of customer details - and a Trickbot malware campaign. "I've just had an email purporting to be from Subway and sent to an address used only for Subway," Reg reader Alan told us.

A massive phishing campaign pretending to be a Subway order confirmation is underway distributing the notorious TrickBot malware. TrickBot is a trojan malware infection commonly distributed through phishing campaigns or installed by other malware.

According to collaborative research from Advanced Intelligence and Eclypsium, the additional TrickBot functionality, which they call "TrickBoot," checks devices for known vulnerabilities that can allow attackers to read, write or erase the UEFI/BIOS firmware of a device. In October, a rare firmware bootkit was spotted being used to target diplomats and members of non-governmental organizations from Africa, Asia and Europe.

TrickBot has been updated with functionality that allows it to scan the UEFI/BIOS firmware of the targeted system for vulnerabilities, security researchers have discovered. As Eclypsium points out, firmware-level malware has a strategic importance: attackers can make sure their code runs first and is difficult to detect, and can remain hidden for very long periods of time, until the system's firmware or hard drive are replaced.

TrickBot malware developers have created a new module that probes for UEFI vulnerabilities, demonstrating the actor's effort to take attacks at a level that would give them ultimate control over infected machines. TrickBoot acts as a reconnaissance tool at this stage, checking for vulnerabilities in the UEFI firmware of the infected machine.

TrickBot, one of the most notorious and adaptable malware botnets in the world, is expanding its toolset to set its sights on firmware vulnerabilities to potentially deploy bootkits and take complete control of an infected system. The new functionality, dubbed "TrickBoot" by Advanced Intelligence and Eclypsium, makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to inject malicious code in the UEFI/BIOS firmware of a device, granting the attackers an effective mechanism of persistent malware storage.

Following a takedown attempt in October, the TrickBot malware has received various improvements that are designed to make it more resilient. On October 12, Microsoft announced that, together with several partners, it managed to legally disable existing TrickBot infrastructure and prevent operators from registering additional command and control domains.

One such capability is its use of an obfuscated batch script launcher to jumpstart malicious executables. TrickBot deploys ransomware via obfuscated BAT scripts.

The TrickBot cybercrime gang has released the hundredth version of the TrickBot malware with additional features to evade detection. TrickBot is a malware infection commonly installed via malicious phishing emails or other malware.