Check Point Research (CPR) has uncovered new details of how Trickbot is implemented.
Trickbot is a well-known banking Trojan that steals and compromises its victims' data, and it goes after high-profile victims.
CPR has counted over 140 000 machines infected by Trickbot since November 2020, many of them belonging to customers of well-known corporations such as Amazon, Microsoft, Google and PayPal.
In total, CPR documented 60 corporations whose customers have fallen victim to Trickbot over the past 14 months.
Key implementation details of Trickbot include:
* The malware is very selective in how it chooses its targets.
* The various tricks implemented inside the modules, including anti-analysis and anti-deobfuscation measures, show the authors' strong technical background.
* Trickbot's infrastructure can be used by other malware families to cause further damage on infected machines.
* Trickbot is sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand.
How Trickbot works:
* The threat actors obtain a database of stolen email addresses and send malicious documents to the chosen addresses.
* The user downloads and opens such a document, enabling macro execution in the process.
* The first stage of the malware runs and downloads the main Trickbot payload.
* The main Trickbot payload executes and establishes persistence on the infected machine.
* Auxiliary Trickbot modules can be pushed to the infected machine on demand by the threat actors. Their functionality varies: spreading through the compromised corporate network, stealing corporate credentials, grabbing login details for banking sites, and so on.
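The chain above starts with a user enabling macros in an attachment, so the cheapest place to break it is to inspect inbound Office files for an embedded VBA project before they reach a mailbox. The following script is an added example written for this page, not Check Point's or Trickbot's code: it classifies a document by its bytes (a renamed .docm is still caught), flags an OOXML package whose content types or parts carry a VBA project, and marks legacy OLE2 binaries as needing deeper parsing rather than silently passing them. The sample documents it builds are constructed in memory and contain no real VBA or lure content.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Magic bytes of the legacy OLE2 compound file format (.doc/.xls/.ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that OOXML packages declare for an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def inspect_document(data: bytes) -> dict:
    """Classify an Office document by content, not by file extension.

    Returns a dict with keys:
      kind     - 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'unknown'
      macro    - True when a VBA project was found
      evidence - list of strings explaining the verdict
    """
    result = {"kind": "unknown", "macro": False, "evidence": []}

    # Legacy binary format: macros live in OLE streams, which this example does
    # not parse, so refuse to call the file clean instead of guessing.
    if data.startswith(OLE_MAGIC):
        result["kind"] = "ole-legacy"
        result["evidence"].append("legacy OLE2 container; needs stream-level parsing")
        return result

    # Everything else we understand is a zip package (OOXML).
    if not data.startswith(b"PK"):
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result

    result["kind"] = "ooxml-clean"
    names = zf.namelist()

    # Evidence 1: the VBA project part itself, wherever it sits in the package.
    for name in names:
        if name.lower().endswith("vbaproject.bin"):
            result["macro"] = True
            result["evidence"].append(f"part {name}")

    # Evidence 2: the package declares the VBA content type. Attributes in
    # [Content_Types].xml are unprefixed, so .get() works without a namespace.
    if "[Content_Types].xml" in names:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for el in root.iter():
            if el.get("ContentType") == VBA_CONTENT_TYPE:
                target = el.get("PartName") or el.get("Extension")
                result["macro"] = True
                result["evidence"].append(f"content type for {target}")

    if result["macro"]:
        result["kind"] = "ooxml-macro"
    return result


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for testing; not a real lure document."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    if with_macro:
        overrides.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        )
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [
        ("macro doc", build_sample_document(True)),
        ("clean doc", build_sample_document(False)),
        ("legacy doc", OLE_MAGIC + b"\x00" * 504),
        ("not office", b"hello"),
    ]:
        print(label, inspect_document(blob))
```

In a mail gateway or triage pipeline this check belongs on the raw attachment bytes; a verdict of `ole-legacy` should route the file to a parser that walks the OLE streams (or to quarantine), since the script deliberately does not declare such files clean.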
Scope of Impact
Below is a heat map showing the percentage of organizations affected by Trickbot in each country, according to our telemetry.
Alexander Chailytko, cyber security, research and innovation manager at Check Point Software Technologies, says: “Trickbot’s numbers have been staggering. We’ve documented over 140 000 machines targeting the customers of some of the biggest and most reputable companies in the world.
“We went on to observe that the Trickbot authors have the skills to approach malware development from a very low-level and pay attention to small details.
“Trickbot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause even more damage. At the same time, we know that the operators behind the infrastructure are very experienced with malware development at a high level as well.
“The combination of these two factors is what allows Trickbot to remain a dangerous threat for more than five years already. I strongly urge people to only open documents from trusted sources and to use different passwords on different websites.”