TrickBot malware targets users' financial information, acts as a dropper for other malware, and can be leveraged to steal banking information, conduct system and network reconnaissance, harvest credentials and achieve network propagation, according to a security primer released by the Multi-State Information Sharing and Analysis Center (MS-ISAC).
“The malware authors are continuously releasing new modules and versions of TrickBot,” the Center for Internet Security said in a whitepaper. “TrickBot is disseminated via malspam campaigns. These campaigns send unsolicited emails that direct users to download malware from malicious websites or trick the user into opening malware through an attachment. TrickBot is also dropped as a secondary payload by other malware, most notably by Emotet.”
The modular banking trojan was recently used to steal credentials for remote computer access, with a newer version targeting passwords for Virtual Network Computing (VNC), PuTTY and Remote Desktop Protocol (RDP).
Detected as TrojanSpy.Win32.TRICKBOT.AZ and Trojan.Win32.MERETAM.ADnew, the new TrickBot was discovered this past January as part of a spam campaign that distributes emails disguised as tax incentive notifications from Deloitte. Attached to the emails is a malicious Microsoft Excel spreadsheet containing a macro that, upon activation, downloads the malicious payload.
The Center for Internet Security initiative encourages users and admins to use antivirus programs, disable macros and practice good overall cyber hygiene.