US CISA, FBI Warn Of Trickbot Phishing Campaign

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are warning of a “sophisticated” phishing campaign that aims to install the the dangerous Trickbot malware on targets’ systems.

The campaign, largely affecting North American organisations, makes use of tailored emails that claim to contain proof of a traffic violation, the agencies said.

Trickbot, first identified in 2016, is one of the most widespread and versatile malware tools, and is capable of being tailored for a wide variety of uses, including password and data theft.

The Windows malware started off as a banking Trojan used to steal financial data, but has evolved into a highly modular, multi-stage form that is capable of installing further malware on a user’s system.

Tailored emails

“A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download Trickbot,” CISA said in the advisory.

The agency recommended measures including blocking suspicious IP addresses, using antivirus software and providing training on social engineering and phishing to employees.

Phishing involves the use of scam emails to trick a user into installing malware.

The people behind the current campaign are carrying out a spearphishing campaign, meaning the emails are tailored for particular targets, making them more dangerous, CISA said.

The emails contain a link to alleged proof of a traffic violation, which takes the user to website hosted on a compromised server.

This site prompts the user to click on photo proof of their supposed violation, and in clicking on the photo the target unknowingly downloads a malicious JavaScript file.

Ransomware

This communicates with the attacker’s command server to download Trickbot onto the system, CISA said.

Some of Trickbot’s most common operations are to steal login credentials, via a browser attack, with some variants able to spread across a network using the SMB protocol.

The malware can be used to gather information to support further targeting, for data theft or even for carrying out clandestine cryptocurrency mining.

Trickbot also be used to drop other malicious code, such as Ryuk or Conti ransomware, or to download a malware strain called Emotet, thought to be operated by a Russian crime organisation.

Emotet is best known for turning infected systems into parts of a botnet, but the system’s operations were disrupted in January through a coordinated international police operation.

Trickbot was also targeted by a Microsoft-led operation in October of last year that targeted its infrastructure, but researchers said the malware reappeared within weeks and has been active ever since.