Activity of TrickBot escalates and focuses on PayPal and CRM

Our research team first encountered TrickBot in September 2016, and its campaigns continue to this day: the Trojan's activity has not been suppressed, and it still sets its sights on financial institutions. Shortly after it appeared, the malware concentrated on banks in a handful of countries, but over time its operators cast a wider net. The most recent wave targets banks around the world, including the United Kingdom, Sweden, Finland, France, Switzerland, Ireland, Denmark, Lithuania, Lebanon and many others.

The malware took its first steps in Australia, Asia and the United Kingdom, where it hit banking institutions with aggressive spam campaigns. The delivery technique seen in the recent campaigns (described below) surprised researchers, because it is rarely used by banking Trojans: some ransomware (crypto-virus) families have been observed using it, but for most criminal groups it remains uncharted territory.

This is not entirely a shock: since its arrival on the cybersecurity scene, TrickBot has been regarded as a well-developed piece of malware, so it is no surprise that its authors keep improving it. Unfortunately, those improvements are bad news for users and security researchers alike.

TrickBot's spam campaign sends emails carrying seemingly harmless PDF attachments. The PDF tricks the recipient into opening an embedded Microsoft Word document, which in turn asks the user to enable macros; doing so completes the infection. Enabling macros runs a VBS script that contacts an attacker-controlled domain and downloads the TrickBot payload onto the machine.
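The delivery chain above (a PDF that carries an Office document, which carries a macro) leaves static traces that a mail gateway or analyst can check before anything is opened. The following triage script is an added example written for this page, not code from the article or from any vendor; the sample PDF and Office packages it inspects are constructed inline, the indicator names are standard PDF and OOXML identifiers, and the `triage` function and its verdict format are this example's own design.

```python
"""Triage a mail attachment for the delivery chain described above: a PDF
that carries an embedded Office document or an auto-run script, and a Word
document that carries a VBA macro project.  Example code added for this
page; not the article's or any vendor's code."""
import io
import re
import zipfile

# PDF name objects that mean "this file carries or launches something".
# They are matched in plaintext only: dictionaries packed into /ObjStm
# object streams are compressed, so a clean result is a first pass, not
# a clearance.
PDF_INDICATORS = (
    (b"/EmbeddedFile", "embedded file (e.g. a hidden Office document)"),
    (b"/OpenAction",   "action runs automatically when the PDF is opened"),
    (b"/Launch",       "launches an external program or file"),
    (b"/JavaScript",   "embedded JavaScript"),
    (b"/JS",           "embedded JavaScript"),
)


def _pdf_findings(data):
    findings = []
    for name, why in PDF_INDICATORS:
        # A PDF name ends at whitespace or a delimiter, so the name tree key
        # /EmbeddedFiles must not count as the payload type /EmbeddedFile.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", data) and why not in findings:
            findings.append(why)
    return findings


def _office_zip_findings(data):
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if "word/vbaProject.bin" in names:
                findings.append("VBA macro project present (word/vbaProject.bin)")
            if "[Content_Types].xml" in names and b"macroEnabled" in z.read("[Content_Types].xml"):
                findings.append("content type declares a macro-enabled document")
    except zipfile.BadZipFile:
        findings.append("zip header present but archive is malformed")
    return findings


def triage(data):
    """Classify an attachment by its magic bytes and return the indicators found."""
    if data.startswith(b"%PDF"):
        kind, findings = "pdf", _pdf_findings(data)
    elif data.startswith(b"PK\x03\x04"):
        kind, findings = "ooxml", _office_zip_findings(data)
    elif data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        # Legacy binary .doc/.xls: macros live in OLE streams; hand off to olevba (oletools).
        kind, findings = "ole", ["legacy OLE compound document; inspect VBA streams with olevba"]
    else:
        kind, findings = "unknown", []
    return {"kind": kind, "findings": findings, "suspicious": bool(findings)}


# Constructed sample: a PDF whose open action runs JavaScript that exports an
# embedded file, i.e. the "PDF wraps a Word document" pattern.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R
  /Names << /EmbeddedFiles << /Names [(invoice.docm) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 6 0 R >> >> endobj
5 0 obj << /S /JavaScript /JS (this.exportDataObject({cName: "invoice.docm", nLaunch: 2});) >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a PDF with nothing but a catalog and an empty page tree.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_docx(with_macro):
    """Constructed sample: a minimal OOXML package, optionally macro-enabled (.docm)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>')
    if with_macro:
        types += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample.pdf", SAMPLE_PDF), ("benign.pdf", BENIGN_PDF),
                        ("invoice.docm", build_docx(True)), ("letter.docx", build_docx(False))):
        print(label, triage(blob))
```

The PDF check deliberately matches name objects only in plaintext, so a PDF that hides its catalog in a compressed object stream passes it; in production, decompress object streams (pdfid/pdf-parser do this) before trusting a clean result. The OOXML check is more reliable, because `word/vbaProject.bin` cannot be compressed away: if it is present, the document carries a macro project regardless of its extension.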

TrickBot's primary purpose is to attack banks, so it was surprising to learn that payment processing services and Customer Relationship Management (CRM) providers are now on its target list as well. PayPal is attacked through its users: customers are lured to a fake login page that harvests their credentials. Because these schemes can cause severe financial losses, extra caution is warranted.

TrickBot is not going away any time soon, and users will have to stay vigilant to protect themselves. That said, researchers doubt that the Trojan's operators target people at random; they appear to select victims carefully, and business accounts are the main targets because they tend to hold the largest balances. In the most recent attacks the spam originates from the Necurs botnet. Do not open attachments from unknown senders, and avoid unfamiliar websites, to keep your system malware-free.

Source: infosecurity-magazine.com
