New TrickBot Modules Collect Data to Perform SIM Swapping Attacks

Delaware, USA – August 29, 2019 – Not only MegaCortex ransomware gained new features over this summer preparing to autumn campaigns. During August, Trickbot sequentially received three modules to attack users of US-based mobile carriers: Verizon Wireless, T-Mobile, and Sprint. SecureWorks researchers discovered that new trojan versions harvest PIN code of these operators when a user tries to log in to a legitimate website. After adversaries received PIN and user credentials, they can perform SIM swapping attacks to take control of a user’s telephone number. SIM swapping attacks are especially dangerous in that they allow cybercriminals to bypass SMS-based multi-factor authentication. Previously infected systems receive updates automatically, so these modules are active now and collect data for future attacks. Let’s add to this the awakened Emotet Botnet and receive an increased threat of ransomware attacks on organizations and cities in the United States.

This summer, Trickbot trojan also “learned” new methods to bypass the protection of Windows 10 systems and its loader disables Windows Defender before installing the main module. Since the beginning of the year, the number of ransomware attacks is doubled, with more than half of them targeting the United States. Repeatedly, Ryuk gang, one of the culprits of the rapid growth of ransom payments, gained access to the network of its victims through a system infected with Trickbot and Emotet malware. The ability to bypass multi-factor authentication jeopardizes an even larger number of organizations, so it is recommended to switch to time-based one-time passwords.

The rules to detect TricBot banking trojan are available on Threat Detection Marketplace.

Trickbot Execution by Florian Roth
Possible TrickBot Activity OR WinDefend Manipulation by Roman Ranskyi
TrickBot Detector (Sysmon) by Alexandr Yampolskyi
Trickbot Malware Detector (Sysmon Behavior)(July 2019) by Lee Archinal