The Trickbot Trojan moves into top gear

London, UK – July 25, 2017 – The Trickbot banking Trojan has been used for Man-in-the-Browser attacks since mid-2016. Currently, adversaries use the Necurs botnet to distribute it. This botnet is tied to Locky and Jaff ransomware attacks and is capable of sending millions of emails per day. Researchers from Flashpoint report that the current spam campaign, named ‘mac1’, began on July 17, and three waves of malicious emails have already been sent to targeted banks and the commercial sector in Europe, the US, Canada, Australia and New Zealand. Initially, adversaries distributed a malicious attachment – a ZIP file with a Windows Script File containing obfuscated JavaScript code. The code was intended to download and execute the Trickbot loader. In subsequent waves, they used malicious documents with macros.

Adversaries constantly increase the number of targets and also try new techniques and tactics. A custom redirect mechanism requires a lot of resources, and the attackers have them. To protect the organization from such attacks, it is necessary to conduct additional Security Awareness training for employees. It is also recommended to whitelist IP addresses. In addition, if your organization uses a SIEM system, you can download use cases from S.M.A. cloud to detect suspicious activity and protect your organization from new attacks using this or similar malware.