Trickbot malware is back with a new campaign – just a few months after its operations were disrupted by a coalition of cybersecurity and technology companies.
Initially starting life as a banking trojan, Trickbot evolved to become a highly popular form of malware among cyber criminals, particularly because its modular nature allowed for it to be used many different kinds of attacks.
These include the theft of login credentials and the ability to propagate itself around the network spreading the infection further.
Trickbot even became a loader for other forms of malware, with cyber criminals taking advantage of machines already compromised by Trickbot as a means of delivering other malicious payloads, including ransomware.
In October last year, a takedown led by Microsoft disrupted the infrastructure behind the Trickbot malware botnet, but now it appears to be coming back to life as researchers at Menlo Security have identified an ongoing malware campaign which has the hallmarks of previous Trickbot activity.
These attacks appear to be exclusively targeting legal and insurance companies in North America, with phishing emails encouraging potential victims to click on a link which will redirect them to a server which downloads a malicious payload.
Analysis of this payload indicates that it connects to domains which are known to distribute Trickbot malware, indicating that it’s once again active and could pose a threat to enterprise networks.
“Where there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot’s operations,” said Vinay Pidathala, director of security research at Menlo Security
“While Microsoft and it’s partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment,” he added.
An advisory on Trickbot by the UK’s National Cyber Security Centre (NCSC) recommends that organisations use the latest supported versions of operating systems and software and to apply security patches in order to stop Trickbot other malware exploiting known vulnerabilities to spread.
It’s also recommended that organisations apply two-factor authentication cross the network so that in the event of one machine being compromised by malware, it’s much harder for it to spread.
MORE ON CYBERSECURITY