The financial industry remains a prime target for criminals especially cybercriminals, but the evolutions and sophistications of threats has become greater. The desire to steal credentials remains the easiest way for cybercriminals to monetize their activity.
Trickbots are how cybercriminals are starting to get employee and customer credentials and this trojan has lethal capabilities beyond its predecessors Emotet. Fact is Trickbot works better and is a better version then the old.
How do you recognize a Trickbot infection?
Malwarebytes which identified this malware report that end users will not notice anything. Network admin will likely see changes in traffic or attempts to reach out to blacklisted IPs and domains as the malware will communicate with the Trickbot’s command and control infrastructure.
What does Trickbot do?
Trickbot trojan is focused on stealing banking information. It typically spreads through a malicious spam campaign. It can also spread using EternalBlue Exploit. Its then propagates an email or a malicious document with macro to infect its target.
What happens once a machine is infected?
Once infecting the machine the Trickbot uses EternalBlue vulnerability to spread through a network, any infected machine on the network will re-infect machines that have been previously cleaned when they rejoin the network. IT team should isolate, patch and remediate each infected system on its own.
Yeah I know, that’s a long process.
Another helpful note is disabling administrative shares on windows servers. Trickbot uses admin shares once it has brute forced the local admin passwords. AdminIP shares are normally protected via UAC, however, Windows will allow local admin through with no prompt. Most Trickbots variants use C$ with the admin credentials to move around and re-infect end points.
Trickbots are the new innovative ways hackers go after ways to monetize their work. Network admins should be on the lookout for these as its been reported that there is an uptick in Trickbot activity.