TrickBot is a modular banking trojan that targets sensitive information and acts as a dropper for other malware. Since June 2019, the MS-ISAC is observing an increasingly close relationship between initial TrickBot infections and eventual Ryuk ransomware attacks. The malware authors are continuously releasing new modules and versions of TrickBot to expand and refine its capabilities. TrickBot uses man-in-the-browser attacks to steal financial information, such as login credentials for online banking sessions. Additionally, some of TrickBot’s modules abuse the Server Message Block (SMB) Protocol to spread the malware laterally across a network.
TrickBot is disseminated via malspam campaigns. These campaigns send unsolicited emails that direct users to download malware from malicious websites or trick the user into opening malware through an attachment. TrickBot is also dropped as a secondary payload by other malware, most notably by Emotet.
Format: |
|
Topics: | |
Website: | Visit Publisher Website |
Publisher: | Center for Internet Security (CIS) |
Published: | September 1, 2019 |
License: | Copyrighted |
Copyright: | © The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments. We are a community-driven nonprofit, responsible for the CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously refine these standards to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the cybersecurity needs of U.S. elections offices. To learn more, visit CISecurity.org or follow us on Twitter: @CISecurity. |