The operators of TrickBot malware have infected an estimated 140,000 victims across 149 countries a little over a year after attempts were to dismantle its infrastructure. The advanced Trojan is fast becoming an entry point for Emotet, another botnet that was taken down at the start of 2021. Emotet is believed to have originated in the Ukraine is also known as Heodo which was first detected in 2014. See: https://redskyalliance.org/xindustry/this-may-be-the-end-of-emotet
Most of the victims detected since 01 November 2020, are from Portugal (18%), the US (14%), and India (5%), followed by Brazil (4%), Turkey (3%), Russia (3%), and China (3%), researchers noted in a report. Government, finance, and manufacturing entities are emerging the top affected industry verticals. "Emotet is a strong indicator of future ransomware attacks, as the malware provides ransomware gangs a backdoor into compromised machines," said the analysts who detected 223 different Trickbot campaigns over the course of the last six months. See: https://redskyalliance.org/xindustry/trickbot-malware-is-tricky-having-new-devious-versions
Both TrickBot and Emotet are botnets, which are a network of Internet-connected devices infected by malware and can be tasked to conduct an array of malicious activities. TrickBot originated as a C++ banking Trojan and as a successor of Dyre malware in 2016, featuring capabilities to steal financial details, account credentials and other sensitive information; laterally spread across a network; and drop additional payloads, including Conti, Diavol, and Ryuk ransomware strains.
Introduced by malspam campaigns or previously dropped by other malware like Emotet, TrickBot is believed to be the handiwork of a Russia-based group called Wizard Spider. This bad actor group has since extended its capabilities to create a complete modular malware ecosystem, making it an adaptable and evolving threat, not to mention an attractive tool for conducting a myriad of illegal cyber activities.
The botnet also caught the attention of government and private entities in 2020, when the US Cyber Command and a group of private sector partners spearheaded by Microsoft, ESET, and Symantec acted to curtail TrickBot's reach and prevent the adversary from purchasing or leasing servers for command-and-control operations.[1]
These actions have only been temporary setbacks, with the malware authors rolling out updates to the botnet code that have made it more resilient and suitable for mounting further attacks. TrickBot infections in November and December 2021 have also escalated a surge in Emotet malware on compromised machines, signaling a revival of the infamous botnet after a gap of 10 months following a coordinated law enforcement effort to disrupt its spread. "Emotet could not choose a better platform than Trickbot as a delivery service when it came to its rebirth," the researchers noted.
The latest wave of spam attacks are prompting users to download password-protected ZIP archive files, which contain malicious documents that, once opened and macros are enabled, result in the deployment of Emotet malware, thereby enabling it to rebuild its botnet network and grow in volume. "Emotet's comeback is a major warning sign for yet another surge in ransomware attacks as we go into 2022," said Check Point's head of threat intelligence. "Trickbot, who has always collaborated with Emotet, is facilitating Emotet's comeback by dropping it on infected victims. This has allowed Emotet to start from a very firm position, and not from scratch."
In what appears to be a further escalation in tactics, new Emotet artifacts have been uncovered dropping Cobalt Strike beacons directly onto compromised systems, according to Cryptolaemus cybersecurity experts, as opposed to dropping first-stage payloads before installing the post-exploitation tool. "This is a big deal. Typically, Emotet dropped TrickBot or QakBot, which in turn dropped Cobalt Strike. You'd usually have about a month between [the] first infection and ransomware. With Emotet dropping [Cobalt Strike] directly, there's likely to be a much much shorter delay," security researcher stated.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and offers pro-active solutions to protect your networks. Cyber intelligence is a needed key for your over-all cyber security. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
[1] https://thehackernews.com/2021/12/140000-reasons-why-emotet-is.html
Comments