Yesterday MS-ISAC released a document summarizing the capabilities of the TrickBot malware. TrickBot focuses on obtaining consumer financial credentials, so it should be a concern for all financial institutions. This week, we will look at how TrickBot is spread, what TrickBot does, and what your institution can do about it.
How Does TrickBot Spread?
TrickBot is a modular banking trojan: malicious software that usually arrives inside a legitimate-looking document attached to an email message. The document often appears to be an invoice from a known accounting or financial firm. If a user opens the document with automatic macro execution turned off, the document will attempt to trick the user into turning macros back on. Once the macro runs, the malware may try to spread to other computers on the network using vulnerabilities in the SMB protocol (the protocol Windows uses for file and printer sharing).
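Because the initial delivery relies on a macro-enabled document, a mail-gateway or quarantine script can flag attachments able to run macros before a user ever sees the "enable content" prompt. The following is an added example written for this post, not code from MS-ISAC or Bedel Security: it inspects the attachment bytes, reporting OOXML files that carry a `vbaProject.bin` part as `macro` and legacy OLE containers (old `.doc`/`.xls`, which can also embed macros) as `review`. The sample documents are constructed in memory, and the `PROTECTED`-style extension list and helper names are assumptions for illustration.

```python
"""
Added example (not from the MS-ISAC document or the original post): a mail-gateway
style check that flags Office attachments able to run macros. It assumes the
attachment bytes have already been extracted from the message. Sample files are
constructed in memory below.
"""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # header of legacy binary Office files
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}  # assumed watch list


def has_vba_project(data: bytes) -> bool:
    """True if a zip-based (OOXML) Office file contains a VBA project part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def is_legacy_ole(data: bytes) -> bool:
    """Legacy binary Office formats can embed macros; treat them as needing review."""
    return data.startswith(OLE_MAGIC)


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'macro', 'review', or 'clean' for one attachment.

    The content check runs first so a renamed .docm (e.g. saved as .docx)
    is still caught; the extension is only a secondary signal.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_project(data):
        return "macro"
    if ext in MACRO_EXTENSIONS:
        # Macro-enabled extension but no VBA part found: container mismatch, review it.
        return "review"
    if is_legacy_ole(data):
        return "review"
    return "clean"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal zip resembling a .docx/.docm (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments: names and contents are made up for the demo.
    samples = {
        "invoice_2291.docm": build_ooxml(with_macro=True),
        "statement.docx": build_ooxml(with_macro=False),
        "old_invoice.doc": OLE_MAGIC + b"\x00" * 64,
    }
    for name, blob in samples.items():
        print(f"{name}: {classify_attachment(name, blob)}")
```

A gateway using this logic would quarantine `macro` results outright and route `review` results to an analyst, since a legacy OLE file needs a deeper parse to know whether a VBA stream is present.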
What Does TrickBot Do?
Once established on a computer, TrickBot will try to shut down any antivirus software and will then reach out to a command and control (C2) server on the Internet for further instructions. The C2 server sends additional software to TrickBot, which is then used to try to steal credentials from online banking sessions. It steals credentials either by redirecting the session to a fake banking server or by harvesting credentials from the login prompts on the banking site's web form. Note that both of these methods can intercept and use multi-factor authentication (MFA) responses.
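The first action described above, shutting down antivirus software, is one of the more detectable steps: Windows records service state changes in the System log under Service Control Manager Event ID 7036 ("entered the stopped state") and start-type changes under Event ID 7040 ("changed from auto start to disabled"). The following is an added example, not part of the MS-ISAC document or this post, that runs a detector over a constructed text export of such events and raises an alert when a protected security service is stopped or disabled. The export line format (`timestamp event-id message`) and the list of protected service names are assumptions for the demonstration; the message wording is the standard SCM text.

```python
"""
Added example (not from the MS-ISAC document or the post): detect the
"shut down antivirus" step from exported Windows System log lines.
Keys on Service Control Manager Event ID 7036 (service state change) and
7040 (service start type change). The export format and service list are assumed.
"""
import re

# Services whose stop/disable should raise an alert (assumed list for the example).
PROTECTED_SERVICES = {
    "Windows Defender Antivirus Service",
    "Windows Defender Firewall",
}

# Constructed sample export: "<time> <event id> <message>" (not real telemetry).
SAMPLE_LOG = """\
2020-03-12T09:14:02 7036 The Print Spooler service entered the running state.
2020-03-12T09:15:41 7036 The Windows Defender Antivirus Service service entered the stopped state.
2020-03-12T09:15:42 7040 The start type of the Windows Defender Antivirus Service service was changed from auto start to disabled.
2020-03-12T09:16:10 7036 The Windows Update service entered the running state.
this line is not an event record
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<eid>\d+)\s+(?P<msg>.*)$")
STATE_RE = re.compile(r"^The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$")
TYPE_RE = re.compile(
    r"^The start type of the (?P<svc>.+?) service was changed from .+ to (?P<new>.+)\.$"
)


def parse_line(line):
    """Return (timestamp, event_id, message), or None for lines that are not event records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), int(m.group("eid")), m.group("msg")


def find_av_tampering(log_text):
    """Return alert dicts for protected services being stopped (7036) or disabled (7040)."""
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, eid, msg = parsed
        if eid == 7036:
            m = STATE_RE.match(msg)
            if m and m.group("svc") in PROTECTED_SERVICES and m.group("state") == "stopped":
                alerts.append({"time": ts, "service": m.group("svc"), "event": "stopped"})
        elif eid == 7040:
            m = TYPE_RE.match(msg)
            if m and m.group("svc") in PROTECTED_SERVICES and m.group("new") == "disabled":
                alerts.append({"time": ts, "service": m.group("svc"), "event": "disabled"})
    return alerts


if __name__ == "__main__":
    for alert in find_av_tampering(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same two rules belong in the SIEM or EDR console, where a stop followed within seconds by a start-type change to disabled on the same host is a strong signal worth an immediate response rather than a daily report.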
TrickBot also has other tricks up its sleeve and is continuously updated with more functionality. It can steal email credentials from Outlook and can also steal system information including what software is running, what files are on the system, and what other systems are on the network.
What Can We Do About It?
The MS-ISAC communication contains many recommendations regarding steps to take to protect against TrickBot. We will focus on the highlights and add a few:
If you have any further questions on TrickBot, reach out to us at support@bedelsecurity.com. If you'd like more hands-on help with Threat Intelligence, User Awareness Testing and Training, or Risk Management, check out our CySPOT™ Modules. Or check out these other helpful articles on related topics!