TrickBot is once again making itself known during tax season and attempting to steal your hard-earned money. TrickBot was originally discovered in October of 2016 but has since changed and evolved dramatically into one of the most prolific attacks today.
How it works
Just like Emotet, TrickBot primary spreads by specially designed
emails or malspam
that attempts to trick the user into clicking or downloading the attachment.
The current campaign, as of this writing, is TrickBot’s normal tax season
attack: pretending to be the IRS. In the
example below, the link will send you a to a domain that looks official but is
Once TrickBot is installed on a computer, it sets up a scheduled
task to make sure it has a persistent presence on the computer before starting
to steal information. In addition, it disables Windows Defender early on so
that it won’t be removed. SUPERAntiSpyware is not stopped in this way.
TrickBot does not show any signs of running on a user’s
computer and the only “noise” it makes is the network traffic it creates.
Recording network traffic is generally only done by businesses, which helps
TrickBot evade detection on personal computers.
TrickBot uses a module design, much like Emotet and other bankers. Not only does this allow TrickBot to quickly
change its attack capabilities, but it also makes it harder to detect. These
modules often do one thing well rather than trying to do many things. Some are
designed to go after hosted ftp servers, cached remote desktop credentials, and
bitcoin mining accounts.
The most common module, however, allows TrickBot to redirect the user to fake bank sites that, instead of logging the user in, will steal account credentials. The scammers make this possible by domain squatting, or registering an internet address that is only slightly different than the one you intend to visit. For instance, if you receive an email about your GoDaddy account, you might not notice if a link in that email goes to godabdy.com/payyourbill (godaddy is misspelled with a b instead of the second d).
This is compounded upon by hiding the URL so only the
studious will look for it and by making the site look like you expect through
careful recreation by the attackers. Many big companies will attempt to combat
this by buying these fake sites and then redirecting them to the appropriate
domain, but this is not always easily done.
Who is affected?
TrickBot is aimed more at business than casual users;
however, it is still the number-one banker, and anyone who lives inside the
USA, Africa, Europe, and Middle East should be wary. (This does not exclude
other areas from being hit, just shows that they are not the current target.)
Indicators of Compromise
C:\Documents and Settings\<USER>\Application
d2cc298a90c6ef939488b53ead12fd3549c3c0414733f6fdaf1762da31ea1e90 sha1: df404c6b1efc2cfbfdd0b7699554989dab03791f md5: e580ca34929cf9b62e816adcebe715f2C:\Users\admin\AppData\Roaming\msscsc\e690ca34929cf9b72e917adcebe816f2.exed2cc298a90c6ef939488b53ead12fd3549c3c0414733f6fdaf1762da31ea1e90 http://ip.anysrc.net/plain/clientip Scheduled Task that points to a file in AppData
such as C:\Users\<User>\AppData\Roaming\
What you can do
If you or someone you know is infected with TrickBot
malware, download SUPERAntiSpyware Professional right now and get a 14
day free trial, no credit card required.
SUPERAntiSpyware is easy to install and will detect and remove TrickBot from
any Windows computer. If you are a Computer Technician, you may like to try our
SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use
Tech04 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html
Read more: blog.superantispyware.com