Cybersecurity researchers have opened the lid on the continued resurgence of the Trickbot malware, making it clear that the Russia-based transnational cybercrime group behind it is working to revamp its attack infrastructure in response to recent counter-efforts by law enforcement.
Recent reports from researchers at Kaspersky Lab and Trend Micro link the Trickbot malware to several high-profile incidents, including the attacks against Sony Pictures and Yahoo, and even a string of cryptocurrency hacks targeting Monaco. Kaspersky Lab published its research on February 18th, and Trend Micro released its report earlier this week. According to Kaspersky Lab:
“Cybercriminals have deployed TrickBot malware again, two weeks before our follow-up reporting on its resurgence. The latest example is related to attacks on companies from Iran. The same threat actors were also responsible for other attacks in the Middle East region two weeks earlier, and before that, they were spotted attacking users in Norway in 2017.”
According to Trend Micro’s report, the group created a new variant of Trickbot, codenamed “Spritz-A” after the popular drink, that is delivered through manipulated email attachments crafted to look as though they come from people holding elevated security privileges. Recipients who trust that apparent authority and open the attachment will subsequently find their computers compromised.
The group has also adopted new tactics to keep its attacks under wraps: Trend Micro found evidence that the attackers have been using Project Blackowl to conceal their activities. This stealthy anti-forensics tool, which is used by a number of different cybercrime groups, was first released in 2012 but was not widely known until early 2017. The Trend Micro report reads:
“Izabella Kaminska at the Financial Times reported on February 10th that a new variant of the Blackowl malware has been deployed by Russian-speaking cybercriminals. ‘This Web injector can conceivably be used as part of an attack chain that will infect and allow the attackers to gain system and network access on their victims’ systems.’ This new variant will use HTTP requests made from legitimate websites to infect machines with Blackowl code. It will also use the Blackowl injector to upload the payload into Chrome and Firefox browsers on individual machines.”
The tactics used by these groups are reminiscent of nation-state-sponsored operations, which typically combine a sophisticated understanding of their targets with a well-coordinated attack campaign. Much like state-backed Russian hackers, this group has the resources and capabilities to hide its tracks and pursue long-term objectives. According to Kaspersky Lab:
“It is important to remember that Trickbot malware was first discovered in 2010. It was used in 2011 to infect thousands of copies of the Pokki web browser, which then caused outages for millions of users worldwide. Earlier in 2017, security researchers at ESET discovered that Trickbot had been used to launch a wide number of attacks from Russia. This demonstrated that the malware is not only persistent but also highly adaptable.”
Several other groups have developed and deployed their own variants of Trickbot in recent years. A study released by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Readiness Team (ICS-CERT) found that some of the most notorious cybercrime groups were using these more recent variants as well. These groups included those from the U.S., India, Canada and Taiwan.
The fact that no one is safe from this kind of attack should serve as a reminder for companies to ensure that their security posture is not only strong but also resilient. The nature of cybercrime has made it clear that when one group is taken down, another will move in to fill the void, taking lessons from prior attacks and building even more capable versions of the malware that hit Sony or Yahoo. Keeping your company’s defenses current, by obtaining vendor patches and applying them promptly rather than waiting until a flaw is actively exploited, is a crucial part of securing your business networks against attacks like these.
Interested in learning more about malware and how it is affecting the world today? Malware Variations – Sophisticated in 2021 explains how malware has changed and what is in circulation in 2021.
If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at firstname.lastname@example.org.