The TrickBot threat actors have upgraded their botnet with anti-analysis functionality designed to hinder study by researchers, and are using these improvements to target the customers of major financial and technology firms. The threat actors have also added several US-based cryptocurrency firms to their target list.
According to reports, TrickBot has evolved into a more dangerous piece of malware, with approximately 20 modules that are downloaded and purchased on demand and used to target high-profile organisations such as banks and credit card providers.
The most notable targets of this group are the Bank of Montreal, Centennial Bank, and the credit card services provider American Express.
Among technology organisations, TrickBot's targets also include IT giants such as Microsoft, Yahoo, AOL, and Amazon. In cryptocurrency financial services, blockchain[.]com is the botnet's main target.
However, researchers believe that the actual victims of TrickBot's attacks are not the organisations themselves but their customers and clients. They suspect the threat actors target customers in order to exfiltrate user credentials and gain access to these organisations' portals.
TrickBot's anti-analysis improvements have helped the operators hide their activity from various cybersecurity solutions, and three new modules have been added to upgrade the malware's capabilities.
The first is the inject[.]dll module, which performs web and browser data injection to steal banking and credential information. The module also implements anti-analysis capabilities, such as crashing the tab process.
The second module is tabDLL, which gathers the target's credentials and spreads the threat by using a network share.
The last is the pwgrabc module, which steals passwords from web browsers and applications such as OpenSSH, Outlook, WinSCP, TeamViewer, IE, Edge, RDP, PuTTY, FileZilla, OpenVPN, and Google Chrome.
The TrickBot threat actors are highly skilled and technically competent. The malware's modular design makes it particularly dangerous for its victims, and it should be treated as a top-priority threat by security teams.