Banking Trojan TrickBot Spreads Like Wildfire
For years, cyber criminals have increased spam campaigns around tax time, in an attempt to make a quick buck. This year is no different. Cyber criminals have begun distributing the banking Trojan TrickBot through malicious emails that impersonate tax and payroll services.
Researchers confirmed the malware has been used in three different campaigns since late January. The emails in these campaigns pretend to be from large accounting, tax and payroll services firms, like ADP and Paychex. In reality, the messages carry malicious Microsoft Excel attachments disguised as tax or billing invoices, which download and execute the TrickBot Trojan when opened.
Once the Trojan is installed on one endpoint, TrickBot does two things. First, it steals as much data as possible on the device. The data stolen can range from basic email content to banking credentials – the possibilities are limitless, as the hackers have full control of the device. Then, the malware attempts to spread throughout the network to maximize destruction. If it is able to spread to additional devices, it will again steal as much data as possible on each device it touches.
Unfortunately, TrickBot is not noticeable to the average user, as the actions it takes are executed in the background. However, IT professionals will likely notice the changes in traffic or the attempts to connect to unauthorized domains when the malware tries to reach its command-and-control servers.
Researchers have confirmed that the email styles, the behavior of the malicious attachments, and the subsequent malware URLs were the same for all three email campaigns used to distribute TrickBot. Due to these three similarities, it is believed the same cyber criminals were behind all three campaigns.
The exact target of these emails is unknown; however, since the hackers are impersonating large firms, like ADP and Paychex, the attacks are likely to have some success.
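A mail-triage check for the lure described above (a message that claims to be from ADP or Paychex and carries an Excel attachment), added here as an example and not taken from the researchers' work. The brand-to-domain list, the function names `triage` and `build_sample`, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: sending domains treated as legitimate for each impersonated brand.
BRAND_DOMAINS = {"adp": {"adp.com"}, "paychex": {"paychex.com"}}
EXCEL_EXTS = (".xls", ".xlsx", ".xlsm", ".xlsb")

def triage(raw: bytes) -> dict:
    """Flag mail that claims a payroll brand, comes from a domain outside
    that brand's list, and carries an Excel attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_hdr = str(msg.get("From", ""))
    domain = parseaddr(from_hdr)[1].rpartition("@")[2].lower()
    claims = f"{from_hdr} {msg.get('Subject', '')}".lower()
    # Brands named in the display name, address or subject but not backed
    # by the actual sender domain (exact match or subdomain).
    spoofed = sorted(
        brand for brand, domains in BRAND_DOMAINS.items()
        if re.search(rf"\b{brand}\b", claims)
        and not any(domain == d or domain.endswith("." + d) for d in domains)
    )
    excel = [
        part.get_filename() for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(EXCEL_EXTS)
    ]
    return {"sender_domain": domain, "spoofed_brands": spoofed,
            "excel_attachments": excel, "flag": bool(spoofed and excel)}

def build_sample(from_hdr, subject, filename=None) -> bytes:
    """Constructed test message; the attachment bytes are inert filler."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_hdr, "user@corp.example", subject
    m.set_content("Please see the attached invoice.")
    if filename:
        m.add_attachment(b"constructed filler", maintype="application",
                         subtype="vnd.ms-excel", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    lure = build_sample("ADP Payroll <billing@adp-invoices.example>",
                        "Your tax invoice", "invoice.xls")
    print(triage(lure))
```

This check only catches lookalike sender domains. A message that forges the brand's exact domain in the From header has to be caught by SPF, DKIM and DMARC enforcement at the mail gateway.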