New Threat Advisory: TrickBot (Warnings/Recommendations)

TrickBot is up to its tricks again. Once cyber experts get a handle on it, TrickBot releases new modules that advance its capabilities. Here’s what you need to know to protect your organization from TrickBot.

Trickbot

Don’t Get Tricked By TrickBot

TrickBot is up to its tricks again. Once cyber experts get a handle on it, TrickBot releases new modules that advance its capabilities. Here’s what you need to know to protect your organization from TrickBot.

What Is TrickBot?

The Multi-State Information Sharing and Analysis Center (MS-ISAC) recently released a security primer on TrickBot. Originally developed in 2016 as a Windows-based banking Trojan, TrickBot has recently advanced its capabilities.

TrickBot is a modular banking trojan that targets user financial information and acts as a vehicle for other malware. It uses Man-in-the-Browser attacks to steal financial information such as login credentials for online banking sessions. (The majority of financial institutions consider Man In The Browser attacks as the greatest threat to online banking.)

Malware developers are continuously releasing new modules and versions of TrickBot— And they’ve done this once again.

How Is TrickBot Distributed?

TrickBot is disseminated via malspam campaigns. Malspam is a combination of malware and spam. It’s usually delivered through phishing or spear-phishing emails. Its goal is to exploit computers for financial gain.

These malspam campaigns send unsolicited emails that direct users to download malware from malicious websites or trick the user into opening malware through an attachment.

TrickBot is also dropped as a secondary payload by other malware such as Emotet. Some of TrickBot’s modules abuse the Server Message Block (SMB) Protocol to spread the malware laterally across a network. (SMB is an application-layer network protocol that facilitates network communication while providing shared access to client files, printers and serial ports.)

The developers behind TrickBot have continue to add more features via modules to this potent trojan virus. It can download new modules that allow it to evolve if left unchecked.

How Does The TrickBot Malspam Campaign Work?

The malspam campaigns that deliver TrickBot use third-party branding looks familiar to you and your staff such as invoices from accounting and financial firms. The emails typically include an attachment, such as a Microsoft Word or Excel document. If you open the attachment, it will execute and run a script to download the TrickBot malware.

And, TrickBot is really tricky. It runs checks to ensure that it isn’t put in a sandboxed (quarantined) environment. Then it attempts to disable your antivirus programs like Microsoft’s Windows Defender.

And even worse, TrickBot redeploys itself in the “%AppData%” folder and creates a scheduled task that provides persistence. Persistence is the continuance of the effect after its cause is removed. So, even after you remove TrickBot, it can still create problems.

What Happens If Your Network Gets Infected With TrickBot?

TrickBot’s modules steal banking information, perform system/network reconnaissance, harvest credentials and can propagate throughout your network.

TrickBot:

  • Will harvest your system information so that the attacker knows what’s running on your network.
  • Compares all files on your disk against a list of file extensions.
  • Collects more system information and maps out your network.
  • Harvests browser data such as cookies and browser configurations.
  • Steals credentials and configuration data from domain controllers.
  • Auto fills data, history, and other information from browsers as well as software applications.
  • Accesses saved Microsoft Outlook credentials by querying several registry keys.
  • Force-enables authentication and scrapes credentials.
  • Uses these credentials to spread TrickBot laterally across your networks.

What’s New With TrickBot?

In November 2018, a module was developed and added that gave TrickBot the ability to steal credentials from popular applications such as Filezilla, Microsoft Outlook, and WinSCP.

In January 2019, three new applications were targeted for credential grabbing: VNC, Putty, and RDP.

In addition, it can also steal credentials and artifacts from multiple web browsers (Google Chrome/Mozilla Firefox/Internet Explorer/Microsoft Edge) including your browsing history, cookies, autofills, and HTTP Posts.

How Can You Protect Your Organization From TrickBot?

We recommend that you contact us and arrange for the following to protect against the TrickBot malware:

  • Implement filters at the email gateway to filter out emails with known malspam indicators such as known malicious subject lines, and block suspicious IP addresses at the firewall.
  • Use managed antivirus programs on clients and servers, with automatic updates of signatures and software. Off-the-shelf antivirus isn’t enough.
  • Arrange for vulnerability scans to detect TrickBot or other malware threats that are hiding in your IT systems.
  • Apply appropriate patches and updates immediately after they are released.
  • Provide Security Awareness Training for your users. Regular training will ensure that they can recognize social engineering/phishing attempts, and refrain from opening attachments from unverified senders.
  • Help you employ a Password Management solution so your usernames and passwords aren’t disclosed to unsolicited requests.
  • Deploy a managed Anti-Spam/Malware Solution with the latest signature and detection rules.
  • Review security logs for indicators of TrickBot. If any are found, we can isolate the host and begin investigation and remediation procedures.
  • Make sure you adhere to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. We’ll also limit administrative credentials to designated administrators.
  • Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC). This is a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.
  • If you don’t have a policy regarding suspicious emails, we can help you create one and specify that all suspicious emails should be reported to security and/or IT departments.
  • And more…

Don’t let TrickBot use its tricks to steal your confidential data. Contact us for comprehensive IT Security Analysis and Remediation to keep TrickBot out of your network.

What Is This Chromium Application That Just Appeared On My Computer?

Have you seen a new application — Chromium — suddenly appear on your computer? It’s likely that if you did not intentionally download it, the app is malware that should be removed immediately.

Chromium Web Browser

While Chromium is a legitimate product, hackers have been using it to deliver adware and potentially unwanted programs, redirect browsers to different websites and track Internet activity. The results of such unwanted software can range from minor irritation to serious privacy concerns, including identity theft.

What Is Chromium?

Chromium is an open-source browser application that was initially created by Google. Chromium is the source code for what became the Chrome browser. When Google released Chrome in 2008, it also released the Chromium code. The Chromium project is now managed by The Chromium Projects and is designed for developers to create a faster, more stable and safer form for web browsing.

Chrome itself still includes some of the Chromium source code along with proprietary features, such as automatic updates. Google owns and manages the product, which is by far the most popular browser worldwide, with 62.5 percent of the market share as of February 2019.

Why Is Chromium Popular with Hackers?

Because it’s an open-source product, Chromium is vulnerable to misuse. Browser hijackers are a type of malware that makes changes to a user’s browser settings without their knowledge or consent. Most users unintentionally download hijacking malware when clicking through online ads or when downloading or purchasing other software.

How Does Malware Chromium Work?

The malware Chromium app uses a virtual layer to push ads or redirect browsers to e-commerce websites. Other types can direct users to dangerous, malicious websites that can themselves contain infectious viruses and programs.

What’s worse is that the bad Chromium browsers track your browser activity and can grab browsing data, including personally identifying information, passwords and financial data such as credit card numbers and bank account numbers. The hackers then sell this information to third parties, who often use it illegally. This activity can mean privacy breaches, unwanted use of cards and accounts, and identity theft.

There are many different Chromium-based browser applications that are dubious, despite appearing to be legitimate. Usually, these apps claim to improve browsing speed and security and boast of having new features that other browsers lack. These claims lure users into a false sense of security and invite downloads that cause trouble. These questionable app names include BeagleBrowser, BrowserAir, Chedot, eFast, Fusion, MyBrowser, Olcinium, Qword, Torch and Tortuga, among others.

How Is Chromium Malware Installed?

Often, these rogue programs are part of the Custom or Advanced settings of an app. The most common victims of these unwanted applications are users who hastily download software and install it quickly without reviewing each step. To avoid these inadvertent downloads, it’s important to pay attention during download and installation steps. Be wary of any software that is bundled with other programs and never accept offers to install third-party programs.

How Do I Uninstall Rogue Chromium Browsers?

There are several step-by-step guides online to show how to remove the malware, do thorough scans of your computer for rogue files and registry keys, and clean and reset browsers. The steps are very specific to your operating system and browsers. Two good online guides are here and here.

Being aware of types of malware, how they infect your computer and what they do can help prevent you or your employees from the frustration, time and irritation of fake Chromium browsers.

Social Engineering at Work: Part 4 – SMiSHing

Social engineering is when “persuasion” takes a darker turn. In a broad sense, it includes any action that attempts to influence a person to act against their best interests. This is the last of a 4-part series on social engineering and how it affects your business.  We have covered Impersonation, Email Phishing, Vishing, and finally SMiSHing.

SMiSHing

SMiSHing applies phishing tactics through text messages.

Although this channel is less effective at convincing victims of the sender’s authority, attackers find other uses.

Fake shipping service in Japan

In an on-going SMS phishing attack in Japan, victims receive text messages claiming to be from a parcel delivery service. The message guides victims to a website with more information.

Rather than collecting information online, the site prompts users to send personal information via SMS.

A variation of the attack encourages victims to install a smartphone app. The mobile malware intended to collect login credentials and credit card info and send SMS messages to more potential victims.

SMS phishing via Atlanta

Two Romanian hackers were extradited to the U.S. in April for an elaborate phishing scam that leveraged SMiShing and vishing.

From Romania, the pair used compromised computers around Atlanta to send thousands of automated phone calls and text messages throughout the U.S.

The messages claimed to be from a financial institution and directed victims to call a phone number to resolve a problem. After calling, victims were prompted to enter their bank account numbers, PINs, and/or social security numbers.

The hackers collected more than 36,000 bank account numbers, according to court records.

What You Can Do About It

First, always be aware that these scams exist and keep your guard up. More importantly, partner with a trusted IT service company, who takes on the job of protecting your business from cybercriminals.

For more information, a security assessment, or help training your employees on cyber safety, call mPowered IT 678-389-6200.

Social Engineering at Work: Part 3 – Vishing

Social engineering is when “persuasion” takes a darker turn. In a broad sense, it includes any action that attempts to influence a person to act against their best interests. This is the third of a 4-part series on social engineering and how it affects your business.  Earlier, we covered Impersonation and Email Phishing. Today – Vishing.

Vishing

Vishing – or ‘voice phishing’ – is used by brazen attackers who call their targets directly. They often impersonate authority figures and threaten victims to send payment, or else…

Malware Routes Calls to Attackers

In one recent example of vishing, rather than calling victims, attackers used malware on victims’ smartphones to redirect their calls.

Once installed, the malware detected when calls were placed to banks and redirected them to scammers who impersonated a banking employee. The phone’s caller ID even listed the bank’s legitimate phone number.

In one example, more than 130 utility customers – many of them restaurants – received calls from a person threatening to shut off their electrical service unless payment was made.

Many of the calls came at busy times – such as the dinner rush – and at least one victim paid $4,000 to avoid having the power cut. Payments were made online or via prepaid card.

Caller ID Spoofing

The attacker may use caller ID spoofing to make their efforts more convincing.

For example, several New Jersey residents experienced vishing attacks in which the caller impersonated a local sheriff’s office.

The attacker attempted to extort money from victims using the threat of arrest and successfully used caller ID spoofing to mimic the sheriff’s office phone number.

In another example of impersonating police, the caller posed as a officer and pressured the victims into share personal information that could be used for fraud.

What You Can Do About It

First, always be aware that these scams exist and keep your guard up. More importantly, partner with a trusted IT service company, who takes on the job of protecting your business from cybercriminals.

For more information, a security assessment, or help training your employees on cyber safety, call mPowered IT 678-389-6200.

Social Engineering at Work: Part 2 – Email Phishing

Social engineering is when “persuasion” takes a darker turn. In a broad sense, it includes any action that attempts to influence a person to act against their best interests. This is the second off a 4-part series on social engineering and how it affects your business.  Earlier, we covering Impersonation. Today – Phishing.

Email Phishing

Phishing occurs most often through email and it’s one of the most common ways cyber attacks are launched.

Two main types of email phishing exist:

  1. Emails that trick victims into sharing access credentials.
  2. Emails that trick victims into installing malware.

In email phishing, attackers are generally not working to scam you out of money directly. They simply want to steal access credentials or install malware.

In the first variety, attackers typically encourage victims to visit a phony website and enter access credentials. Occasionally, they encourage victims to send credentials directly via email.

Even here, overlap exists – where the phishing websites often attempt to force malware onto the users’ system via drive-by-download or a disguised software update.

Many phishing emails attempt to trick users into installing malware directly via a disguised email attachment. While any type of malware can be used, trojans are a common variety designed to persist on the infected system and collect sensitive information, such as banking credentials.

What You Can Do About It

First, always be aware that these scams exist and keep your guard up. More importantly, partner with a trusted IT service company, who takes on the job of protecting your business from cybercriminals.

For more information, a security assessment, or help training your employees on cyber safety, call mPowered IT at 678-389-6200.

Web Analytics