TrickBot Operators Now Use "Traffic Violations" to Spear-Phish Unsuspecting Victims

Filip TRUȚĂ

March 18, 2021


The Cybersecurity & Infrastructure Security Agency (CISA) and the FBI have released a Joint Cybersecurity Advisory on TrickBot, warning that a sophisticated group of cyber actors is sending phishing emails that claim to contain proof of traffic violations in order to lure victims into downloading the insidious malware.

TrickBot is a modular, multi-stage Trojan that packs a full array of tools to wage cyber-attacks. The malware is notorious among cybercriminals because, apart from its primary purpose of collecting sensitive data and harvesting credentials from victims, it packs features designed to move laterally across compromised networks and infect other machines. This ability makes TrickBot highly resilient to cleanups, letting ransomware operators establish persistence on the targeted infrastructure and deliver payloads on high-value targets.

TrickBot's operations were partially disrupted in the second half of 2020, but the two agencies have spotted renewed efforts from "sophisticated" threat actors leveraging the malware.

CISA and the FBI say they've observed "continued targeting through spearphishing campaigns using TrickBot malware in North America," noting that a "sophisticated" group of hackers is luring victims with a traffic infringement phishing scheme to download the Trojan.

"CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor's command and control (C2) server to download TrickBot to the victim's system."
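The delivery chain quoted above (email link, page on a compromised server, a JavaScript file delivered when the "photo proof" is clicked) gives defenders one concrete thing to look for in web proxy logs: a browser download whose payload is a script rather than an image. The Python below is an added example, not code from the advisory or from this article. It scans constructed proxy log lines for exactly that pattern, flagging a download either by its declared script MIME type or by a script file extension when the server mislabels the content. The log format, hostnames and filenames are assumptions made up for the example, not indicators from the advisory, and the detection is extended slightly beyond the text to cover the encoded `.jse` variant of the same file type.

```python
"""Added example: flag proxy log entries where a browser download delivered a
script file as an attachment, the delivery step in the TrickBot chain described
by CISA and the FBI. Log format and all values are constructed for this example."""
import re
from dataclasses import dataclass

# Constructed, simplified proxy log format (an assumption, not any product's real format):
# timestamp client_ip method url status "content-type" "content-disposition"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'"(?P<ctype>[^"]*)" "(?P<cdisp>[^"]*)"$'
)

# Constructed sample lines. Hostnames are placeholders, not indicators from the advisory.
SAMPLE_LOG = """\
2021-03-18T09:12:01Z 10.0.0.15 GET http://placeholder-compromised.example/violation/index.php 200 "text/html" ""
2021-03-18T09:12:09Z 10.0.0.15 GET http://placeholder-compromised.example/violation/photo_proof.js 200 "application/javascript" "attachment; filename=photo_proof.js"
2021-03-18T09:13:44Z 10.0.0.22 GET https://cdn.example/static/app.js 200 "application/javascript" ""
2021-03-18T09:14:02Z 10.0.0.31 GET https://files.example/report.pdf 200 "application/pdf" "attachment; filename=report.pdf"
2021-03-18T09:15:10Z 10.0.0.15 GET http://placeholder-compromised.example/violation/photo.jpg.js 200 "application/octet-stream" "attachment; filename=photo.jpg.js"
"""

# MIME types browsers treat as JavaScript.
JS_TYPES = {"application/javascript", "text/javascript",
            "application/x-javascript", "application/ecmascript"}
# Extensions the Windows Script Host runs when the user opens the file (.jse added beyond the text).
SCRIPT_EXTS = (".js", ".jse")


@dataclass
class Finding:
    ts: str
    client: str
    url: str
    reason: str


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def filename_from(entry):
    """Prefer the server-supplied filename; fall back to the last URL path segment."""
    m = re.search(r'filename="?([^";]+)"?', entry["cdisp"], re.I)
    name = m.group(1) if m else entry["url"].split("?")[0].rsplit("/", 1)[-1]
    return name.strip().lower()


def is_script_download(entry):
    """Return a reason string if the response delivered a script as a download, else None."""
    attached = entry["cdisp"].lower().startswith("attachment")
    if not attached:
        return None  # inline scripts fetched by web pages are normal traffic
    mime = entry["ctype"].split(";")[0].strip().lower()
    name = filename_from(entry)
    if mime in JS_TYPES:
        return "script MIME type served as attachment"
    # Catch servers that label the script as a generic binary or an image.
    if name.endswith(SCRIPT_EXTS):
        return f"attachment filename ends in script extension ({name})"
    return None


def scan(log_text):
    """Scan proxy log text and return a Finding for every successful script download."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or not entry["status"].startswith("2"):
            continue
        reason = is_script_download(entry)
        if reason:
            findings.append(Finding(entry["ts"], entry["client"], entry["url"], reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.url} -> {f.reason}")
```

Run against the constructed log, the scan flags the two downloads from the placeholder compromised host and leaves the ordinary page script and the PDF download alone. The second hit shows why the filename check matters: the server declared `application/octet-stream`, so a MIME-only rule would have missed it.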

Attackers typically use TrickBot to drop other malware, such as Ryuk and Conti ransomware, or serve as an Emotet downloader.

Alert AA21-076A offers granular technical detail on the techniques used to establish initial access, gain persistence, escalate privileges, evade defenses, call back to the command and control server and exfiltrate data.

MITRE ATT&CK techniques are also described, alongside a list of Snort signatures for detecting network activity associated with TrickBot attacks.

To secure against TrickBot, CISA and the FBI recommend implementing the mitigation measures described in the advisory, which include blocking suspicious IP addresses, using antivirus software, and providing social engineering and phishing training to employees.
