TrickBot Operators Now Use "Traffic Violations" to Spear-Phish Unsuspecting Victims

Filip TRUȚĂ

March 18, 2021

The Cybersecurity & Infrastructure Security Agency (CISA) and the FBI have released a Joint Cybersecurity Advisory on TrickBot warning that a sophisticated group of cyber actors are sending phishing emails claiming to contain proof of traffic violations to lure victims into downloading the insidious malware.

TrickBot is a modular, multi-stage Trojan that packs a full array of tools to wage cyber-attacks. The malware is notorious among cybercriminals because, apart from its primary purpose of collecting sensitive data and harvesting credentials from victims, it packs features designed to move laterally across compromised networks and infect other machines. This ability makes TrickBot highly resilient to cleanups, letting ransomware operators establish persistence on the targeted infrastructure and deliver payloads on high-value targets.

TrickBot's operations were partially disrupted in the second half of 2020, but the two agencies have spotted renewed efforts from “sophisticated” threat actors leveraging the malware.

CISA and the FBI say they've observed “continued targeting through spearphishing campaigns using TrickBot malware in North America,” noting that a “sophisticated” group of hackers is luring victims with a traffic infringement phishing scheme to download the Trojan.

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor's command and control (C2) server to download TrickBot to the victim's system.”

Attackers typically use TrickBot to drop other malware, such as Ryuk and Conti ransomware, or serve as an Emotet downloader.

Alert (AA21-076A) offers granular technical details about the use of enterprise techniques to establish initial access, gain persistence, escalate privileges, evade defenses, call back to the command and control (C2) server and exfiltrate data.

MITRE ATT&CK techniques are also described, alongside a list of Snort signatures for use in detecting network activity associated with TrickBot attacks.
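The chain quoted from the advisory (a JavaScript file downloaded by the browser, then a callback to the C2 server when the file is opened) can also be correlated on the endpoint, complementing the network-level Snort signatures. The following is an added Python illustration, not code from the advisory or from Bitdefender; it assumes a simplified, constructed telemetry format and that the downloaded .js file runs under the Windows Script Host (wscript.exe or cscript.exe), which the advisory excerpt does not state.

```python
"""Correlate a browser .js download with a script-host network callback.

Illustrates the chain quoted from the advisory: a JavaScript file downloaded
by the browser, then an outbound C2 connection when the file is opened.
Event records use a constructed, simplified telemetry format, not a real
product's; the wscript.exe/cscript.exe mapping is an assumption.
"""
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumed handlers for .js files

# Constructed sample telemetry for two workstations (not real IoCs).
EVENTS = [
    {"ts": "2021-03-15T09:01:10", "host": "ws-17", "type": "http",
     "process": "chrome.exe", "url": "https://compromised.example/violation/photo"},
    {"ts": "2021-03-15T09:01:12", "host": "ws-17", "type": "file_write",
     "process": "chrome.exe", "path": r"C:\Users\a\Downloads\TrafficViolation_Photo.js"},
    {"ts": "2021-03-15T09:01:40", "host": "ws-17", "type": "process",
     "process": "wscript.exe", "cmdline": r'wscript.exe "C:\Users\a\Downloads\TrafficViolation_Photo.js"'},
    {"ts": "2021-03-15T09:01:43", "host": "ws-17", "type": "net_connect",
     "process": "wscript.exe", "dst": "203.0.113.9:443"},
    {"ts": "2021-03-15T09:30:00", "host": "ws-22", "type": "file_write",
     "process": "firefox.exe", "path": r"C:\Users\b\Downloads\report.pdf"},
    {"ts": "2021-03-15T10:00:00", "host": "ws-22", "type": "net_connect",
     "process": "wscript.exe", "dst": "198.51.100.4:80"},   # no prior .js download: not a hit
]

def find_js_download_callbacks(events, window=timedelta(minutes=10)):
    """Return (host, js_path, dst) for each browser-written .js file followed,
    within `window`, by a script-host network connection on the same host."""
    downloads = [e for e in events if e["type"] == "file_write"
                 and e["process"].lower() in BROWSERS
                 and e["path"].lower().endswith(".js")]
    callbacks = [e for e in events if e["type"] == "net_connect"
                 and e["process"].lower() in SCRIPT_HOSTS]
    hits = []
    for d in downloads:
        t0 = datetime.fromisoformat(d["ts"])
        for c in callbacks:
            t1 = datetime.fromisoformat(c["ts"])
            if c["host"] == d["host"] and t0 <= t1 <= t0 + window:
                hits.append((d["host"], d["path"], c["dst"]))
    return hits

if __name__ == "__main__":
    for host, path, dst in find_js_download_callbacks(EVENTS):
        print(f"ALERT {host}: {path} followed by script-host connection to {dst}")
```

On the constructed sample only ws-17 is flagged, because the wscript.exe connection on ws-22 has no preceding browser .js download to pair with.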

To secure against TrickBot, CISA and FBI recommend implementing the mitigation measures described in the advisory, which include blocking suspicious IP addresses, using antivirus software, and providing social engineering and phishing training to employees.
