Trickbot malware adds new feature to target telecoms, universities and finance companies

A new form of the infamous Trickbot malware is using never-before-seen behaviour in attacks targeting telecommunications providers, universities and financial services in a campaign that looks to be going after intellectual property and financial data.

The campaign, which has been active since at least January, has been discovered and detailed by researchers at cybersecurity company Bitdefender who warn that it's likely to still be active.

Trickbot has been in operation since 2016 and, while it started life as a banking trojan, the modular nature of the malware means it can be easily re-purposed for other means, which has lead to it becoming one of the most advanced and capable forms of malware attack delivery in the world today.

And now it has been updated with yet another new capability, with a module that uses brute force attacks against targets mostly in telecoms, education, and financial services in the US and Hong Kong. These targets are pre-selected based on IP addresses, indicating that the attackers are going after them specifically.

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

There's also evidence that suggests that the attackers have some understanding of the targets – and their vulnerabilities – because rather than trying an infinite selection of usernames and passwords, the brute force attacks use a pre-defined list of usernames and passwords in an effort to crack into remote desktop ports.

"To us it looks like a targeted attack," Liviu Arsene, senior e-threat analyst at Bitdefender told ZDNet.

"The simple fact that they're using a list of usernames and passwords and not going through a whole dictionary attack either means they have some sort of knowledge or previous experience of what passwords IT admins use to manage those networks. They wouldn't be picking from a list of passwords unless this list has proven valuable in the past".

Once Trickbot gains access, the hackers look to move around the network with the aid of the EternalRomance SMB vulnerability, performing reconnaissance on the network then stealing credentials including browser information, usernames and passwords, sensitive documents, financial information, intellectual property and more.

The nature of the campaign's targets suggests that the attackers have very specific ideas in mind.

"They're going after critical information or intellectual property; telecoms services may give attackers surveillance capabilities, they can tap into telecommunications networks," said Arsene.

"Education and research means they may want to access intellectual property. And finance services probably has something to do with the stock market – something that can bring revenue to their cause," he added.

Trickbot is so widely used, it's almost impossible to determine who is behind this latest campaign and while large amounts of the command and control infrastructure is based in Russia, that's likely only because the attackers have easily been able to compromise machines in that region, which they've then made part of a botnet.

The campaign is still active and it's likely that those behind it – and those behind other Trickbot campaigns – will continue to modify the malware in new ways in order more easily achieve their malicious goals.

"The reason it has stuck and will continue to be used is precisely because it's modular. If a module doesn't yield good enough results or someone comes up with something improved, they'll definitely push it out," said Arsene.

"Malware is no longer something you deploy once and forget about, you build a backbone and then you start adding or removing features as you see fit – to serve any purpose basically," he added.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)    

However, organisations can protect against campaigns by Trickbot and other malware by following a few simple steps. First, make sure the network is patched with the latest security updates so that malware can't exploit known vulnerabilities – such as EternalRomance has been patched for years.

Secondly, restrict access to remote ports if possible and thirdly, ensure that those using them take advantage of multi-factor authentication, so if an attacker does successfully brute force a password, they can't get in because of that additional layer of security.

"It's the basic security steps you should be applying in any organisation," Arsene concluded.

MORE ON CYBERSECURITY

• These are the first passwords hackers will try when attacking your device
• Your most sensitive data is likely exposed online. These people try to find it CNET
• Cybersecurity: Do these ten things to keep your networks secure from hackers
• Tracking endpoints and ensuring device security a vexing problem for healthcare CIOs TechRepublic
• This data-stealing malware has returned with new attacks and nasty upgraded features