The TrickBot malware has returned with a new attack that may have compromised around 250 million email addresses. Earlier this year TrickBot worked alongside the Ryuk ransomware to siphon millions of dollars for hackers, and now it is back in less than a year. According to a report by Deep Instinct, a cybersecurity company, a new variant of TrickBot has been found that works together with a malicious, email-based infection and distribution module named TrickBooster. The malware now also has new capabilities such as stealing cookies.
The attack method has not changed much from previous ones, at least in its early stages. TrickBot infiltrates a victim’s computer and then makes the machine download TrickBooster. TrickBooster, in turn, reports back to a dedicated command and control server with a list of email addresses and log-in details gathered from the victim’s Inbox, Outbox and Address Book. After this, the TrickBooster server orders the infected machine to send malicious infection and spam emails. All these emails are then deleted from the Outbox and Trash so that the victim doesn’t realise the threat.
Deep Instinct investigated TrickBooster and its network infrastructure and found a database comprising 250 million email addresses that were gathered by TrickBot operators. These email accounts were also, in all likelihood, targeted with the malicious emails. An email dump was recovered, and it included about 26 million email accounts on Gmail, 19 million on Yahoo, 11 million on Hotmail, 7 million on AOL, 3.5 million on MSN, and 2 million on Yahoo U.K. Further investigation revealed that the compromised accounts involved several government departments and agencies in the US, including the Department of Justice, the Department of Homeland Security, the Department of State, the Social Security Administration, the Internal Revenue Service and more. Some government organisations and universities in the UK and Canada were also affected.
According to Deep Instinct, the discovery of TrickBot “highlights the success and sophistication of TrickBot”. The model of attack was described as “a powerful addition to TrickBot’s vast arsenal” of attacking methods. According to reports, the cybersecurity company stated that it is continuing its research and analysis into TrickBooster, and that it will also report details of the new TrickBot attack to the authorities.
Release Date: 12 Jul 2019