TrickBot’s “TrickBooster” Update Compromised 250M Emails
Last Valentine's Day, we made a fearless declaration here on Hackercombat.com that TrickBot is shaping up to become the "malware of the year" because of its massive campaigns infecting computers worldwide. That remains our forecast: TrickBot was recently named by Deep Instinct security researchers as responsible for the compromise of at least 250 million email accounts. It rode on massive waves of spam sent from computers that were already infected, a campaign that casts a wider net for the banking trojan.
TrickBot previously relied on a flawed SMB protocol implementation in unpatched versions of Windows to spread itself, traverse network file shares and install itself deep into the operating system. With the update known as "TrickBooster", TrickBot received the biggest facelift in its history: the banking trojan can now tap the address book of the email client installed on the infected computer and send phishing emails to every contact of the user. According to Deep Instinct's analysis of the new version, harvesting the user's contacts further increases the trojan's chances of infecting far more machines than before.
The new spam emails are distinctive enough to bypass the tried-and-tested antispam filters established by Outlook.com, Yahoo Mail and Gmail. In fact, the email domain most heavily targeted by TrickBot turned out to be @gmail.com, with 25 million unique instances of spam emails carrying TrickBot. Yahoo Mail comes second, with 21 million of its users receiving the spam email at least once, and Outlook.com users last, with 11 million instances.
"We analyzed the malware sample and found swaths of PowerShell code in its memory. Analysis of this PowerShell code immediately led us to the conclusion that we are dealing with a mail-bot. We discovered more samples of the malware, both signed and not, additional infrastructure used in the campaign – both to distribute (infection points) and control the malware (C2 Servers)," explained Shaul Vilkomir-Preisman, security researcher at Deep Instinct, on the company's official blog.
The new strain is able to hook into Outlook.exe, create a parallel thread and then execute a COM-based command. It obtains a Microsoft.Office.Interop.Outlook instance through CoCreateInstance and attaches to OUTLOOK.exe via the OleRun function. TrickBot 2.0 also incorporates other features that aid its proliferation, such as cookie theft and the use of legitimate-looking digital certificates for the Microsoft Office attachments in which it piggybacks.
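A defensive illustration of the Outlook automation described above, as an added example that is not code from this article or from Deep Instinct: it scans process-creation records for script hosts that drive Outlook through COM, or that are launched by OUTLOOK.EXE itself. The record format, the sample events and the two heuristics are assumptions for the demonstration, not the researchers' detection logic.

```python
"""Hunt for TrickBooster-style Outlook COM automation in process logs.

Added example. Input is a constructed, simplified process-creation record
(one JSON object per line with pid, ppid, image, cmdline); real Sysmon or
EDR telemetry uses different field names and far richer context.
"""
import json

# Markers derived from the behaviour the article describes: a script host
# driving Outlook through Microsoft.Office.Interop.Outlook / COM.
OUTLOOK_COM_MARKERS = ("microsoft.office.interop.outlook", "outlook.application")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")

# Constructed sample events (not real telemetry). Raw string so the JSON
# backslash escapes survive as written.
SAMPLE_EVENTS = r"""
{"pid": 4120, "ppid": 812, "image": "C:\\Office16\\OUTLOOK.EXE", "cmdline": "OUTLOOK.EXE"}
{"pid": 5200, "ppid": 4120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc AAAA"}
{"pid": 5300, "ppid": 3000, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -c \"$o = New-Object -ComObject Outlook.Application; $o.Session.Folders\""}
{"pid": 5400, "ppid": 3000, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"}
"""


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_outlook_com_abuse(events):
    """Return (pid, reason) findings for the two heuristics."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        cmd = e["cmdline"].lower()
        # Rule 1: a script host automating Outlook via the COM interop.
        if img in SCRIPT_HOSTS and any(m in cmd for m in OUTLOOK_COM_MARKERS):
            findings.append((e["pid"], "script host automating Outlook via COM"))
        # Rule 2: Outlook itself launching a script host (e.g. a malicious attachment).
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "outlook.exe" and img in SCRIPT_HOSTS:
            findings.append((e["pid"], "script host spawned by OUTLOOK.EXE"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_outlook_com_abuse(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: {reason}")
```

On the constructed events this flags pid 5200 (spawned by Outlook) and pid 5300 (COM automation) and ignores the benign Notepad process.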
Rumors circulating online suggest that TrickBot's new version was able to reach the mailboxes of United States federal agencies, including the Department of Transportation; NASA; the Federal Aviation Administration; the Internal Revenue Service; the Social Security Administration; the Department of Justice; the Department of Homeland Security; the Bureau of Prisons; and the Bureau of Alcohol, Tobacco and Firearms.
In contrast to the espionage accusations levelled against China's Huawei Technologies, TrickBot's authors have succeeded in stealing not only personally identifiable information but also the banking data of Americans and other nationalities. "We continued monitoring the campaign and the infrastructure involved in it, both its infection points and C2 Servers, which were going on and offline, and employing various Geo-IP restrictions and other mechanisms to hamper analysis. It was at one of these servers that we found something that made us realize how successful this campaign is – an Email dump containing approximately 250 million Email addresses," concluded Vilkomir-Preisman.