Despite its activities being disrupted by the concerted efforts of a team of cybersecurity firms in 2020, new research has revealed that Trickbot’s network of zombie computers may have launched a fresh campaign.

2021: Trickbot’s return?

Mere months since global cybersecurity experts banded together to thwart its insidious efforts, Trickbot malware has raised its ugly head ahead. While its early life began as a simple banking trojan, the headline-hitting malware evolved to be adopted by a wide range of cybercriminal operators due to its impressive flexibility. Modular in design, Trickbot malware enabled threat operators to deploy it in many forms of attack.

Two key sought-after properties by the cybercriminal world that the malware offered included its capacity for spreading itself throughout an enterprises network furthering infection, and its talent for stealing user logins.

Trickbot also rose through the cybercriminal ranks as a dedicated loader for other kinds of malicious software, with threat operators reaping the advantages of devices already laid vulnerable by Trickbot, to deliver other damaging payloads. This includes ransomware, crypto malware designed to render confidential data indecipherable to its users in order to force them to make payment for its timely release.

October 2020 saw a consortium of cybersecurity companies led by tech-giant Microsoft tackle Trickbot’s infrastructure in an attempt to shatter the malware botnet. However, researchers based at Meno Security have now uncovered a continuing malware campaign, which they say has a similar modus operandi to Trickbot activities last year.

A fresh wave of malware assaults

The recently revealed attacks seem to be solely aimed at North American insurance and legal firms. The attack vector involves targeted phishing emails that encourage victims to activate links that redirect them to a compromised server where they download a harmful payload.

The bogus scenario used in the emails involves claims that the victim has become involved with a traffic misdemeanour. The email directs them to examine evidence of their crime by clicking on the link, which is a common social engineering strategy to panic the victims into taking rash action.
If the target activates the link a zip archive file is downloaded to their device that includes an infected Javascript file. The file then makes the connection with a malicious server and downloads the final payload, infecting their device.

Not only is this technique textbook Trickbot, but under analysis, the payload was discovered to connect to specific domains known for distributing the malware on numerous occasions.

Director of security research for Menlo Security, Vinay Pidathala, commented:

“Where there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot’s operations. While Microsoft and its partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment.”

The new evidence revealed by Menlo Security suggests that Trickbot malware may yet represent a significant threat to enterprises across the world.