TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands

upnorth

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Content source
https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/
Cyberattackers are targeting 60 different high-profile companies with the TrickBot malware, researchers have warned, with many of those in the U.S. The goal is to attack those companies’ customers, according to Check Point Research (CPR), which are being cherry-picked for victimization. According to a Wednesday CPR writeup, TrickBot is targeting well-known brands that include Amazon, American Express, JPMorgan Chase, Microsoft, Navy Federal Credit Union, PayPal, RBC, Yahoo and others.
Click to expand...
The TrickBot malware was originally a banking trojan, but it has evolved well beyond those humble beginnings to become a wide-ranging credential-stealer and initial-access threat, often responsible for fetching second-stage binaries such as ransomware. Since the well-publicized law-enforcement takedown of its infrastructure in October 2020, the threat has clawed its way back, now sporting more than 20 different modules that can be downloaded and executed on demand. It typically spreads via emails, though the latest campaign adds self-propagation via the EternalRomance vulnerability.
Click to expand...
The version of TrickBot that CPR found being used in the current campaign sports three freshened-up modules of note, researchers said:
  • injectDll
  • tabDll
  • pwgrabc

TrickBot’s ‘injectDll’: A Web-Injects Module

Web injects are well-known from the banking-trojan world; they are used to present targets with overlaid facsimiles of real banking log-in sites; when a victim tries to sign on, they steal the credential data, and can pave the way for drained bank accounts and fraudulent wire transfers down the road. This particular module has added a web-injects format from the infamous Zeus banking trojan, researchers said, which collects information from login actions on targeted sites and sends it to a command-and-control server (C2). “The injectDll module performs browser data injection, including JavaScript which targets customers of 60 high-profile companies,” according to the writeup. “Add Trickbot’s cherry-picking of victims, and the menace becomes even more dangerous.”

On the anti-analysis front, the payload injected into the banking site’s page is minified (making the code size smaller makes the code unreadable), obfuscated and contains anti-deobfuscation techniques, researchers said. The final payload, which contains the actual code that grabs the victim’s keystrokes and web form submit actions, is also minified and obfuscated and contains a few layers of anti-deobfuscation techniques, they said. “Usually a researcher tries to analyze minified and obfuscated JavaScript code using tools like JavaScript Beautifiers, deobfuscators like de4js, and so on,” they explained. “After we applied these tools, we noticed that although the code became more readable, it also stopped working.”
Click to expand...

TrickBot’s ‘tabDLL’ Module

The second new development is a dynamic link library (DLL), also used to grab user credentials. Its ultimate goal is to spread the malware via network shares, researchers noted. tabDLL uses a multi-step process, as CPR laid out. In sequence, the module does the following:
  1. Enable the storing of user credential information in the LSASS application;
  2. Inject the “Locker” module into the legitimate explorer.exe application;
  3. From the infected explorer.exe, force the user to enter login credentials to the application, then lock the user’s session;
  4. Store the credentials in the LSASS application memory;
  5. Grab the credentials from the LSASS application memory using Mimikatz, which is an open-source tool for extracting data from an application’s memory;
  6. Report credentials to the C2;
  7. And, use the EternalRomance exploit to spread to other targets inside the network via SMBv1 network shares.
Click to expand...

TrickBot’s ‘pwgrabc’ Module

The pwgrabc module, as its name suggests, is a catch-all credential stealer for various applications.

The targeted applications are as follows: AnyConnect ; Chrome ; ChromeBeta ; Edge ; EdgeBeta ; Filezilla ; Firefox ; Git ; Internet Explorer ; KeePass ; OpenSSH ; OpenVPN ; Outlook ; Precious ; Putty ; RDCMan ; RDP ; TeamViewer ; VNC ; and WinSCP.
Click to expand...
threatpost.com

TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands

The resurgent trojan has targeted 60 top companies to harvest credentials for a wide range of applications, with an eye to virulent follow-on attacks.
threatpost.com threatpost.com
 
  • +Reputation
  • Like
Reactions: HarborFront, Venustus, Kongo and 4 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
Classiscam fraud-as-a-service expands, now targets banks and 251 brands
Replies
0
Views
892
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
silversurfer
    • Like
    • +Reputation
Malware News New JavaScript Malware Targeted 50,000+ Users at Dozens of Banks Worldwide
Replies
2
Views
961
Security News
nicolaasjan
nicolaasjan
silversurfer
    • Like
    • +Reputation
Xenomorph Android Malware Targets Customers of 30 US Banks
Replies
0
Views
1,153
News Archive
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top