A massive malicious spam campaign, combined with the global takedown of Emotet, has vaulted the TrickBot trojan to the top of Check Point's list of the most prevalent malware among cybercriminals for February 2021.
In January, TrickBot was ranked third on Check Point's list, and it was fourth overall for 2020, while the No. 1 malware, Emotet, remained ascendant. But following the worldwide law-enforcement effort that took down Emotet in January, cybercriminals have pivoted to TrickBot, the report explained. Both strains are most often used as first-stage loaders that fetch additional malware onto an infected host.
“Even when a major threat is removed, there are many others that continue to pose a high risk on networks worldwide, so organizations must ensure they have robust security systems in place to prevent their networks from being compromised and minimize risks,” according to the Check Point report.
However, TrickBot hasn’t quite reached the same level of success as Emotet enjoyed before the crackdown, Check Point’s Omer Dembinsky told Threatpost.
“Although we still do not see another single threat reaching the scale of Emotet’s activity, the overall variety and volume of possible threats continues to pose an extremely high risk on networks and devices, and we have no doubt that the void left by Emotet’s takedown will be filled,” he said.
TrickBot Spam Campaign
TrickBot was used in a spam campaign in February targeting users working in the insurance and legal industries, which tried to lure them into opening a malicious .ZIP archive, the report added. Cybercriminals likely picked TrickBot as their new tool of choice because of its record of success in other high-profile campaigns, like the 2020 attack on Universal Health Services, in which the malware was used to exfiltrate stolen data and deliver Ryuk ransomware onto the victim's systems, Check Point added.
Its flexibility is another aspect of TrickBot that makes it an attractive choice for cybercriminals, Check Point reported.
First developed in 2016 as a banking trojan, TrickBot's hallmark is its ability to evolve modularly, adding capabilities and evading detection. Last December, a new TrickBot module dubbed "TrickBoot" emerged that allowed it to inspect the UEFI/BIOS firmware of targeted systems and check whether that firmware is write-protected.
TrickBot Disrupted, But Recovered
TrickBot was also seriously disrupted by a takedown action led by Microsoft last October, in an effort to curb its spread.
“We disrupted TrickBot through a court order we obtained, as well as technical action we executed in partnership with telecommunications providers around the world,” wrote Tom Burt, corporate vice president, Customer Security & Trust, at Microsoft, at the time. “We have now cut off key infrastructure, so those operating TrickBot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”
Clearly, TrickBot was able to not just recover, but return with a vengeance.
The second-most prevalent malware among threat actors in February, according to Check Point, was XMRig, which is currently being used in a campaign that uses a fake ad blocker to deliver both the XMRig cryptominer and ransomware, for a double-whammy attack. In total, the XMRig cryptominer/ransomware attack has infected more than 20,000 users in the past two months, Kaspersky warned in a recent report.
Top Vulnerabilities, Mobile Threats
The most exploited vulnerability for February was "Web Server Exposed Git Repository Information Disclosure," a misconfiguration that leaves a site's .git directory readable over HTTP and which impacted 48 percent of organizations globally, Check Point's report said. Second was "HTTP Headers Remote Code Execution (CVE-2020-13756)," which impacted 46 percent of organizations worldwide, and "MVPower DVR Remote Code Execution" was third, affecting 45 percent.
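Because the top entry on that list is a misconfiguration rather than a software bug, the practical question for defenders is whether their own sites answer requests for /.git/HEAD and /.git/config. The following checker is an added example written for this article; it is not Check Point's detection logic or any scanner's code. It probes both paths through a pluggable fetcher and validates the response body, because many sites return HTTP 200 with a catch-all page for any path, which would otherwise be a false positive. The three sample "sites" at the bottom are constructed responses, not captured from any real host; the `urllib_fetcher` helper is provided for running the same check against a server you are authorized to test.

```python
import re
from typing import Callable, Dict, Tuple

# Paths that scanners request when hunting for an exposed .git directory.
GIT_PROBE_PATHS = ("/.git/HEAD", "/.git/config")

# A real .git/HEAD is either a symbolic ref ("ref: refs/heads/main") or a
# bare 40-hex commit id (detached HEAD).
_HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")
# A real .git/config contains a [core] section.
_CONFIG_RE = re.compile(r"^\s*\[core\]", re.MULTILINE)

# A fetcher maps a URL path to (HTTP status, response body).
Fetcher = Callable[[str], Tuple[int, str]]


def git_exposed(fetch: Fetcher) -> Dict[str, bool]:
    """Return path -> True when the file is readable AND looks like git metadata."""
    results: Dict[str, bool] = {}
    for path in GIT_PROBE_PATHS:
        status, body = fetch(path)
        if status != 200:
            results[path] = False
        elif path.endswith("HEAD"):
            results[path] = bool(_HEAD_RE.match(body.strip()))
        else:
            results[path] = bool(_CONFIG_RE.search(body))
    return results


def is_exposed(fetch: Fetcher) -> bool:
    """True if any probed .git file is readable with a plausible body."""
    return any(git_exposed(fetch).values())


def urllib_fetcher(base_url: str, timeout: float = 5.0) -> Fetcher:
    """Real fetcher (standard library only) for a host you are authorized to test."""
    import urllib.error
    import urllib.request

    def fetch(path: str) -> Tuple[int, str]:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
                return r.getcode(), r.read(4096).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, ""
        except urllib.error.URLError:
            return 0, ""

    return fetch


# Constructed responses for an offline demonstration (assumption: not real sites).
EXPOSED_SITE = {
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"),
}
# Catch-all site: answers 200 with an HTML page for every path.
CATCHALL_SITE = {p: (200, "<html><body>Not found</body></html>") for p in GIT_PROBE_PATHS}
# Hardened site: the web server refuses to serve anything under /.git.
HARDENED_SITE = {p: (404, "") for p in GIT_PROBE_PATHS}


def fake_fetcher(site: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Fetcher that serves the constructed responses above."""
    return lambda path: site.get(path, (404, ""))


if __name__ == "__main__":
    for name, site in (("exposed", EXPOSED_SITE),
                       ("catch-all 200", CATCHALL_SITE),
                       ("hardened", HARDENED_SITE)):
        print(f"{name:14s} exposed={is_exposed(fake_fetcher(site))}")
```

A positive result means the whole repository (history, credentials committed by mistake, unreleased code) can be reconstructed from the objects directory. The fix is to keep the .git directory outside the document root, or to have the web server refuse the path outright (for example an nginx `location ~ /\.git` block that returns 404), and then re-run the check to confirm.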
No. 1 on the mobile malware list is Hiddad, followed by xHelper, a malicious app that stuffs ads onto the device, and the FurBall mobile remote access trojan (MRAT).
Besides regular patching and updates to protect from known vulnerabilities, Check Point recommends user training as the best means of protecting any organization from cybersecurity breaches.
“Comprehensive training for all employees is crucial, so they are equipped with the skills needed to identify the types of malicious emails which spread Trickbot and other malware,” Check Point said.