
Check Point Research (CPR) has uncovered new details of how Trickbot is implemented. The notorious banking trojan has infected over 140,000 machines since November 2020, among them customers of Amazon, Microsoft, Google and 57 other corporations worldwide. Trickbot's authors selectively go after high-profile targets to steal and compromise their sensitive data. Additionally, Trickbot's infrastructure can be used by other malware families to cause further damage on infected machines. CPR urges the public to open only documents from trusted sources, since Trickbot's modules use anti-analysis and anti-deobfuscation techniques to evade analysis and remain on infected machines.

  • CPR provides a list of 60 corporations whose customers have been infected by Trickbot
  • Most infected regions, in order: APAC, Latin America, Europe, Africa, North America
  • CPR recommends three security tips for protecting against Trickbot

Check Point Research (CPR) has discovered new and sophisticated details of Trickbot's implementation. A well-known banking Trojan, Trickbot targets high-profile victims and steals and compromises their data. CPR counts over 140,000 machines infected by Trickbot since November 2020, many of them belonging to customers of well-known corporations such as Amazon, Microsoft, Google and PayPal. In total, CPR documented 60 corporations whose customers have fallen victim to Trickbot over the past 14 months.

Figure 1. Several companies whose customers are targeted by Trickbot

Key Implementation Details of Trickbot

  • The malware is very selective in how it chooses its targets
  • Various tricks, including anti-analysis and anti-deobfuscation measures, implemented inside the modules show the authors' highly technical background
  • Trickbot's infrastructure can be used by other malware families to cause further damage on infected machines
  • Sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand

How Trickbot Works:

  1. Threat actors obtain a database of stolen email addresses and send malicious documents to the chosen addresses.
  2. The user downloads and opens such a document, enabling macro execution in the process.
  3. The first-stage malware runs and downloads the main Trickbot payload.
  4. The main Trickbot payload runs and establishes persistence on the infected machine.
  5. Auxiliary Trickbot modules can be pushed to the infected machine on demand by the threat actors. Their functionality varies: spreading through the compromised corporate network, stealing corporate credentials, grabbing login details for banking sites, and so on.
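As an added example (not Check Point's code and not part of the original report), the following Python script performs the triage check a mail gateway or analyst would want for step 2 of that chain: it classifies attachments by content rather than by file name, flagging Office Open XML packages that carry a VBA project and routing legacy binary Office (OLE2) documents to manual review instead of declaring them clean. The sample attachments, the verdict labels and the helper names are all constructed for this example.

```python
"""Triage e-mail attachments for the macro-bearing Office documents that the
Trickbot infection chain relies on. Added example, not Check Point's code.
It inspects bytes only: Office Open XML files are ZIP containers in which a
VBA project appears as a vbaProject.bin part and is declared in the package
manifest; legacy OLE2 files start with a fixed 8-byte magic and need a
dedicated parser, so they are flagged for review rather than passed."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # .doc/.xls/.ppt (binary formats)
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.docm/.xlsx/.xlsm (OOXML)
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return one of: 'ooxml-macros', 'ooxml-clean', 'ole2-review', 'other'."""
    if data.startswith(OLE2_MAGIC):
        # Macros in binary Office files live in OLE streams; static triage
        # needs an OLE parser, so hand these to an analyst or sandbox.
        return "ole2-review"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # A VBA project is stored as <app>/vbaProject.bin ...
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macros"
            # ... and the package manifest declares its content type.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest:
                    return "ooxml-macros"
    except zipfile.BadZipFile:
        return "other"
    return "ooxml-clean"


def _build_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package for the demo; real files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        parts = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macros:
            parts.append('<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(parts) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA bytes
    return buf.getvalue()


# Constructed sample "attachments", keyed by the file name the sender chose.
SAMPLES = {
    "invoice.docm": _build_ooxml(with_macros=True),
    "invoice.docx": _build_ooxml(with_macros=False),
    "report.doc": OLE2_MAGIC + b"\x00" * 504,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}


def triage(samples: dict) -> dict:
    """Classify every attachment. The file name is deliberately ignored because
    the sender controls it: a .docm renamed to .docx still contains the VBA part."""
    return {name: classify_attachment(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:14} {verdict}")
```

The check is a filter, not a verdict on maliciousness: plenty of legitimate internal spreadsheets carry VBA, so a gateway would typically quarantine or strip 'ooxml-macros' and 'ole2-review' attachments from external senders rather than block them outright.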

Scope of Impact


Below is a heat map showing the percentage of organizations affected by Trickbot in each country, according to our telemetry data:

Figure 2. Percentage of organizations impacted by Trickbot per country (the darker the color, the higher the impact)

Below is a table that shows the percentage of organizations affected by Trickbot in each region:

Region        | Organizations affected | Percentage
World         | 1 of every 45          | 2.2%
APAC          | 1 of every 30          | 3.3%
Latin America | 1 of every 47          | 2.1%
Europe        | 1 of every 54          | 1.9%
Africa        | 1 of every 57          | 1.8%
North America | 1 of every 69          | 1.4%


Quote: Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software Technologies:

“Trickbot’s numbers have been staggering. We’ve documented over 140,000 machines targeting the customers of some of the biggest and most reputable companies in the world. We went on to observe that the Trickbot authors have the skills to approach malware development from a very low level and pay attention to small details. Trickbot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause even more damage. At the same time, we know that the operators behind the infrastructure are very experienced with malware development at a high level as well. The combination of these two factors is what allows Trickbot to remain a dangerous threat for more than 5 years already. I strongly urge people to only open documents from trusted sources and to use different passwords on different websites.”

Security Tips

  1. Only open documents you receive from trusted sources, and do not enable macro execution inside documents.
  2. Keep your operating system and anti-virus software fully updated.
  3. Use a different password on every website.

Appendix – The list of targeted companies

Company                            | Field
Amazon                             | E-commerce
AmericanExpress                    | Credit Card Service
AmeriTrade                         | Financial Services
AOL                                | Online service provider
Associated Banc-Corp               | Bank Holding
BancorpSouth                       | Bank
Bank of Montreal                   | Investment Banking
Barclays Bank Delaware             | Bank
Blockchain.com                     | Cryptocurrency Financial Services
Canadian Imperial Bank of Commerce | Financial Services
Capital One                        | Bank Holding
Card Center Direct                 | Digital Banking
Centennial Bank                    | Bank Holding
Chase                              | Consumer Banking
Citi                               | Financial Services
Citibank                           | Digital Banking
Citizens Financial Group           | Bank
Coamerica                          | Financial Services
Columbia Bank                      | Bank
Desjardins Group                   | Financial Services
E-Trade                            | Financial Services
Fidelity                           | Financial Services
Fifth Third                        | Bank
FundsXpress                        | IT Service Management
Google                             | Technology
GoToMyCard                         | Financial Services
HawaiiUSA Federal Credit Union     | Credit Union
Huntington Bancshares              | Bank Holding
Huntington Bank                    | Bank Holding
Interactive Brokers                | Financial Services
JPMorgan Chase                     | Investment Banking
KeyBank                            | Bank
LexisNexis                         | Data mining
M&T Bank                           | Bank
Microsoft                          | Technology
Navy Federal                       | Credit Union
PayPal                             | Financial Technology
PNC Bank                           | Bank
RBC Bank                           | Bank
Robinhood                          | Stock Trading
Royal Bank of Canada               | Financial Services
Schwab                             | Financial Services
Scotiabank Canada                  | Bank
SunTrust Bank                      | Bank Holding
Synchrony                          | Financial Services
Synovus                            | Financial Services
T. Rowe Price                      | Investment Management
TD Bank                            | Bank
TD Commercial Banking              | Financial Services
TIAA                               | Insurance
Truist Financial                   | Bank Holding
U.S. Bancorp                       | Bank Holding
UnionBank                          | Commercial Banking
USAA                               | Financial Services
Vanguard                           | Investment Management
Wells Fargo                        | Financial Services
Yahoo                              | Technology
ZoomInfo                           | Software as a service
