The versatile malware known as TrickBot continues to pose “great danger” to customers of financial and technology companies because its developers are trying to stay a step ahead of cybersecurity analysts, according to Check Point Research.
The company says TrickBot’s authors have equipped it with layers of “anti-analysis” and “anti-deobfuscation” capabilities, meaning that if an expert tries to pick apart the malware’s code, it stops communicating with its command-and-control servers or stops working altogether. Those features “show the authors’ highly technical background and explain why Trickbot remains a very prevalent malware family,” Check Point says in research published Wednesday.
The danger remains clear, too: Check Point says the various modules of TrickBot are often deployed for stealing login credentials from customers of several large banks, including Bank of America and Wells Fargo, as well as big tech firms like Microsoft and Amazon. About 60 companies are affected overall. “These brands are not the victims but their customers might be the targets,” Check Point says.
One of TrickBot’s strengths is its ability to perpetuate itself — a feature that established its early reputation as botnet software. Check Point’s latest research shows how the malware’s developers have branched out, and with purpose. TrickBot has been linked to Russian origins, but Check Point doesn’t speculate on where the code might be coming from now.
The developers “have the skills to approach malware development from a very low-level and pay attention to small details. … At the same time, we know that the operators behind the infrastructure are very experienced with malware development on a high-level as well,” says Alexander Chailytko, the cybersecurity, research and innovation manager at Check Point. “The combination of these two factors is what allows Trickbot to remain a dangerous threat for more than 5 years already.”
Israel-based Check Point noted in December 2021 that TrickBot had bounced back despite operations by Microsoft and U.S. Cyber Command that stunted it before the 2020 U.S. elections. Not only had the company identified at least 140,000 new victims, as of late last year, but the malware also was helping to revive the Emotet botnet.
Since the 2020 takedown, TrickBot’s developers have updated a “web injection” module that captures emails and passwords from unsuspecting website users, Check Point says. The report also identifies code that captures and spreads credentials in part by using techniques with names familiar to cybersecurity researchers: Mimikatz and EternalRomance. Another module steals credentials from applications like popular web browsers, email programs, FTP clients and VPN providers, Check Point says.
TrickBot has more than 20 modules overall, and they “allow the execution of all kinds of malicious activities” will posing “great danger” to the data and potentially the bank accounts of victims, Check Point says.
One of Trickbot’s alleged developers, Vladimir Dunaev, was extradited to the U.S. last year on charges of computer fraud, bank fraud, wire fraud, money laundering and identity theft.