Protect Your Business from the 'Trickbot' Banking Trojan

March 2, 2020
What is Trickbot?

Trickbot is an established banking trojan used in cyber attacks against businesses and individuals in the UK and overseas. Trickbot attacks are designed to access online accounts, including bank accounts, in order to obtain personally identifiable information (PII). Criminals use PII to commit identity fraud.

In some cases, Trickbot is used to infiltrate a network. Once inside it can be used to deploy other malware, including ransomware and post-exploitation toolkits.

Trickbot targets victims with well-crafted phishing emails, designed to appear as though sent from trusted commercial or government brands. These emails will often contain an attachment (or link to an attachment) which victims are instructed to open, leading to their machine being exploited.

What can Trickbot do?

Trickbot can download new capabilities onto a victim’s device (as well as updating those it has already deployed) without interaction from the victim.

Trickbot can:
  •     steal sensitive information, including banking login details and memorable information
  •     gather detailed information about infected devices and networks
  •     steal saved online account passwords, cookies and web history
  •     steal login credentials for infected devices, including domain credentials
  •     connect infected devices to malicious, criminally-controlled networks over the internet, giving criminals full control of them
  •     spread across a victim’s network (lateral movement) by infecting other devices, including those on trusted domains, often via SMB shares
  •     download further malicious files such as Remote Access Tools, VNC clients and ransomware

Dealing with a possible Trickbot infection

Victims of Trickbot have observed a number of malicious activities, including:

  •     unauthorised access attempts to online accounts
  •     successful, fraudulent bank transfer activity
  •     unauthorised changes to their network infrastructure

To protect business and personal banking facilities (including where employees have accessed personal banking from work devices) you should:

  •     consider changing passwords and memorable information for any corporate, business or personal internet banking facilities (or other online resources) accessed from the infected network
  •     review bank and credit card statements for suspicious activity, and report any findings to your bank
  •     advise any employees who have accessed online banking facilities from the affected network to do likewise

If you (or your employees) have been the victim of fraud, report it to Action Fraud.

Protective action to take now

Run a full scan on all devices using up-to-date antivirus software. This should detect and remove any Trickbot infection.

Mitigations

  •     Use the latest supported versions of operating systems and software, apply security patches promptly, and use antivirus software and scan regularly to guard against known malware threats.
  •     Keep antivirus software up to date, and consider the use of a cloud-backed antivirus product that can benefit from the improved threat intelligence and advanced analysis which large scale operations bring. Ensure that antivirus software is capable of scanning MS Office macros.
  •     Make sure important data is stored in an offline backup, to reduce the impact of ransomware.
  •     Use multi-factor authentication (MFA), also known as two-step verification or 2-factor authentication (2FA).
  •     Prevent and detect lateral movement in your enterprise networks.
  •     Implement architectural controls for network segregation. This helps limit exposure to the SMB-based lateral movement described above.
  •     Set up a security monitoring capability so you can collect the data needed to analyse network intrusions.
  •     If supported by your operating environment, consider whitelisting permitted applications. This will help prevent malicious applications from running.
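The "security monitoring" and "detect lateral movement" mitigations above are easier to act on with a concrete detection in hand. The following Python script is an added example, not code from the original advisory, that runs two defender-side heuristics over constructed endpoint telemetry: an MS Office process spawning a shell or script interpreter (the usual footprint of a macro-laden phishing attachment being opened), and one host opening SMB (TCP/445) connections to many distinct internal hosts within a short window (the usual footprint of share-based lateral movement). The event field names, the sample records, and the window and threshold values are assumptions of this example, chosen to illustrate the logic rather than taken from any particular product.

```python
"""Added example: two simple detections for the behaviours the advisory
describes (macro-driven attachment execution and SMB-based lateral movement).
Event field names, sample data and thresholds are this example's own
assumptions, not anything the advisory specifies."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation records (assumed flat schema).
PROCESS_EVENTS = [
    {"ts": "2020-03-02T09:14:02", "host": "WS-017", "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"ts": "2020-03-02T09:14:05", "host": "WS-017", "parent": "powershell.exe", "image": "cmd.exe"},
    {"ts": "2020-03-02T09:20:11", "host": "WS-022", "parent": "explorer.exe", "image": "WINWORD.EXE"},
    {"ts": "2020-03-02T09:21:40", "host": "WS-022", "parent": "WINWORD.EXE", "image": "splwow64.exe"},
]

# Constructed sample network-connection records: WS-017 fans out to eight
# internal hosts on port 445 in under a minute; WS-022 only talks to one
# file server; one non-SMB connection is included to show it is ignored.
NETWORK_EVENTS = [
    {"ts": f"2020-03-02T09:15:{s:02d}", "src": "WS-017", "dst": f"10.0.1.{n}", "dport": 445}
    for s, n in zip(range(10, 50, 5), range(5, 13))
] + [
    {"ts": "2020-03-02T09:16:00", "src": "WS-022", "dst": "10.0.0.20", "dport": 445},
    {"ts": "2020-03-02T09:45:00", "src": "WS-022", "dst": "10.0.0.20", "dport": 445},
    {"ts": "2020-03-02T09:17:00", "src": "WS-017", "dst": "10.0.1.5", "dport": 443},
]

# Assumed watch-lists: Office parents and interpreter children worth alerting on.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def parse_ts(value):
    return datetime.fromisoformat(value)


def office_spawn_alerts(events):
    """Return (host, parent, child) for every Office process that launched
    a shell or script interpreter; benign Office children are left alone."""
    alerts = []
    for e in events:
        if e["parent"].lower() in OFFICE_APPS and e["image"].lower() in SCRIPT_HOSTS:
            alerts.append((e["host"], e["parent"], e["image"]))
    return alerts


def smb_fanout_alerts(events, window=timedelta(minutes=10), threshold=5):
    """Return {src: peak_distinct_destinations} for sources that reached at
    least `threshold` distinct hosts over SMB within any `window`-long span."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == 445:
            by_src[e["src"]].append((parse_ts(e["ts"]), e["dst"]))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        peak = 0
        # Sliding window ending at each connection: count distinct peers.
        for i, (t_end, _) in enumerate(conns):
            recent = {dst for t, dst in conns[: i + 1] if t >= t_end - window}
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for host, parent, child in office_spawn_alerts(PROCESS_EVENTS):
        print(f"[macro-execution] {host}: {parent} spawned {child}")
    for src, peers in smb_fanout_alerts(NETWORK_EVENTS).items():
        print(f"[smb-fan-out] {src}: {peers} distinct SMB peers within 10 minutes")
```

Both heuristics need tuning to the environment: file servers and domain controllers legitimately see many SMB peers and belong on an allow-list, and the Office child list should be extended only with interpreters your users have no business launching from a document.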

Regularly Test Your Systems

It is important to regularly test your systems and stay one step ahead of the attacker. Find out how we can help you by booking a FREE Cyber Clinic and receive a no obligation quote from our cyber experts.