-

Check Point Research (CPR) discovers sophisticated details of the implementation of Trickbot, learning that the notorious banking trojan has infected over 140,000 machines of customers from Amazon, Microsoft, Google and 57 other corporations world-wide, since November 2020. Trickbot’s authors are selectively going after high-profile targets to steal and compromise their sensitive data. Additional, Trickbot’s infrastructure can be utilized by various malware families to cause more damage on infected machines. CPR urges the public to only open documents from trusted sources, as Trickbots authors are leveraging anti-analysis and anti-obfuscation techniques to persist on machines.

 

  • CPR provides a list of 60 corporations whose customers have been infected by Trickbot
  • Most infected regions in order: APAC, Latin America, Europe, Africa, North America
  • CPR recommends three security and safety tips from Trickbot

 

Check Point Research (CPR) has discovered new and sophisticated details of the implementation of Trickbot. A well-known banking Trojan, Trickbot steals and compromises the data of its victims, targeting high-profile victims. CPR counts over 140,000 machines infected by Trickbot since November 2020, many of which are customers of well-known corporations, such as Amazon, Microsoft, Google and PayPal. In total, CPR documented 60 corporations whose customers have fallen victim to Trickbot throughout the past 14 months.

 

Figure 1. Several companies whose customers are targeted by Trickbot

image004.png@01D821E3 

 

 

 

 

 

 

 

 

 

Key Implementation Details of Trickbot

  • Malware is very selective in how it chooses its targets
  • Various tricks – including anti-analysis and anti-Deobfuscation – implemented inside the modules show the authors’ highly technical background
  • Trickbots infrastructure can be utilized by various malware families to cause more damage on infected machines
  • Sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand

 

How Trickbot Works:

  1. Threat actors receive a database of stolen emails and send malicious documents to the chosen addresses
  2. The user downloads and opens such a document, allowing macro execution in the process
  3. The first stage of malware is executed, and the main Trickbot payload is downloaded
  4. The main Trickbot payload is executed and establishes its persistence on the infected machine.
  5. Auxiliary Trickbot modules can be uploaded to the infected machine on demand by the threat actors, the functionality of such modules may vary: it may be spreading via compromised corporate network, stealing corporate credentials, grabbing login details to banking sites, etc.

 

Scope of Impact

Below is a heat-map with the percentage of organizations that were affected by Trickbot in each country according to our data of telemetry:

 

Figure 2. Percentage of impacted organizations by Trickbot (the darker the color – the higher the impact)

 

 

Below is a table that shows the percentage of organizations affected by Trickbot in each region:

Region

Organizations affected

Percentage

World

1 of every 45

2.2%

APAC

1 of every 30

3.3%

Latin America

1 of every 47

2.1%

Europe

1 of every 54

1.9%

Africa

1 of every 57

1.8%

North America

1 of every 69

1.4%

 

Quote: Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software Technologies,

“Trickbot’s numbers have been staggering. We’ve documented over 140,000 machines targeting the customers of some of the biggest and most reputable companies in the world. We went onto observe that the Trickbot authors have the skills to approach malware development from a very low-level and pay attention to small details. Trickbot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause even more damage. At the same time, we know that the operators behind the infrastructure are very experienced with malware development on a high-level as well. The combination of these two factors is what allows Trickbot to remain a dangerous threat for more than 5 years already. I strongly urge people to only open documents from trusted sources and to use different passwords on different web-sites.”

 

Security Tips

1. Only open documents you receive from trusted sources. Do not enable macro execution inside the documents.2. Make sure you have the latest operating system and anti-virus updates up and running.3. Use different passwords on different web-sites.

 

Appendix – The list of targeted companies

Company

Field

Amazon

E-commerce

AmericanExpress

Credit Card Service

AmeriTrade

Financial Services

AOL

Online service provider

Associated Banc-Corp

Bank Holding

BancorpSouth

Bank

Bank of Montreal

Investment Banking

Barclays Bank Delaware

Bank

Blockchain.com

Cryptocurrency Financial Services

Canadian Imperial Bank of Commerce

Financial Services

Capital One

Bank Holding

Card Center Direct

Digital Banking

Centennial Bank

Bank Holding

Chase

Consumer Banking

Citi

Financial Services

Citibank

Digital Banking

Citizens Financial Group

Bank

Coamerica

Financial Services

Columbia Bank

Bank

Desjardins Group

Financial Services

E-Trade

Financial Services

Fidelity

Financial Services

Fifth Third

Bank

FundsXpress

IT Service Management

Google

Technology

GoToMyCard

Financial Services

HawaiiUSA Federal Credit Union

Credit Union

Huntington Bancshares

Bank Holding

Huntington Bank

Bank Holding

Interactive Brokers

Financial Services

JPMorgan Chase

Investment Banking

KeyBank

Bank

LexisNexis

Data mining

M&T Bank

Bank

Microsoft

Technology

Navy Federal

Credit Union

paypal

Financial Technology

PNC Bank

Bank

RBC Bank

Bank

Robinhood

Stock Trading

Royal Bank of Canada

Financial Services

Schwab

Financial Services

Scotiabank Canada

Bank

SunTrust Bank

Bank Holding

Synchrony

Financial Services

Synovus

Financial Services

T. Rowe Price

Investment Management

TD Bank

Bank

TD Commercial Banking

Financial Services

TIAA

Insurance

Truist Financial

Bank Holding

U.S. Bancorp

Bank Holding

UnionBank

Commercial Banking

USAA

Financial Services

Vanguard

Investment Management

Wells Fargo

Financial Services

Yahoo

Technology

ZoomInfo

Software as a service

 

Comments

Post a Comment

Popular posts from this blog

Empowering Business Connectivity and Innovation: Insights from HPE and Tarsus Leadership

-
In a recent conversation, leaders from HPE shared their strategic initiatives and technological advancements designed to empower businesses in the digital landscape. Here are some key insights from the discussion: Introducing the Panel • Mandy Duncan, South Africa Country Manager at HPE Aruba • Michael Langeveld, Head of Technology & Business Development, HPE South Africa • President Ntuli, Managing Director at HPE South Africa Connecting with the Channel Community HPE’s strategy emphasizes connecting with its channel community. Mandy Duncan highlighted the importance of leveraging ecosystems across various geographies to drive business outcomes. HPE aims to create long-term, sustainable partnerships beyond short-term revenue goals. Announcements and Innovations 1. Data Protection as a Service: HPE announced a partnership with distributor Tarsus to introduce data protection as a service, addressing cybersecurity concerns such as ransomware.  2. Hybrid Cloud ...
Read more

Vodacom Group enhances employee offerings to endorse inclusivity and promote well-being.

-
Image
Vodacom Group, recently ranked by the Top Employers Institute as the continent’s number one employer, has now enhanced some of its employee offerings as part of its commitment to creating an inclusive work environment across its markets. With an emphasis on Compassion, Acceptance, Respect and Empathy (C.A.R.E.), the company’s enhanced wellness initiatives include support for all stages of life, such as menopause, and a more encompassing family responsibility leave policy. “Our employees are the heart of Vodacom. We believe that their well-being contributes directly to our success as a company in fulfilling our purpose of connecting for a better future. By enhancing our employee value proposition through empathetic and inclusive policies and practices, we are creating a workplace culture where people feel empowered to thrive and make a positive impact on their career journey,” says Matimba Mbungela, Chief Human Resources Officer for Vodacom Group.  In a  recent research report ...
Read more

How can we grow young female entrepreneurship in South Africa?

-
Image
  How can we grow young female entrepreneurship in South Africa? By Linda McClure, Raizcorp COO South Africa, like many countries globally, grapples with the challenge of  youth unemployment . This is supported by statistics indicating a 45,5% unemployment rate among young individuals (aged 15-34 years), in contrast to the national average of 32,9% in the first quarter of 2024. It’s clear, though, that the struggle continues for many South African women – specifically in the area of small business and entrepreneurship. According to the World Bank, Africa boasts the highest growth rate of female-run businesses in the world. But down on the southernmost tip of the continent, women are still in the minority when it comes to entrepreneurship. While more than half of South Africa’s population is female, only 38% of SMEs are women owned and led. Despite these benefits and the potential of entrepreneurship to improve the socio-economic empowerment of  women in South Africa, ...
Read more