Security experts from Bitdefender recently discovered a new TrickBot variant that is targeting telecommunications organizations in the United States and Hong Kong.
TrickBot is a popular banking Trojan that has been around since October 2016; its authors have continuously upgraded it with new features. For example, in February 2019 Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing.
This new variant includes a module dubbed
“The new module was discovered on January 30, and its main functionality is to perform
The module appears to be under development, but experts pointed out that threat actors have already used it to target organizations, mostly in the telecoms, education, and financial services sectors.
The module implements three attack modes, named check,
The check mode should check for
Once TrickBot has infected a system, the malware awaits commands from the command and control (C&C) server. The Trojan could load
The downloaded plugins allow the malware to perform lateral movements, reconnaissance, data harvesting, set foothold,
Researchers retrieved 3,460 IP addresses associated with TrickBot: 2,926 were related to C&C servers, 556 were used to serve new plugins, and 22 were used for both purposes. Experts noticed that around 100 new IPs were added to the infrastructure each month, and each IP was used for 16 days on average.
The analysis of the distribution of the infections revealed that most of the victims over the past month were in the United States (nearly 30,000), with Spain (10,000) and Canada (3,500) rounding out the top three.