Security experts from Bitdefender recently discovered a new TrickBot variant that is targeting telecommunications organizations in the United States and Hong Kong.
TrickBot is a widespread banking Trojan that has been active since October 2016, and its authors have continuously upgraded it with new features. In February 2019, for example, Trend Micro detected a variant that includes a new module for Remote App Credential-Grabbing.
This new variant includes a module dubbed
“The new module was discovered on January 30, and its main functionality is to perform
The module appears to still be under development, but the experts pointed out that threat actors have already used it against organizations, mostly in the telecommunications, education, and financial services sectors.
The module implements three attack modes, named check,
The check mode should check for
Once a TrickBot infection is established, the malware awaits commands from its command and control (C&C) server. The Trojan could load
The downloaded plugins allow the malware to perform lateral movement, reconnaissance and data harvesting, establish a foothold,
The researchers retrieved 3,460 IP addresses associated with TrickBot: 2,926 served as C&C servers, 556 delivered new plugins, and 22 did both (those 22 are included in both of the preceding totals, which is why 2,926 + 556 - 22 = 3,460). The experts noticed that around 100 new IPs were added to the infrastructure each month, and that each IP stayed in use for an average of 16 days.
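The infrastructure figures above matter operationally: with roughly 100 new addresses a month and an average lifetime of about two weeks, a static blocklist of TrickBot IPs goes stale almost as fast as it is built. The following script is an added example (not from Bitdefender's research or this article) of how a defender might keep such an indicator set honest. It counts IPs per role the same inclusive way the article does (an address that served both roles is counted under both and once more under "both", so C&C + plugin - both = unique), measures how long each IP stayed in use, counts new IPs per month, and flags entries that should age out of a blocklist. The sightings are constructed sample data in RFC 5737 documentation ranges, not real TrickBot indicators; the role labels `c2`/`plugin` and the 14-day grace period are assumptions.

```python
"""Track and age a rotating C&C / plugin-server indicator set (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Sighting:
    """One observation of an IP acting in a role over a date range."""
    ip: str
    role: str          # "c2" or "plugin" (assumed role labels)
    first_seen: date
    last_seen: date


# Constructed sample sightings in RFC 5737 documentation ranges.
# These are NOT real TrickBot indicators.
SIGHTINGS = [
    Sighting("203.0.113.10", "c2",     date(2020, 1, 3),  date(2020, 1, 20)),
    Sighting("203.0.113.10", "plugin", date(2020, 1, 5),  date(2020, 1, 18)),
    Sighting("203.0.113.25", "c2",     date(2020, 1, 10), date(2020, 1, 25)),
    Sighting("198.51.100.7", "plugin", date(2020, 2, 2),  date(2020, 2, 14)),
    Sighting("198.51.100.9", "c2",     date(2020, 2, 3),  date(2020, 2, 28)),
    Sighting("192.0.2.44",   "c2",     date(2020, 2, 20), date(2020, 3, 1)),
]


def _as_date(day):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(day) if isinstance(day, str) else day


def roles_by_ip(sightings):
    roles = defaultdict(set)
    for s in sightings:
        roles[s.ip].add(s.role)
    return dict(roles)


def role_totals(sightings):
    """Per-role IP counts, inclusive: a dual-role IP is counted under
    'c2', under 'plugin', and under 'both', so c2 + plugin - both == unique."""
    roles = roles_by_ip(sightings)
    return {
        "unique": len(roles),
        "c2": sum(1 for r in roles.values() if "c2" in r),
        "plugin": sum(1 for r in roles.values() if "plugin" in r),
        "both": sum(1 for r in roles.values() if {"c2", "plugin"} <= r),
    }


def _first_last(sightings):
    first, last = {}, {}
    for s in sightings:
        first[s.ip] = min(first.get(s.ip, s.first_seen), s.first_seen)
        last[s.ip] = max(last.get(s.ip, s.last_seen), s.last_seen)
    return first, last


def lifetimes(sightings):
    """Days each IP stayed in use, earliest first_seen to latest last_seen, inclusive."""
    first, last = _first_last(sightings)
    return {ip: (last[ip] - first[ip]).days + 1 for ip in first}


def average_lifetime_days(sightings):
    lt = lifetimes(sightings)
    return sum(lt.values()) / len(lt)


def new_ips_per_month(sightings):
    """How many previously unseen IPs appeared in each month (infrastructure churn)."""
    first, _ = _first_last(sightings)
    counts = defaultdict(int)
    for d in first.values():
        counts[f"{d.year:04d}-{d.month:02d}"] += 1
    return dict(counts)


def active_on(sightings, day):
    """IPs with a sighting that spans the given day: the set worth blocking then."""
    day = _as_date(day)
    return {s.ip for s in sightings if s.first_seen <= day <= s.last_seen}


def stale_as_of(sightings, today, grace_days=14):
    """IPs not seen within grace_days of today: candidates for removal from a
    blocklist, so entries do not accumulate as the infrastructure rotates."""
    _, last = _first_last(sightings)
    cutoff = _as_date(today) - timedelta(days=grace_days)
    return {ip for ip, d in last.items() if d < cutoff}


if __name__ == "__main__":
    print("role totals:", role_totals(SIGHTINGS))
    print("avg lifetime (days):", average_lifetime_days(SIGHTINGS))
    print("new IPs per month:", new_ips_per_month(SIGHTINGS))
    print("active on 2020-02-10:", sorted(active_on(SIGHTINGS, "2020-02-10")))
    print("stale as of 2020-03-15:", sorted(stale_as_of(SIGHTINGS, "2020-03-15")))
```

The `stale_as_of` grace period is the knob to tune against the observed lifetime: with a 16-day average, a 14-day grace keeps most live C&C addresses blocked while letting recycled ones expire instead of sitting in firewall rules indefinitely. Feeding the real sighting feed into the same functions is all that is needed to reproduce the article's per-role and churn figures from raw data.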
The analysis of the distribution of infections revealed that most of the victims over the past month were in the United States (nearly 30,000), with Spain (10,000) and Canada (3,500) rounding out the top three.