The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) warn of ongoing Trickbot attacks despite in October multiple security firms dismantled its C2 infrastructure in a joint operation.
On Wednesday, the two US agencies published an advisory to warn organizations of a new wave of attacks conducted by cybercrime actors that are leveraging a traffic infringement phishing scheme to trick victims into installing the TrickBot malware.
“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.” reads the advisory.
TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features.
In October, Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined the forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.
Even if Microsoft and its partners have brought down the TrickBot infrastructure TrickBot operators attempted to resume the operations by setting up new command and control (C&C) servers online.
Following the takedown, the operators behind the TrickBot malware have implemented several improvements to make it more resilient.
A few days after the TrickBot takedown, Netscout researchers spotted a new TrickBot Linux variant that was used by its operators.
The joint advisory includes Indicators of Compromise (IoCs) and mitigations for these attacks.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, botnet)