Despite partially successful takedowns in the past, a surge in Trickbot infections has compromised over 140,000 systems at customers of some of the world’s most prominent organisations including Amazon, Google and Microsoft since late 2020, but has left entities in the UK largely unscathed.
New figures released by Check Point Research reveal how the notorious banking trojan-turned-malware loader is being aimed at customers of high-profile and generally trustworthy organisations to steal and compromise their most sensitive data.
The list of 60 most-targeted corporations includes American Express, AOL, Barclays, Capital One, Citibank, JPMorgan Chase, LexisNexis, Paypal, Wells Fargo and Yahoo, and businesses in Asia-Pacific (APAC) seem to be the most affected, with organisations in China found to be the most vulnerable.
Overall, one in every 45, or 2.2% of global organisations have been affected by Trickbot, 3.3% in APAC, 2.1% in Latin America, 1.9% in Europe, 1.8% in Africa and 1.4% in North America. However, on a country-by-country basis, the UK emerges relatively unaffected, which may be read as a good reflection on British security teams.
“Trickbot’s numbers have been staggering. We’ve documented over 140,000 machines targeting the customers of some of the biggest and most reputable companies in the world,” said Check Point cyber security research and innovation manager, Alexander Chailytko.
“The Trickbot authors have the skills to approach malware development from a very low-level and pay attention to small details. Trickbot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause even more damage.
“At the same time, we know that the operators behind the infrastructure are very experienced with malware development on a high-level as well. The combination of these two factors is what allows Trickbot to remain a dangerous threat for more than five years already. I strongly urge people to only open documents from trusted sources and to use different passwords on different websites,” he said.
Trickbot is distributed via phishing emails containing malicious documents that if opened, allow macro execution to download the main Trickbot payload to establish persistence on the infected machines. Auxiliary Trickbot modules with differing functionality, up to 20 are currently known, can then be uploaded as needed by the threat actors.
Trickbot is generally very selective in how it chooses its targets, and incorporates various functionality, such as anti-analysis and anti-deobfuscation tools, to make it harder to detect and stop.
Even though the current round of infections seems to be giving the UK a wide berth, Trickbot can be stopped in its tracks by paying attention to some basic tenets of cyber hygiene. Users should only open documents they receive from trusted sources and should not enable macro execution inside documents; keep operating systems and antivirus up to date; and use different, strong passwords on different websites.
Jamie Akhtar, CEO and founder of Cybersmart, commented: “The continuing evolution of Trickbot is a very worrying development, particularly given that it can now be used to conduct a variety of attacks.
“Trickbot attacks rely on leveraging the names and branding of well-known financial institutions, so we urge everyone to take a second look at any communication they receive claiming to be from a bank. If something doesn’t seem right, it probably isn’t. Look out for communications that seem unusual – for example, would your bank ordinarily email you? And, if in doubt, always check with your provider.”