Trickbot Bounces Back - ThreatWire Crosspost

By Shannon Morse, ThreatWire 

TrickBot is back! And it’s bigger than ever! TrickBot is a major botnet that both US Cyber Command and Microsoft tried to disable during the election season by cutting off the IP addresses of its command and control servers, but since then the operation has rebounded. It first appeared in 2016 as a banking trojan, but it has since evolved to steal credentials and financial data and to spread ransomware such as Conti and Ryuk. TrickBot has been in steady use by attackers for the entire year, with only a small dip after Microsoft disabled some of its servers, and it continues to grow in terms of versions.

Researchers started seeing a newer version of the TrickBot malware, bringing the total to 100 versions, right after the elections. This new version has tricky ways of hiding its own activity and uses the Windows command prompt and the batch scripting built into cmd.exe to find targets with ease. Windows machines ship with this natively, so no additional third-party scripting language is needed to execute commands on these systems.

Notably, TrickBot’s newer versions also include the ability to look for firmware vulnerabilities on victims' machines. The new functionality is dubbed TrickBoot and can allow an attacker to inject malicious code into the UEFI or BIOS, giving the malware persistence on a machine even after a reboot or an operating system reinstall. Since TrickBot can reach this crucial part of a machine, technically it could also erase it, thereby bricking the device.

TrickBot has been used for reconnaissance, so attackers are known to be collecting data on potential victims based on their vulnerabilities. This information could be sold to the highest bidder or kept for a future attack, but researchers have noted that the read, write, and erase capabilities are all present in the code. That indicates that recon isn’t the only motive for this piece of malware.
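A defender's first step against a firmware implant like TrickBoot is knowing which hosts boot in legacy mode or without Secure Boot confirmed, and which firmware versions are deployed, so that firmware updates and write-protection reviews can be prioritised. The following PowerShell script is an added example written for this crosspost; it is not code from ThreatWire, Eclypsium, or any TrickBot analysis. It relies only on built-in cmdlets (Get-CimInstance, Confirm-SecureBootUEFI) and the $env:firmware_type variable that Windows sets to "UEFI" or "Legacy". The function name Get-FirmwareExposure and the triage rule at the end are assumptions of this example, not a published baseline.

```powershell
# Added defender-side inventory check (example code, not from the ThreatWire post):
# reports the firmware facts that decide how exposed a host is to a UEFI/BIOS implant.
# Run from an elevated PowerShell session on Windows 8 / Server 2012 or later.

function Get-FirmwareExposure {
    [CmdletBinding()]
    param()

    $bios   = Get-CimInstance -ClassName Win32_BIOS
    $system = Get-CimInstance -ClassName Win32_ComputerSystem

    # Windows sets $env:firmware_type to "UEFI" or "Legacy" for the running boot mode.
    $firmwareType = $env:firmware_type

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines and needs admin rights,
    # so any failure is recorded as "Unknown" rather than silently treated as enabled.
    $secureBoot = 'Unknown'
    try {
        $secureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    }
    catch {
        $secureBoot = "Unknown ($($_.Exception.Message))"
    }

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        Manufacturer    = $system.Manufacturer
        Model           = $system.Model
        BiosVendor      = $bios.Manufacturer
        BiosVersion     = $bios.SMBIOSBIOSVersion
        BiosReleaseDate = $bios.ReleaseDate
        FirmwareType    = $firmwareType
        SecureBoot      = $secureBoot
    }
}

# Hypothetical triage rule for this example: hosts booting in legacy mode, or where
# Secure Boot cannot be confirmed on, go to the front of the firmware review queue.
$report = Get-FirmwareExposure
$report | Format-List

if ($report.FirmwareType -ne 'UEFI' -or $report.SecureBoot -ne 'Enabled') {
    Write-Warning "Firmware protections not confirmed on $($report.ComputerName); prioritise a firmware update and a write-protection review."
}
```

One caveat on reading the output: Secure Boot validates what the firmware loads, it does not by itself stop writes to the SPI flash where the firmware lives. Whether those writes are blocked depends on the platform's write-protection settings, which this script cannot read; that check needs the vendor's tools or a dedicated firmware scanner, and the BIOS version and release date reported here are what you compare against the vendor's advisories when deciding whether a host is due for an update.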

Watch this on youtube: https://youtu.be/MwGyz8UFCrs

Shop ThreatWire Merch on Teespring! - https://teespring.com/stores/morsecode (Use the coupon code TURKEY for 15% off until Dec 10!)

Join now for a limited edition signed Christmas Card and to support ThreatWire!  https://www.patreon.com/threatwire

Links:

Trickbot:

https://www.cyberscoop.com/trickbot-status-microsoft-cyber-command-takedown/

https://arstechnica.com/information-technology/2020/12/dangerous-uefi-malware-is-rare-a-botnet-called-trickbot-may-change-that/

https://threatpost.com/trickbot-returns-bootkit-functions/161873/

https://www.cyberscoop.com/trickbot-firmware-vulnerability-detection-ability-eclypsium-bricking-devices/
