TrickBot, an aggressive strain of banking trojan, has been spreading through phishing emails
TrickBot, an aggressive strain of banking trojan, has been spreading through phishing emails disguised as coming from the US Department of Labor concerning the Family and Medical Leave Act (FMLA). FMLA is a federal level act that provides unpaid time off to employees to care for sick family members while protecting their job so that they can return to work once they’re done caring for their families. FMLA has strict requirements, such as being employed by the employer for 12 months, working at least 1,200 hours in the last 12 months (100 hours a month, or ~25 hours a week), and at a location with at least 50 employees within employed within 75 miles.
Needless to say, employees have been making use of this federally mandated leave to take care of their loved ones who have been infected with Covid-19. Furthermore, President Trump has increased the benefits provided by the program recently, which makes it an easier target for attackers as they can capitalize on not arousing suspicion by sending an email that disguises itself as information about the new benefits.
These phishing emails include malware embedded in attachments, which reach out to a command-and-control node to later install TrickBot. This two-step process helps the email make it through spam filters, which will be actively looking for TrickBot and because it’s easier to hide a few lines of unknown malicious code. The problem with this deployment process is that, as seen by IBM-X Force, the call to the command-and-control node can fail and TrickBot is never installed. This doesn’t mean that the infected device won’t call out again, but it does mean it’s possible to disrupt the attack by disabling the command-and-control address. Once installed, TrickBot beings capturing and transmitting data while also increasing its permissions and installing more malware.