CISA and FBI warn of ongoing TrickBot attacks

CISA and FBI are warning of ongoing TrickBot attacks despite security firms took down the C2 infrastructure of the infamous botnet in October.

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) warn of ongoing Trickbot attacks despite in October multiple security firms dismantled its C2 infrastructure in a joint operation.

On Wednesday, the two US agencies published an advisory to warn organizations of a new wave of attacks conducted by cybercrime actors that are leveraging a traffic infringement phishing scheme to trick victims into installing the TrickBot malware.

“The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.” reads the advisory.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features.

In October, Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined the forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.

Even if Microsoft and its partners have brought down the TrickBot infrastructure TrickBot operators attempted to resume the operations by setting up new command and control (C&C) servers online.

Following the takedown, the operators behind the TrickBot malware have implemented several improvements to make it more resilient.

A few days after the TrickBot takedown, Netscout researchers spotted a new TrickBot Linux variant that was used by its operators.

Security researchers also reported that the botnet was used to spread other threats, such as Ryuk ransomware, Conti ransomware, Conti ransomware, orand also an Emotet downloader.

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation.” continues the report. “In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download TrickBot to the victim’s system.”

Upon clicking on the image hosted on the compromised website, a malicious JavaScript file is downloaded and run, then the malicious code connects to the attackers’ C2 server to fetch and execute the bot on the victim’s machine.

The joint advisory includes Indicators of Compromise (IoCs) and mitigations for these attacks.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]