ForcePoint: TrickBot spreading using Necurs botnet

TrickBot malware shifts from malvertising to Necurs botnet to spread, warns Malwarebytes

Back in mid-2016, Malwarebytes discovered a trojan called TrickBot, which targeted the banking sector. ForcePoint Security Labs, which is still tracking the evolving virus, has concluded that it is now being spread by a botnet.

Many links in the code suggest that it was developed by the same people involved in Dyreza; although it was written from scratch, TrickBot contained many similarities to the earlier malware, for example using a similar loader. Initially, it was spread through a malvertising campaign, and was targeting banks in Australia; later that year, it moved to the UK, and later still, began to spread to financial institutions in countries including Germany and the USA.

"[Phishing] is a beautiful concept: it's emails from ADP, your payroll, your HR organisation - it's a beautiful form of attack" - Marcin Kleczynski, CEO of Malwarebytes

Last week, ForcePoint observed a malicious email campaign originating from the Necurs botnet. Necurs is an established botnet that has been active for at least five years, but this was the first time it had been seen distributing TrickBot. The campaign lasted from about 9am to 6pm BST, and ForcePoint alone stopped almost 10 million emails.

The emails followed one of three layouts: those claiming to carry an invoice (with an attached PDF); those with a nonsense subject of eight random digits (and an attached PDF); and those with a blank subject (and an attached .doc, claiming to be a scan of something). Both types of attachment contained a document file with a macro downloader, which fetched the trojan itself.
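The three layouts described above can be turned into a simple mail-gateway triage check. The following is an added example, not code from ForcePoint or Malwarebytes; the `MailMeta` record, the sample messages and the layout names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Subject of exactly eight digits (the "nonsense subject" layout).
EIGHT_DIGITS = re.compile(r"^\d{8}$")
# Subject claiming to carry an invoice (the "invoice" layout).
INVOICE_SUBJECT = re.compile(r"\binvoice\b", re.IGNORECASE)


@dataclass(frozen=True)
class MailMeta:
    """Minimal message metadata as a gateway would see it (hypothetical record)."""
    subject: str
    attachments: Tuple[str, ...]  # attachment file names


def _extensions(names: Tuple[str, ...]) -> set:
    # Lower-cased file extensions of the attachments, ignoring names without one.
    return {n.rsplit(".", 1)[-1].lower() for n in names if "." in n}


def match_campaign_layout(mail: MailMeta) -> Optional[str]:
    """Return 'invoice', 'digits' or 'blank' when the message matches one of the
    three layouts reported for the Necurs/TrickBot campaign, otherwise None."""
    subject = mail.subject.strip()
    exts = _extensions(mail.attachments)
    if INVOICE_SUBJECT.search(subject) and "pdf" in exts:
        return "invoice"
    if EIGHT_DIGITS.match(subject) and "pdf" in exts:
        return "digits"
    if not subject and "doc" in exts:
        return "blank"
    return None


# Constructed sample messages: three matching the described layouts, two benign.
SAMPLE_MAILS = (
    MailMeta("Invoice 4471", ("inv_4471.pdf",)),
    MailMeta("83920114", ("83920114.pdf",)),
    MailMeta("", ("scan_0012.doc",)),
    MailMeta("Meeting notes", ("notes.pdf",)),
    MailMeta("12345", ("report.pdf",)),  # only five digits: not the layout
)


def triage(mails=SAMPLE_MAILS):
    """Return (subject, matched layout or None) for every message."""
    return [(m.subject, match_campaign_layout(m)) for m in mails]


if __name__ == "__main__":
    for subject, layout in triage():
        print(f"{subject!r:20} -> {layout}")
```

A real filter would combine this with a check for macros inside the attached document rather than relying on the subject line alone.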

TrickBot continues to widen its focus

It is interesting to note that the campaign contained the group tag 'mac1'. It downloaded configuration files with an updated list of targeted financial institutions. From 51 targeted URLs seen in the 'dinj' configuration file in April, there are now 130, including 16 French banks and a number of PayPal URLs.

The 'sinj' configuration file had been similarly expanded; from 109 URLs to 333, including 34 institutions in the Nordics.

Human error (social engineering) is commonly referred to as the weak spot in security processes. Marcin Kleczynski of Malwarebytes told us at InfoSec that his company - remember, one of the world's premier security firms - had recently phished its own employees:

"[I]t was a click-through rate of five to six per cent. The breakdown was as follows: sales organisation, finance organisation, marketing organisation. They clicked the emails, entered their credentials; even emailed the helpdesk asking them to help open it. The research organisation, on the other hand, was like, 'Hey, we disassembled these files, we looked inside - what are you trying to do to us?'"

Computing's Enterprise Security and Risk Management Summit 2017 will be held on 23rd November at the Tower Bridge Hilton.