Evasive Trickbot Attacks 60 High-Profile Companies

Check Point Research has released findings on an evasive Trickbot variant and its attacks on 60 high-profile companies.

Trickbot is a sophisticated and versatile malware family with more than 20 modules that can be downloaded and executed on demand. These modules enable a wide range of malicious activity and pose a serious danger to the customers of 60 high-profile financial (including cryptocurrency) and technology companies, mainly located in the United States.

Check Point has called out this variant's de-obfuscation and anti-analysis elements. Companies that Check Point has observed Trickbot targeting include Amazon, American Express, JPMorgan Chase, Microsoft, Yahoo and others.

Saryu Nayyar, CEO and Founder of Gurucul, had this to say:

     “We not only see variants created based on more recently successful malware, but we even see threat actors use malware that is even twenty years old to generate new variants. As can be seen by Trickbot, even when a threat actor group is broken up, their legacy lives on as other groups can inherit their tools, tactics and procedures with their own modifications and improvements to evade current detection techniques. Why does this occur? Unfortunately, with the rise of security analytics, too many vendors started claiming Machine Learning (ML) and Artificial Intelligence (AI) ‘engines’ to assist human security analysts and SOC teams in correlating and presumably analyzing events across large swaths of time. The reality was that these were static rule-based, think pre-defined flow-chart models, for identifying an attack campaign. Certainly useful for catching a known attack campaign targeting an organization, but hardly helpful for new attacks or variants as it would “break” the flow-chart and be missed as a new attack. The other challenge is vendors that did have legitimate ML/AI could not keep up with all the attacks and variants and would create a limited set of models that were broad in scope and not very precise. The result was an increase of false positives that led security teams further astray rather than actually helping them determine if a new attack was targeting their organization. This is where truly self-learning ML/AI with a robust library of threat modeling is critical to automate detection of the attack and accelerate response by security teams.”

Because Trickbot gives threat actors so much versatility, an enterprise's response needs to be just as versatile. It is time for enterprises to step up their game.
