What is the Issue:
A new Trickbot iteration features a stealthy method of performing process hollowing using direct system calls, along with anti-analysis techniques and the disabling of security tools. Process hollowing is a technique used by malware in which a legitimate process is started on the system solely to act as a container for hostile code.
Why is this noteworthy:
The malware has started targeting U.S. banks in new spam campaigns fueled by botnets. The malware, first discovered in 2016, targets customers of major banks. According to a blog post by researchers at Webroot, the updated Trickbot has “continually undergone updates and changes in attempts to stay one step ahead of defenders.”
What is the exposure or risk:
Trickbot has made its mark as a trojan responsible for man-in-the-browser attacks since mid-2016. It includes modules for stealing data from browsers and Microsoft Outlook, locking the victim’s computer, gathering system and network information, and stealing domain credentials. It also uses victims for other malicious activities, such as cryptocurrency mining. The latest variant of Trickbot is spreading via a widespread spam campaign that uses malicious Word documents carrying macro code with a twist. The Cyberbit researchers first discovered the campaign last month targeting victims in the U.S. and Spain.
What are the recommendations:
Be extra vigilant about downloads and background processes running on your PC. We recommend following best practices for protecting your company’s information and information systems, which includes following your policies and procedures for system updating and patching, system hardening, and regular scanning to detect vulnerabilities and indicators of compromise. Exercise caution before clicking “Enable Content” to allow macros to run in a document.
If you have any questions, please contact our Security Intelligence Center.