Financial gain drives cyberthieves to find new ways to infiltrate networks. So, it shouldn’t be surprising banks are a primary target.
Hackers use TrickBot banking trojans to penetrate networks and attempt to steal money or cryptocurrency by gaining access to organizations’ or individuals’ passwords and accounts. The malware is delivered through phishing emails and quickly spreads to other devices.
TrickBot targets Windows machines and has been wreaking havoc since 2016. It evolved from Dyreza, an online banking trojan first acknowledged in September 2014. Dyreza infected hundreds of thousands of computers and more than 1,000 financial institutions before it was eradicated by Russian police in 2015.
Endpoint users are blind to TrickBot symptoms, but a network administrator would notice deviations in traffic and visits to blacklisted IPs and domains. The malware communicates with TrickBot’s command-and-control infrastructure to steal data and receive tasks. Spam campaigns are most common vehicles to spread the virus.
TrickBot continues to develop since its inception. Originally weaponized as a banking trojan, it’s capable of downloading malware families on compromised machines, and stealing virtual network computer, PuTTY and remote-desktop-protocol credentials. It’s also known as Trickster, TheTrick and TrickLoader.
It utilizes the EternalBlue vulnerability – the same used by WannaCry to gain access to computers – to spread through networks. Infected machines can re-infect ones that had been cleaned when they rejoin the system. This forces IT professionals to isolate, patch and remediate each infected computer one at a time.
Here are steps to protect networks and computers from TrickBot:
- Ensure every workstation on the network has working and updated antivirus software
- Follow best-practice settings by using multiple layers of protection techniques
- Patch computers against EternalBlue exploit
Organizations have felt the wrath of TrickBot, including an Ohio school district. Coventry Local Schools fell victim to a TrickBot attack and was forced to cancel classes May 20. The school district noticed the issue on a small number of machines May 17 before it had spread throughout the network. The attack affected phones, heating and air conditioning, security and building access.
Howard County, Fla., suffered a TrickBot attack in April. The virus failed to breach the county’s financial and banking records, but the malware forced it to disconnect Wi-Fi and use paper and pen to take care of government procedures.
Not even the Internal Revenue Service is immune to a TrickBot attack. The government agency reported that cyberthieves plundered more than $1.6 million in fraudulent returns during the 2016 tax year.
Phishing was the preferred weapon used in these strikes. IBM global executive security advisor Limor Kessem expounded the importance of online awareness in a Techcrunch.com article in April.
“As cybercriminal gangs of this level continue to gain steam, it’s increasingly important for businesses and consumers to be more aware of their activity online, even when they’re doing something as simple as clicking on a link in an email,” she said. “Email is an incredibly easy way for an attacker to interact with potential victims, posing as a trusted brand to infiltrate devices and eventually your networks.”
Business leaders would be wise to listen to Kessem’s advice and embrace user-awareness training to avoid setbacks rather than regret being fooled by a trickster.
To discuss security strategy, contact Security Analyst Frank Verdecchia at firstname.lastname@example.org.