TrickBot returns with campaign against legal and insurance firms

Despite the security industry’s efforts to disrupt the TrickBot botnet, its operators are trying to revive it with new infection campaigns. The latest one, observed by researchers this month, targeted legal and insurance companies.

“In the most recent campaign we observed across our global Menlo Security cloud platform, we noticed the attackers used an interesting lure to get users to click and install the Trickbot malware on the endpoint,” security firm Menlo Security said in a report Friday. “This ongoing campaign that we identified exclusively targeted legal and insurance verticals in North America.”

TrickBot background

TrickBot has been plaguing companies and consumers since 2016 and has infected over a million computers. In recent years it has frequently been in the spotlight because of its association with Ryuk, a highly sophisticated ransomware operation that has hit many organizations around the world.

TrickBot started out as a banking Trojan but evolved into a crimeware platform through which its operators sold access to infected computers to other hacker groups who wanted to distribute their own malware. One of those groups, and probably TrickBot’s biggest customer, is the gang behind Ryuk, which is why Ryuk infections are often preceded by a TrickBot infection.

In October, Microsoft used legal action to seize many of the domain names that were used to operate TrickBot command-and-control servers and then worked with other security vendors and ISPs to take control of them. By early November, no TrickBot command-and-control servers were still active, but researchers warned these attackers were resourceful and might try to rebuild the botnet.

The latest TrickBot campaign

The campaign detected by Menlo involved spam emails containing a malicious URL. Clicking it took users through a series of redirects to a page posing as an automated notification of a negligent-driving incident. The page offered a button to download the alleged photographic evidence; what it actually delivered was a zip archive containing a malicious JavaScript file that, once opened, fetched the TrickBot payload.
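The lure described above relies on a zip archive that carries a script file where the victim expects a photo. A gateway or sandbox check that refuses zip downloads containing Windows Script Host file types catches this delivery stage regardless of the lure text. The following is an added example, not code from Menlo Security or from the article; the file names, contents and the extension list are constructed for illustration and are not samples from the campaign.

```python
import io
import zipfile
from typing import Dict, List, Tuple, Union

# File types Windows hands to the Windows Script Host or a shell when double-clicked.
# Assumption for this example: any zip delivering one of these to an end user is blocked.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1",
}


def risky_entries(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for each zip member that looks like a script lure.

    Only the last suffix decides the type: "Photo_Evidence.jpg.js" is a script,
    not an image, and the extra suffix is reported as a disguise attempt.
    """
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            dot = lower.rfind(".")
            ext = lower[dot:] if dot != -1 else ""
            if ext in SCRIPT_EXTENSIONS:
                reason = "script file"
                if lower.count(".") > 1:
                    reason = "script file with disguising double extension"
                findings.append((name, reason))
    return findings


def build_sample_zip(members: Dict[str, Union[str, bytes]]) -> bytes:
    """Constructed test input: build an in-memory zip from {member_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not artifacts from the real campaign.
LURE_ZIP = build_sample_zip({
    "Photo_Evidence.jpg.js": "var x = 1; // placeholder body, not a real loader",
})
BENIGN_ZIP = build_sample_zip({
    "report.pdf": b"%PDF-1.4 placeholder",
    "notes.txt": "nothing to see here",
})


if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        hits = risky_entries(blob)
        verdict = "BLOCK" if hits else "allow"
        print(f"{label}: {verdict} {hits}")
```

The check inspects only member names, so it runs cheaply at a mail or proxy gateway before any content scanning; it does not open nested archives, which a production filter would also need to recurse into.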