The Trickbot malware, which was supposedly dismantled in October 2020 by a Microsoft-led coalition, is back as one of the most frequent threats in the world, although it is not prevalent in Brazil. In the opinion of specialist and malware hunter Fábio Assolini, senior security analyst at Kaspersky in Brazil, it won’t be easy to put an end to it. The main reason is that this malware is not operated by a single person or group but by many people, under a “malware as a service” model, explains Assolini: “There are several operators, with different ‘builds’, so when a group or cell is arrested, at some point others will continue to spread the malware.” The takedown of command and control servers in October was a very important operation, notes the Kaspersky analyst, but he already knew that the problem would not end there: “Any operation like this one, involving the police forces, is very welcome because an infrastructure used by these criminals is dismantled”.
But that does not end the problem, warns Assolini: although the coalition obtained and retained the domains used by the criminals, “others take action, hire other infrastructure and continue the attacks”. Trickbot operations have become attractive, among other things, because they have migrated from traditional attacks on internet banking credentials to the theft of credentials for accessing networks and servers, followed by the sale of those credentials to ransomware operators, details the Kaspersky analyst: “In the beginning they were specialized in internet banking attacks, but not anymore.
They specialize in selling access to ransomware operators as Trickbot operates as a backdoor into the machine.” Brazil is under attack from this malware, although it is not the most attacked country in the world, notes Assolini. According to Kaspersky statistics, the five most attacked countries in the last 12 months are, in order, Iran, China, Costa Rica, Saudi Arabia and Brazil (with 8% of detections).
What makes Trickbot particularly dangerous is the fact that it is constantly evolving and changing, says Assolini: “The ‘flavors’ of Trickbot we’ve encountered are many. They are malware as a service and there are many groups working on them.” This is why there are so many builds, but Assolini finds it very difficult to quantify them: “There is even the concept of ‘exclusive build’ among them. As they work like malware as a service, they have the ‘packages’ there to be sold. Anyone who wants to spend less buys a builder that is not exclusive, that has already been sold to several groups, and the malware it will generate already has a high detection rate by security products, so it is less effective. Those who want a better product will pay more – they are exclusive builders, sold only to that person, and in some cases improvements and support are offered for a while”.
Exclusive builders are more expensive because they give the developers more work, explains Assolini: “Some are FUD, which means ‘fully undetectable’: they ensure that the malware the builder generates will not be detected by security solutions.” Exclusive builders are rarely found online, notes the analyst: they usually turn up on machines owned by groups discovered by the police.
What is TrickBot – TrickBot is a financial trojan first discovered in 2016 and initially focused on clients of major banks in the UK, USA, Australia and some other countries in the northern hemisphere. It is known for its high ability to mimic banking application screens and steal personal information such as logins and passwords. For this it uses the post-exploitation tool Mimikatz, although it now uses many other tools as well. It is also capable of stealing information from Bitcoin wallets, gaining access to email accounts and stealing network or system data in order to move laterally. It can then make the compromised system send emails. In June 2021 Trickbot completed two months at the top of Check Point Research’s global threat index.