Check Point Research (CPR) has uncovered new, detailed findings about the ongoing development of Trickbot.
The well-known banking Trojan steals and exposes its victims' data, targeting high-profile victims. CPR has recorded more than 140,000 machines infected with Trickbot since November 2020, many of them belonging to customers of well-known companies such as Amazon, Microsoft, Google and PayPal. In total, CPR recorded 60 companies whose customers fell victim to it during the past 14 months.
Chart 1. Companies whose customers are targeted by Trickbot
Key findings about Trickbot's implementation
- The malware is very selective in the way it chooses its targets
- Various tricks, including anti-analysis and anti-deobfuscation techniques applied inside the modules, demonstrate the strong technical background of its creators
- Its infrastructure can be used by other malware families to cause greater damage on the infected computers
- It is sophisticated and flexible malware with more than 20 modules that can be downloaded and run on demand
How Trickbot works:
1. The attackers obtain a database of stolen email addresses and send malicious documents to the selected addresses.
2. The user downloads and opens such a document, allowing macros to execute in the process.
3. The first stage of the malware runs and downloads the main Trickbot payload.
4. The main Trickbot payload runs and establishes persistence on the infected machine.
5. Auxiliary Trickbot modules can be downloaded to the infected machine on demand from the threat actors; the functionality of these modules varies: they can spread through the compromised corporate network, steal corporate credentials, hijack banking connections, etc.
Impact
The following map shows the percentage of organizations affected by Trickbot in each country, according to CPR telemetry data:
Chart 2. Percentage of organizations affected by Trickbot (the darker the color, the greater the impact)
The following table shows the percentage of organizations affected by Trickbot in each region:

| Region | Affected organizations | Rate |
| --- | --- | --- |
| Global | 1 in 45 | 2.2% |
| APAC | 1 in 30 | 3.3% |
| Latin America | 1 in 47 | 2.1% |
| Europe | 1 in 54 | 1.9% |
| Africa | 1 in 57 | 1.8% |
| North America | 1 in 69 | 1.4% |
Comment by Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software Technologies:
"Trickbot's numbers are shocking. We have recorded over 140,000 machines targeting customers of some of the largest and most trusted companies in the world. We continue to observe that the creators of Trickbot have the ability to approach the development of malware from a very low level and to pay attention to small details. Trickbot attacks high-profile victims to steal credentials and give operators access to gateways with sensitive data, where they can do even more damage. At the same time, we know that the operators behind the application also have extensive experience in developing high-level malware. The combination of these two factors is what allows Trickbot to remain a dangerous threat here for more than 5 years. I urge users to open documents only from trusted sources and use different passwords on different sites on the Internet."
Security tips
1. Only open documents that you receive from trusted sources. Do not enable macro execution in documents.
2. Make sure you have the latest operating system and anti-virus updates.
3. Use different passwords on different websites.
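The second half of tip 1 (do not enable macro execution in documents) can be enforced centrally rather than left to each user. The PowerShell script below is an added example, not code from the CPR report: it writes the Office policy values that block macros in files downloaded from the Internet and raises the default macro setting to "disable all except digitally signed", then audits the result. It assumes Office 2016/2019/Microsoft 365 (registry version key `16.0`) and applies the policy for the current user via the `HKCU\Software\Policies` hive; the function names are this example's own.

```powershell
# Added example (not from the CPR report): enforce and audit the Office policy
# that blocks macros in documents downloaded from the Internet (files carrying
# the Mark-of-the-Web) and tighten the default macro setting.
# Assumptions: Office 2016/2019/Microsoft 365 (version key "16.0"), per-user
# policy hive HKCU\Software\Policies, run as the user whose Office is being hardened.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    param([string]$App)
    $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # 1 = block macros in documents that arrived from the Internet or as email attachments
    Set-ItemProperty -Path $path -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    # VBAWarnings: 3 = disable all macros except digitally signed; 4 = disable all without notification
    Set-ItemProperty -Path $path -Name 'VBAWarnings' -Value 3 -Type DWord
}

function Get-OfficeMacroPolicy {
    param([string]$App)
    $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $block = [int]$props.blockcontentexecutionfrominternet
    $vba   = [int]$props.VBAWarnings
    [pscustomobject]@{
        App                 = $App
        BlockInternetMacros = $block
        VBAWarnings         = $vba
        # Compliant only when Internet-sourced macros are blocked AND unsigned macros are disabled
        Compliant           = ($block -eq 1 -and $vba -ge 3)
    }
}

foreach ($app in $Apps) { Set-OfficeMacroPolicy -App $app }
$Apps | ForEach-Object { Get-OfficeMacroPolicy -App $_ } | Format-Table -AutoSize
```

Run the script once per user profile (or push the same values through Group Policy for a domain); the audit function can be run on its own from an endpoint-management job to verify that the macro-blocking policy has not been rolled back.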
Annex - The list of target companies

| Company | Field |
| --- | --- |
| Amazon | E-commerce |
| American Express | Credit card services |
| AmeriTrade | Financial services |
| AOL | Online service provider |
| Associated Banc Corp. | Bank holding |
| BancorpSouth | Banks |
| Bank of Montreal | Investment banking |
| Barclays Bank Delaware | Banks |
| Blockchain.com | Cryptocurrency financial services |
| Canadian Imperial Bank of Commerce | Financial services |
| Capital One | Bank holding |
| Card Center Direct | Digital banking |
| Centennial Bank | Bank holding |
| Chase | Consumer banking |
| Citi | Financial services |
| Citibank | Digital banking |
| Citizens Financial Group | Banks |
| Comerica | Financial services |
| Columbia Bank | Banks |
| Desjardins Group | Financial services |
| E-Trade | Financial services |
| Fidelity | Financial services |
| Fifth Third | Banks |
| FundsXpress | IT service management, technology |
| GoToMyCard | Financial services |
| Hawaii USA Federal Credit Union | Credit union |
| Huntington Bancshares | Bank holding |
| Huntington Bank | Bank holding |
| Interactive Brokers | Financial services |
| JPMorgan Chase | Investment banking |
| KeyBank | Banks |
| LexisNexis | Data mining |
| M&T Bank | Banks |
| Microsoft | Technology |
| Navy Federal | Credit union |
| PayPal | Financial technology |
| PNC Bank | Banks |
| RBC Bank | Banks |
| Robinhood | Stock trading |
| Royal Bank of Canada | Financial services |
| Schwab | Financial services |
| Scotiabank Canada | Banks |
| SunTrust Bank | Bank holding |
| Synchrony | Financial services |
| Synovus | Financial services |
| T. Rowe Price | Investment management |
| TD Bank | Banks |
| TD Commercial Banking | Financial services |
| TIAA | Insurance |
| Truist Financial | Bank holding |
| US Bancorp | Bank holding |
| UnionBank | Commercial banking |
| USAA | Financial services |
| Vanguard | Investment management |
| Wells Fargo | Financial services |
| Yahoo | Technology |
| ZoomInfo | Software as a service |