
Published on July 14th, 2019 📆 | 2359 Views ⚑


Stealthy TrickBot Malware Has Compromised 250 Million Email Accounts And Is Still Going Strong



A strain of malware known as TrickBot has been infecting victims since 2016. It's still going strong today -- in fact, many in the cybersecurity world consider it the top threat targeting businesses right now. Experts believe that TrickBot may have compromised upwards of 250 million email accounts so far.

Researchers at DeepInstinct have been tracking TrickBot activity. In recent years they've seen the malware evolve and add new capabilities that have made it even more dangerous.

One of those additions is something DeepInstinct refers to as TrickBooster. Its job: to send spam emails from infected computers in order to increase the spread of TrickBot infections.

At its core, TrickBot is a banking Trojan. The malware is typically distributed via spearphishing emails -- like bogus resumes sent to human resources or invoices sent to accounts staff. Those are typically attached in the form of weaponized Microsoft Word or Excel files.

TrickBot can spread through an organization a few different ways. One way is by exploiting vulnerabilities in SMB, a protocol that allows Windows computers to easily share and access files and folders on other systems on the same network.

Malware that spreads via SMB can quickly propagate throughout an org where hardware and software configurations tend to be fairly homogeneous. That uniformity tends to lead to large numbers of computers that are vulnerable to the same exploits, which makes it much easier for malware like TrickBot to spread.

A Nasty "Plan B"

TrickBooster gives TrickBot a second highly effective way to spread infection. By sending emails from trusted addresses within an organization, TrickBot increases the odds that a would-be victim will open one of its trojanized attachments.

It seems to be working, too. DeepInstinct managed to sneak a peek at a database connected to TrickBot operations. The company's researchers discovered a trove of nearly 250 million email addresses that had been harvested by the TrickBot campaign.

Alarmingly, DeepInstinct noted that those addresses don't appear to come from previously-known breaches. They seem to be a fresh batch.

Among them are more than 25 million from Gmail, 21 million from Yahoo!, and 11 million from Hotmail. Another 10 million belong to AOL and MSN users. While those six consumer-focused services account for 70 million or so of the total entries in the database, DeepInstinct also spotted scores of addresses belonging to government workers.

U.S.-based accounts caught up in TrickBot's web include staff from the Department of Justice, Department of State, Homeland Security, the Postal Service, as well as the FAA, ATF, IRS and NASA. Email accounts belonging to numerous Canadian and British agencies were also found in the database.
