Is It Impossible To Take Down TrickBot Permanently?
TrickBot, a long-standing favorite tool of cybercrime groups, is a well-known banking Trojan that targets both consumers and businesses for valuable data such as account credentials, banking details, and PII (personally identifiable information). It is also capable of adapting to the environments and networks it targets.
TrickBot was the subject of a takedown in November 2020 by law enforcement agencies and security vendors. However, the takedown later proved to be less effective than it should have been. Since then, the TrickBot malware has been observed coming back to life, and the operators behind it have been found to release upgraded versions at regular intervals.
Recently, a new and more efficient version of the malware was released, as detailed by the cybersecurity publication SecurityIntelligence. The takedown in November 2020 was expected to bring relief to the cyber world, but it has had the opposite effect.
It seems that the takedown (better seen as a pause) has given the malware and its operators a kick start. This most recent and upgraded version of the malware has been studied by researchers at IBM Trusteer, who examined its components and released a report (non-publicly).
The operators have numbered the latest version 100003, a step back from the previous versions numbered 1000512 and 1000513. At this latest stage the malware incorporates many enhancements, such as a creative mutex naming algorithm and an updated persistence mechanism.
It has not been rewritten completely and retains some of the same old functionality: the same process hollowing injection code, the same compromise checks, and the same bot configuration scheme, with task names modified by a random change.
This malware has somehow managed to survive and continues to be updated constantly. One example of its evolution: around December 2020, the malware was observed to have gained functionality built specifically to examine the BIOS/UEFI firmware of the infected device.
In the same month, the marketing system of Subway UK was hijacked to spread phishing emails carrying TrickBot v100 (aka TrickBot-Iaden). The malware has remained successful since it gained this kick start.
It can be concluded that the operators behind the malware are working at full capacity, which may lead to more and newer targeted attacks. Everyone, organizations and individuals alike, is advised to stay alert and be extra careful against the threats posed by the TrickBot malware.