The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features.
“TrickBot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand,” Check Point researchers Aliaksandr Trafimchuk and Raman Ladutska said in a report published today.
In addition to being both prevalent and persistent, TrickBot has continually evolved its tactics to evade security and detection layers. To that end, the malware’s “injectDll” web-injects module, which is responsible for stealing banking and credential data, leverages anti-deobfuscation techniques to crash the web page and thwart attempts to scrutinize the source code.
Also put in place are anti-analysis guardrails to prevent security researchers from sending automated requests to command-and-control (C2) servers to retrieve fresh web injects.
Another of TrickBot’s key strengths is its ability to propagate itself, which it achieves by using the “tabDLL” module to steal the users’ credentials and spread the malware via SMBv1 network shares using the EternalRomance exploit.

Read more: https://cutt.ly/iPkPUoi