What does the malware do and how can you protect yourself?

As previously reported, cybercriminals are increasingly using the coronavirus pandemic as a lure for their attacks. Microsoft recently found TrickBot to be one of the most prolific malware families sent to Microsoft 365 users by email. In one recent campaign, a large number of emails were sent in the name of a non-existent charity that allegedly offers free Covid-19 testing; the attached "order form" was contaminated with the TrickBot malware.

On this occasion, Hornetsecurity therefore explains how TrickBot attacks work and how to protect against them.

What is TrickBot?

TrickBot is a modular malicious program that was originally used as an online banking Trojan but has since developed into a universal attack tool. Besides a component for online banking fraud, its toolset includes modules for harvesting credentials from web browsers, email clients and other applications.
In most cases the malware arrives via an infected email attachment, often delivered by Emotet. Once the document is opened, TrickBot's core component, the loader, is activated. It first disables the Windows services and running processes of Windows Defender and various other antivirus programs.
In the next step, TrickBot tries to obtain administrative rights so that all subsequently loaded modules run with elevated privileges, for example to read the credentials held by the Local Security Authority (LSA).
TrickBot then collects information about the system and the network, depending on which module is loaded. All collected data is transmitted to the cybercriminals, who can then assess whether further action is worthwhile.
At the same time, using the credentials extracted from the LSA, TrickBot spreads automatically across the network.
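The chain just described (antivirus services stopped, LSASS read for credentials, then network logons to other machines) leaves a recognisable trail in Windows event logs. The following is an added example, not Hornetsecurity's or TrickBot's code, of correlating those stages per host. The event IDs are real Windows identifiers (Service Control Manager 7036/7040, Sysmon 10 for process access, Security 4624 logon type 3); the key=value export format, the hostnames, IP addresses, asset map and timestamps are constructed for this demonstration.

```python
"""Correlate endpoint events for the TrickBot chain described above:
Defender tampering, LSASS credential access and lateral network logons.

Added example, not Hornetsecurity's or TrickBot's code. The event IDs are real
Windows identifiers (Service Control Manager 7036/7040, Sysmon 10, Security
4624 logon type 3); the key=value export format, the hostnames, IPs and
timestamps are constructed for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one event per line, ISO timestamp first.
SAMPLE_EVENTS = r"""
2020-04-20T10:00:05 host=WS01 id=7040 msg="The start type of the Windows Defender Antivirus Service service was changed from auto start to disabled."
2020-04-20T10:00:06 host=WS01 id=7036 msg="The Windows Defender Antivirus Service service entered the stopped state."
2020-04-20T10:00:30 host=WS01 id=10 source=C:\Windows\System32\svchost.exe target=C:\Windows\system32\lsass.exe
2020-04-20T10:01:10 host=FS01 id=4624 logon_type=3 src_ip=10.0.0.21 user=admin
2020-04-20T10:01:12 host=FS02 id=4624 logon_type=3 src_ip=10.0.0.21 user=admin
2020-04-20T09:00:00 host=WS02 id=7036 msg="The Print Spooler service entered the stopped state."
2020-04-20T11:30:00 host=WS03 id=10 source="C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe" target=C:\Windows\system32\lsass.exe
"""

EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: processes that legitimately read LSASS on these hosts (tune per estate).
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
# Constructed asset inventory mapping workstation names to their IP addresses.
HOST_IPS = {"WS01": "10.0.0.21", "WS02": "10.0.0.22", "WS03": "10.0.0.23"}


def basename(path):
    """Last path component, case-folded, for both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line):
    """Split 'timestamp k=v k="v v"' into a dict with a datetime under 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in EVENT_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def correlate(text, window_seconds=600):
    """Return {host: [stages]} for hosts showing two or more chain stages within the window."""
    ip_to_host = {ip: host for host, ip in HOST_IPS.items()}
    stages = defaultdict(dict)   # origin host -> stage name -> first time seen
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        eid = ev.get("id")
        if eid in ("7036", "7040") and "Windows Defender" in ev.get("msg", ""):
            stages[ev["host"]].setdefault("defender_tampered", ev["ts"])
        elif eid == "10" and basename(ev.get("target", "")) == "lsass.exe" \
                and basename(ev.get("source", "")) not in LSASS_ALLOWLIST:
            stages[ev["host"]].setdefault("lsass_access", ev["ts"])
        elif eid == "4624" and ev.get("logon_type") == "3":
            # Attribute the network logon to the workstation it came from.
            origin = ip_to_host.get(ev.get("src_ip"))
            if origin:
                stages[origin].setdefault("lateral_logon", ev["ts"])
    alerts = {}
    for host, seen in stages.items():
        times = sorted(seen.values())
        if len(seen) >= 2 and (times[-1] - times[0]) <= timedelta(seconds=window_seconds):
            alerts[host] = sorted(seen)
    return alerts


if __name__ == "__main__":
    for host, found in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(found)}")
```

Run on the constructed sample, only WS01 is reported: its Defender service was disabled and stopped, an unexpected process read LSASS, and network logons from its address to two file servers followed within the ten-minute window. WS02's stopped Print Spooler and WS03's Defender engine reading LSASS are filtered out as expected noise, which is the point of requiring two stages rather than alerting on any one of them.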

TrickBot often appears in a particularly dangerous malware combination with Emotet and Ryuk, which aims to encrypt all sensitive files on the system and release them only in exchange for a ransom payment.

What is happening in the current Coronavirus campaign?

Both Microsoft and the Hornetsecurity Security Lab have observed that Microsoft 365 mailboxes are increasingly the target of corona-related cyber attacks. Analysis shows that TrickBot is proving particularly prolific in this context: a current email campaign in the name of a fictitious aid organisation promises free Covid-19 tests, which recipients supposedly only have to request via an attached document.
If the file is opened, the malware is executed. The macro waits 20 seconds before downloading its malicious modules so as not to attract attention in sandbox analyses.
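The 20-second delay only helps the malware against a sandbox whose observation window is shorter than that; on the endpoint, a process started by a document that later reaches the network is suspicious regardless of when it happens. As an added example (not Hornetsecurity's or TrickBot's code), the following script reconstructs the process tree from Sysmon-style process-creation (event 1) and network-connection (event 3) records, reports every Office-descended process that makes a connection together with its delay, and shows which findings a sandbox run of a given length would have missed. The field names, PIDs, timestamps and addresses are constructed.

```python
"""Flag Office-spawned processes that reach the network, and report how long
after the document was opened that first connection happened.

Added example, not Hornetsecurity's or TrickBot's code. Event IDs 1 (process
create) and 3 (network connection) follow Sysmon's numbering; the field names,
PIDs, timestamps and addresses are constructed for this demonstration.
"""
import re
from datetime import datetime

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed timeline: a document spawns cmd -> powershell, which calls out
# 23 seconds after the document was opened; Outlook's own traffic is normal.
SAMPLE_EVENTS = r"""
2020-04-20T10:00:00 id=1 pid=4100 ppid=3000 image=WINWORD.EXE
2020-04-20T10:00:01 id=1 pid=5000 ppid=2000 image=OUTLOOK.EXE
2020-04-20T10:00:02 id=1 pid=4200 ppid=4100 image=cmd.exe
2020-04-20T10:00:03 id=1 pid=4300 ppid=4200 image=powershell.exe
2020-04-20T10:00:05 id=3 pid=5000 dest=52.96.0.1:443
2020-04-20T10:00:23 id=3 pid=4300 dest=203.0.113.10:443
"""


def parse_line(line):
    """Split 'timestamp k=v' into a dict with a datetime under 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in EVENT_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def office_ancestor(pid, procs):
    """Walk the parent chain; return the pid of the Office process at its root, if any."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, image, _ = procs[pid]
        if image in OFFICE_IMAGES:
            return pid
        pid = ppid
    return None


def office_descendant_connections(text):
    """Return one finding per network connection made by a descendant of an Office process."""
    procs = {}      # pid -> (ppid, image, created)
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["id"] == "1":
            procs[ev["pid"]] = (ev["ppid"], ev["image"].lower(), ev["ts"])
        elif ev["id"] == "3" and ev["pid"] in procs:
            root = office_ancestor(ev["pid"], procs)
            if root is not None and root != ev["pid"]:   # the Office app's own traffic is not in scope
                findings.append({
                    "pid": ev["pid"],
                    "image": procs[ev["pid"]][1],
                    "office_root": procs[root][1],
                    "dest": ev["dest"],
                    # Delay from document open to the child's first connection.
                    "delay_seconds": (ev["ts"] - procs[root][2]).total_seconds(),
                })
    return findings


def missed_by_sandbox(findings, observation_seconds):
    """Findings whose first connection falls after a sandbox run of the given length ends."""
    return [f for f in findings if f["delay_seconds"] > observation_seconds]


if __name__ == "__main__":
    found = office_descendant_connections(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['office_root']} -> {f['image']} (pid {f['pid']}) connected to {f['dest']} "
              f"after {f['delay_seconds']:.0f}s")
    print("missed by a 15s sandbox run:", len(missed_by_sandbox(found, 15)))
```

On the constructed timeline the powershell.exe child of WINWORD.EXE is reported with a 23-second delay; a 15-second sandbox run would not have seen that connection, a 60-second run would. The endpoint correlation does not depend on the delay at all, which is why it is the more robust control.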

Depending on how lucrative TrickBot's analysis rates the compromised target, further malicious components such as Ryuk can be downloaded to encrypt sensitive data.

Why are Microsoft 365 mailboxes a popular target?

The number of Microsoft 365 users is growing rapidly, and given the current situation it can be assumed that this growth will accelerate further, as many companies are equipping employees working from home with Microsoft's cloud-based services. That growing user base also makes Microsoft 365 a popular target for cybercriminals: in 2019 alone, the number of attacks on users' email accounts quadrupled.

The problem is that Microsoft 365 users are easy to identify because the MX records and autodiscover records are publicly available on the net. Users must trust Microsoft's security mechanisms, but if an attacker gains access to a Microsoft 365 account, all of its data is available to them without restriction. If an administrator account is taken over, the attacker can even obtain data from all users in the company.

How can you protect yourself against a TrickBot infection?

The described TrickBot attack does not only affect Microsoft 365 mailboxes; it is spread widely to potentially lucrative targets and is representative of a multitude of attacks that follow a similar pattern. This raises the question: how can you protect yourself against such methods?
The most important thing is that the malicious emails are intercepted by advanced spam and malware filters. Incoming emails must pass through several filter stages before they are either classified as legitimate and delivered to the customer's mail server or end up in quarantine.
In addition, passwords should only be stored in a password manager, because TrickBot steals passwords stored directly in applications such as the web browser. It is also recommended to use two-factor authentication for services that offer it: even if passwords are stolen, the cybercriminals can then do nothing with them.
Likewise, restricting access rights within the network minimizes the risk of further propagation.
Microsoft 365 users should also be aware of this: to reduce the probability of being targeted by such attacks, it makes sense to secure Microsoft 365 accounts with an additional third-party solution alongside Microsoft's own protection mechanisms. Specialized providers hide the Microsoft DNS and MX records, making Microsoft 365 users very difficult for attackers to identify.
Some vendors even enable full encryption of the mailbox data stored in the cloud, protecting it from spying even if an account hijacking succeeds.
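One of those filter stages, for the attachment type used in this campaign, is a static check of the Office document itself: a macro-carrying document is an OOXML ZIP container with a vbaProject.bin part, and the older OLE-based .doc format needs dynamic analysis instead. The following is an added example, not Hornetsecurity's filter code, of such a stage. The container layout and the OLE signature are the real file-format facts; the sample documents it builds in memory and the deliver / quarantine / hold policy are constructed for this demonstration.

```python
"""One filter stage for inbound attachments: open Office OOXML containers and
quarantine any that carry a VBA project; hold legacy OLE documents for
sandbox analysis.

Added example, not Hornetsecurity's filter code. The container layout
(a ZIP with [Content_Types].xml and word/vbaProject.bin) and the OLE signature
are the real file-format facts; the sample documents and the deliver /
quarantine / hold policy are constructed for this demonstration.
"""
import io
import zipfile

OOXML_MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm"}
OLE_SIGNATURE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_document(with_macro):
    """Constructed fixture: a minimal OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", OLE_SIGNATURE + b"\x00" * 8)
    return buf.getvalue()


def inspect_attachment(filename, data):
    """Return a verdict dict; 'action' is one of deliver, quarantine, hold_for_sandbox."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    verdict = {"filename": filename, "container": "other", "has_macro": False,
               "extension_mismatch": False, "action": "deliver"}
    if data.startswith(OLE_SIGNATURE):
        # Legacy .doc/.xls: macros live inside OLE streams, which this stage does
        # not parse, so pass the file on to dynamic analysis instead.
        verdict["container"] = "ole"
        verdict["action"] = "hold_for_sandbox"
        return verdict
    if not data.startswith(b"PK\x03\x04"):
        return verdict                      # not a ZIP container: other stages apply
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = set(archive.namelist())
    except zipfile.BadZipFile:
        verdict["container"] = "corrupt_zip"
        verdict["action"] = "quarantine"    # fail closed on an unreadable container
        return verdict
    if "[Content_Types].xml" not in names:
        verdict["container"] = "zip"        # plain archive, not an Office document
        return verdict
    verdict["container"] = "ooxml"
    verdict["has_macro"] = any(part in names for part in OOXML_MACRO_PARTS)
    if verdict["has_macro"]:
        # A VBA project inside a file whose extension claims to be macro-free
        # (.docx) is a stronger signal than a plain .docm; both are quarantined.
        verdict["extension_mismatch"] = ext not in MACRO_ENABLED_EXTENSIONS
        verdict["action"] = "quarantine"
    return verdict


if __name__ == "__main__":
    for name, blob in [("order_form.docx", build_sample_document(True)),
                       ("order_form.docm", build_sample_document(True)),
                       ("newsletter.docx", build_sample_document(False)),
                       ("order_form.doc", OLE_SIGNATURE + b"\x00" * 16)]:
        v = inspect_attachment(name, blob)
        print(f"{name}: {v['container']} macro={v['has_macro']} -> {v['action']}")
```

A stage like this is deliberately cheap and conservative: it never executes the document, it fails closed on containers it cannot read, and it defers legacy OLE files to a sandbox rather than guessing. Dropping all macro-bearing attachments is a policy decision that many organisations can afford for inbound external mail; where they cannot, the same verdict can feed a sandbox stage instead.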
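The two passages above about public DNS records (the MX and autodiscover records that make Microsoft 365 tenants easy to identify, and the providers that hide them) can be turned into a self-assessment. The following is an added example, not Hornetsecurity's code, that classifies a domain's DNS footprint. The Microsoft record values it looks for (MX hosts under mail.protection.outlook.com, the autodiscover CNAME target autodiscover.outlook.com and the SPF include spf.protection.outlook.com) are Microsoft's documented defaults; the example domains, relay hostnames and record sets are constructed, where a real check would fetch them from DNS. It goes slightly beyond the text by also checking the SPF record, which can still reveal Microsoft 365 use after the MX records have been moved to a relay.

```python
"""Self-assessment for the DNS footprint described above: which public records
reveal that a domain's mail is handled by Microsoft 365?

Added example, not Hornetsecurity's code. The Microsoft record values are
Microsoft's documented defaults; the domains, relay hostnames and record sets
are constructed, as a real check would fetch them from DNS.
"""

M365_MX_SUFFIX = ".mail.protection.outlook.com"
M365_AUTODISCOVER_TARGET = "autodiscover.outlook.com"
M365_SPF_INCLUDE = "include:spf.protection.outlook.com"


def _norm(name):
    """Case-fold a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def classify_exposure(domain, mx_hosts, autodiscover_cname, txt_records):
    """Return which public records expose Microsoft 365 use and an overall level."""
    signals = []
    if any(_norm(h).endswith(M365_MX_SUFFIX) for h in mx_hosts):
        signals.append("mx")            # mail is delivered straight to Microsoft
    if autodiscover_cname and _norm(autodiscover_cname) == M365_AUTODISCOVER_TARGET:
        signals.append("autodiscover")  # Outlook client configuration points at Microsoft
    if any(M365_SPF_INCLUDE in t.lower() for t in txt_records):
        signals.append("spf")           # SPF still names Microsoft as a permitted sender
    if "mx" in signals:
        level = "direct"      # anyone querying MX can enumerate the tenant
    elif signals:
        level = "indirect"    # MX hidden behind a relay, but other records still tell
    else:
        level = "hidden"
    return {"domain": domain, "signals": signals, "level": level}


# Constructed record sets for three hypothetical domains.
SAMPLE_DOMAINS = {
    "direct.example": {
        "mx_hosts": ["direct-example.mail.protection.outlook.com."],
        "autodiscover_cname": "autodiscover.outlook.com.",
        "txt_records": ["v=spf1 include:spf.protection.outlook.com -all"],
    },
    "relayed.example": {
        "mx_hosts": ["mx1.relay-provider.example.", "mx2.relay-provider.example."],
        "autodiscover_cname": "autodiscover.outlook.com.",
        "txt_records": ["v=spf1 include:_spf.relay-provider.example -all"],
    },
    "hidden.example": {
        "mx_hosts": ["mx1.relay-provider.example."],
        "autodiscover_cname": "mail.relay-provider.example.",
        "txt_records": ["v=spf1 include:_spf.relay-provider.example -all"],
    },
}


def assess_all(domains=SAMPLE_DOMAINS):
    """Classify every domain in the given record map."""
    return {d: classify_exposure(d, **records) for d, records in domains.items()}


if __name__ == "__main__":
    for d, result in assess_all().items():
        print(f"{d}: {result['level']} ({', '.join(result['signals']) or 'no signals'})")
```

For a live check, the three record types are what `dig MX`, `dig CNAME autodiscover.<domain>` and `dig TXT` return; feed those answers into classify_exposure. The "relayed.example" case is the one to watch for after moving to a third-party filter: its MX records no longer name Microsoft, but the autodiscover CNAME still does, so the tenant remains identifiable until that record is changed as well.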