Post-Takedown Trickbot Activity

On 25 April, Infoblox observed a phishing campaign that used a DocuSign lure and a malicious file attachment to infect victims with the Trickbot banking trojan. Although Microsoft and other organizations disrupted the Trickbot botnet in October 2020,1 multiple sources have seen activity from the botnet since then.2

We have published several reports on Trickbot, including a Malicious Activity Report (MAR)3 and Cyber Campaign Briefs (CCBs).4,5

Trickbot was first discovered in 2016 and has since grown in popularity.6,7,8 Trickbot infects victims, steals sensitive financial information and exfiltrates it to its command and control (C&C) server. It can also move laterally within a network by brute-forcing Remote Desktop Protocol (RDP) credentials.

Threat actors favor Trickbot due to its modular nature, which facilitates customization and provides attackers the capability to drop additional malware on infected systems.

In this campaign, threat actors sent emails with a subject line of “Please Docusign.” and a malicious Microsoft Excel Spreadsheet file attachment. Messages prompted the victim to open the file attachment to start the signing process.
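A mail-triage check for the two traits described above (the lure subject plus an Excel attachment), as an added example that is not from the Infoblox report. The Excel extensions and MIME types, the function names, and the sample message builder are assumptions, since the page does not give the attachment's file name or type.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure subject as reported on the page; compared case-insensitively.
CAMPAIGN_SUBJECT = "please docusign."
# Assumption: the page says only "Microsoft Excel Spreadsheet"; these are the
# common Excel extensions and MIME types, not values taken from the report.
EXCEL_EXTS = (".xls", ".xlsx", ".xlsm", ".xlsb")
EXCEL_TYPES = {
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/vnd.ms-excel.sheet.macroenabled.12",
}

def excel_attachments(msg):
    """Return the names of attachments that look like Excel workbooks."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        # Match on either the file name or the declared type, since a sender controls both.
        if name.lower().endswith(EXCEL_EXTS) or part.get_content_type() in EXCEL_TYPES:
            hits.append(name or "<unnamed>")
    return hits

def matches_campaign(raw: bytes):
    """Return (flagged, excel_files) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # policy.default decodes RFC 2047 encoded-words, so an encoded subject still
    # matches; whitespace runs are collapsed before the comparison.
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    files = excel_attachments(msg)
    return subject == CAMPAIGN_SUBJECT and bool(files), files

def _sample(subject, filename, subtype="octet-stream"):
    """Build a constructed message for testing (not a real campaign sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content("Please review and sign the attached document.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype=subtype, filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(matches_campaign(_sample("Please Docusign.", "contract.xlsm")))
```

A subject-only match would also catch legitimate DocuSign mail, which is why the check requires both traits before flagging.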

Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.

Cyber Intel Unit

With 10 years of experience, the Infoblox Cyber Intelligence Unit creates, aggregates and curates information on threats to provide actionable intelligence that is high quality, timely and reliable. Threat information from Infoblox minimizes false positives, so you can be confident in what you are blocking, while ensuring unified security policy across the entire security infrastructure.
