Trickbot banking Trojan develops new techniques
Since it first reared its ugly head five years ago, the notorious Trickbot banking Trojan has evolved steadily as its operators built out a more advanced toolset.
Once a tool for stealing online banking data, it has since grown into multi-modular malware whose activity ranges from data theft to the distribution of other malware, including ransomware.
Kaspersky researchers traced Trickbot’s evolution by analysing its 61 known modules and mapping how the Trojan has been updated over time. They found that it has acquired dozens of auxiliary modules that steal credentials and other sensitive information.
It spreads across local networks using stolen credentials and vulnerabilities, provides remote access, proxies network traffic, performs brute-force attacks and downloads other malware.
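The brute-force logons and stolen-credential spread described above are the behaviours a defender would most want to catch in authentication telemetry. What follows is an added example, not code from the article or from Kaspersky’s report: a small detector that runs over constructed authentication log lines and flags any source that produces many failed logons across several hosts and accounts inside a short window, noting whether a successful logon from the same source followed. The `src=... dst=... user=... result=...` line format, the sample events and the thresholds are all assumptions chosen for illustration.

```python
"""Flag brute-force / lateral-movement style logon activity in auth logs.

Heuristic: one source producing many failed logons against several distinct
host/account pairs in a short window, especially when a success follows,
matches the brute-forcing and stolen-credential spread described in the
article. The log format and thresholds below are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Assumed format:
# "<ISO timestamp> src=<ip> dst=<host> user=<account> result=<success|failure>"
SAMPLE_LOG = """\
2021-10-04T09:00:01 src=10.0.0.23 dst=FS01 user=admin result=failure
2021-10-04T09:00:02 src=10.0.0.23 dst=FS01 user=backup result=failure
2021-10-04T09:00:03 src=10.0.0.23 dst=FS02 user=admin result=failure
2021-10-04T09:00:04 src=10.0.0.23 dst=FS02 user=svc_sql result=failure
2021-10-04T09:00:05 src=10.0.0.23 dst=DC01 user=admin result=failure
2021-10-04T09:00:06 src=10.0.0.23 dst=DC01 user=jsmith result=failure
2021-10-04T09:00:09 src=10.0.0.23 dst=DC01 user=jsmith result=success
2021-10-04T09:05:00 src=10.0.0.77 dst=FS01 user=mjones result=failure
2021-10-04T09:05:30 src=10.0.0.77 dst=FS01 user=mjones result=success
2021-10-04T11:00:00 src=10.0.0.23 dst=FS01 user=admin result=failure
"""


def parse_line(line):
    """Turn one assumed-format log line into a dict with a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts),
        "src": fields["src"],
        "dst": fields["dst"],
        "user": fields["user"],
        "ok": fields["result"] == "success",
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_bruteforce_sources(events, window=timedelta(minutes=5),
                            fail_threshold=5, min_spread=3):
    """Return {src: summary} for every source with at least `fail_threshold`
    failed logons inside `window`, spread over at least `min_spread` distinct
    (host, account) pairs. The summary records the hosts and accounts touched
    and whether a success from the same source followed within the window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        # Try each failure as the start of a window; report the first that qualifies.
        for i, first in enumerate(fails):
            chunk = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(chunk) < fail_threshold:
                continue
            targets = {(e["dst"], e["user"]) for e in chunk}
            if len(targets) < min_spread:
                continue
            win_end = first["ts"] + window
            success_after = any(
                e["ok"] and chunk[-1]["ts"] <= e["ts"] <= win_end for e in evs
            )
            alerts[src] = {
                "failures": len(chunk),
                "hosts": sorted({d for d, _ in targets}),
                "accounts": sorted({u for _, u in targets}),
                "success_after": success_after,
            }
            break
    return alerts


if __name__ == "__main__":
    for src, summary in find_bruteforce_sources(parse_log(SAMPLE_LOG)).items():
        print(src, summary)
```

In the constructed sample, 10.0.0.23 fires (six failures across three hosts and four accounts in a few seconds, then a success as `jsmith`), while 10.0.0.77, a user mistyping a password once, does not. The thresholds are deliberately loose for the demonstration; in a real environment they should be tuned against baseline failure rates per source, and the `success_after` flag is the signal worth escalating first, because it suggests a credential was actually obtained.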
Trickbot targets companies and individual users across the globe. While its activity is not geographically limited, most of the affected users were located in the US (13.21%), Australia (10.25%) and China (9.77%), followed by Mexico (6.61%) and France (6.30%).
Oleg Kupreev, a security expert at Kaspersky, says attackers continually update and refresh their toolsets.
“Right now, Trickbot has developed and become one of the most powerful and dangerous samples of its malware type. As cyber criminals evolve, so should protection techniques. Most of the attacks can be prevented, that is why it is important to have an up-to-date security solution,” he adds.
To stay safe from Trojans and other financial threats, Kaspersky recommends that users do not follow links in spam messages or open documents attached to them, and that they use online banking only with multi-factor authentication.
In addition, the security giant advises keeping all software up to date, including the operating system and every installed application, as attackers often exploit flaws in widely used programs to gain access.
Finally, the company says to use a trusted security solution that can check the URL being visited and open any site in a protected container to prevent theft of sensitive data.