
After Emotet takedown, Trickbot roars up threat charts

Malicious actors are turning to new tricks as Emotet fades away

The end of the Emotet botnet has shaken up the cyber criminal underground, with malicious actors turning to other means to distribute malware and ransomware, according to Check Point’s latest monthly threat charts.

In the past few weeks, the firm reported in its February Global Threat Index, many groups have turned to Trickbot – the fourth most prevalent malware of 2020, impacting 8% of global organisations and playing a key role in the distribution of the Ryuk ransomware, among others.

Trickbot has now topped the index as the most prevalent threat, said Check Point, following a sustained phishing distribution campaign that targeted organisations in the legal and insurance sectors with malicious JavaScript files hidden in .zip archives.
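The lure described above (a script file inside a .zip attachment) is something a mail gateway can screen for. The following Python routine is an added defender's example, not Check Point's or this article's code: it lists archive members whose final extension is a script type, catches double extensions and nested archives, and flags encrypted inner archives it cannot open; the extension list, the nesting limit and the sample archives are assumptions constructed inline.

```python
from __future__ import annotations
import io
import os
import zipfile

# Extensions Windows hands to the Script Host or shell; .js is the type used in the
# campaign above. Assumption: a starting list for a mail gateway, not an exhaustive one.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}
MAX_NESTING = 2  # levels of zip-inside-zip to inspect

def script_members(archive_bytes: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return member paths whose final extension is a script type.

    Only the last extension counts, so notice.pdf.js is caught. Names come from the
    central directory, so they are readable even in password-protected zips; nested
    zips are opened in memory and reported as outer.zip/inner.js.
    """
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return findings  # not a zip at all: nothing to report here
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append(prefix + info.filename)
            elif ext == ".zip" and depth < MAX_NESTING:
                try:
                    inner = zf.read(info)
                except RuntimeError:  # encrypted inner archive: flag it, cannot inspect
                    findings.append(prefix + info.filename + " (encrypted, not inspected)")
                    continue
                findings.extend(script_members(inner, depth + 1, prefix + info.filename + "/"))
    return findings

def build_zip(members: dict[str, bytes]) -> bytes:
    # Construct an in-memory zip from {member name: content} for the samples below.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples modelled on the lure described above (dummy contents, no real payload).
BENIGN = build_zip({"policy_renewal.pdf": b"%PDF-1.4 dummy"})
LURE = build_zip({"Legal_Notice.pdf.js": b"// constructed placeholder"})
NESTED = build_zip({"claim.zip": build_zip({"claim.js": b"// constructed placeholder"})})
```

Calling `script_members(LURE)` returns `["Legal_Notice.pdf.js"]` and `script_members(NESTED)` returns `["claim.zip/claim.js"]`, while the benign archive yields an empty list.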

Like Emotet, a banking trojan-turned-botnet, Trickbot is constantly updated with new capabilities and features and, as such, has become an easily used, flexible and customisable malware that can be distributed as part of many different campaigns.

“Criminals will continue using the existing threats and tools they have available, and Trickbot is popular because of its versatility and its track record of success in previous attacks,” said Maya Horowitz, director of threat intelligence and research at Check Point.

“As we suspected, even when a major threat is removed, there are many others that continue to pose a high risk on networks worldwide, so organisations must ensure they have robust security systems in place to prevent their networks being compromised and minimise risks.

“Comprehensive training for all employees is crucial, so they are equipped with the skills needed to identify the types of malicious emails which spread Trickbot and other malware.”

Trickbot is thought to have impacted 3% of organisations globally during February, followed closely by XMRig and Qbot, with similar numbers of victims. XMRig is an open-source CPU mining malware used by malicious actors to exploit victim systems to mine the Monero cryptocurrency, while Qbot is a veteran banking trojan dating back to the late 2000s, which is designed to steal banking credentials and keystrokes.

The top exploited vulnerabilities of the past month – and note that Check Point’s data relates to the period immediately before the disclosure of the Microsoft Exchange ProxyLogon vulnerabilities – were an information disclosure vulnerability involving exposed Git repositories, which impacted 48% of organisations globally; followed by CVE-2020-13756, an HTTP headers remote code execution (RCE) bug, impacting 46% of organisations; and an MVPower DVR RCE vulnerability, with a global impact of 45%, according to Check Point’s telemetry.

The top mobile malware seen in the past month was Hiddad, an Android malware that repackages legitimate apps through a third-party store, which mainly just displays ads but can also gain access to key security details in the device OS; xHelper, a malicious app that serves as a delivery mechanism for other malware and also acts as an intrusive ad display; and FurBall, a mobile remote access trojan (MRAT) linked to an Iranian APT, which can steal SMS messages and call logs, record surroundings and calls, steal media files, and track device location.
