TrickBot may have compromised 250 million email addresses, says Deep Instinct report
Milltrust CerraCap investee company Deep Instinct, a cybersecurity company, has revealed that the TrickBot malware has returned with a new variant called TrickBooster, which may have already compromised 250 million email addresses, including those of several UK government agencies.
The new TrickBot variant is likely to have hit the UK Foreign and Commonwealth Office, the UK Ministry of Defence and the UK Public Health Office, as well as several UK county councils, according to the report from Deep Instinct.
Discovered about three years ago, the TrickBot malware initially focused on financial data theft but has since grown into an elaborate, sophisticated, multi-purpose threat used for various forms of malicious activity, the company said.
Deep Instinct revealed that recent data from a currently active and ongoing TrickBot campaign, which extensively uses signed malware binaries, suggests that the malware has returned with the new variant.
In addition to its recently added cookie-stealing module, the malware family has gained an email-based infection and distribution module that is signed with the same code-signing certificates as TrickBot.
The email-based TrickBooster module collects email credentials and contacts from the Address Book, Inbox and Outbox of victims. It then sends malicious spam emails from the compromised victim's account and finally deletes the sent messages from both the Outbox and the Trash folder, so that the user remains unaware of its activity.
In a statement, Deep Instinct said: “During our investigation of this new module and the network infrastructure associated with it, we were able to access infection servers from which the malware is downloaded onto victim machines, as well as command and control servers.
“We managed to recover a database containing 250 million e-mail accounts harvested by TrickBot operators, which most likely were also employed as lists of targets for malicious delivery and infection. The database includes millions of addresses from government departments and agencies in the US and the UK.”
According to Deep Instinct, the first stage of the infection begins when the already-infected victim machine receives an instruction from the TrickBot command-and-control server to download TrickBooster, which is signed with a valid certificate. In the second stage, once downloaded and installed, TrickBooster reports back to a dedicated command-and-control server, sending the lists of collected email credentials and addresses.
In the third stage, that command-and-control server instructs the bot to send malicious spam emails, and in the fourth stage the TrickBooster bot sends out the malicious infection and spam emails.
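The behaviour the report describes for the spam stage, sending mail from a compromised account and then wiping the sent copies from the Outbox and Trash, leaves a recognisable trace in mailbox audit logs. The following is an added illustration, not code from Deep Instinct or the report: a small detection routine that flags accounts whose outbound messages are hard-deleted within minutes of being sent, optionally weighted by a preceding contact export (the harvesting step). The log format, event names and all sample lines are constructed for the example and do not correspond to any real mail server's audit schema.

```python
"""Flag the send-then-purge mailbox pattern described for TrickBooster.

Constructed example: the audit log format and event names below are
invented for illustration, not taken from any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: <timestamp> <account> <action> [<message id or count>]
# "purge" stands for a hard delete that also clears Trash, as the report describes.
SAMPLE_LOG = """\
2019-07-01T09:00:01Z alice@example.org login
2019-07-01T09:00:05Z alice@example.org export_contacts 312
2019-07-01T09:00:10Z alice@example.org send msg-001
2019-07-01T09:00:11Z alice@example.org send msg-002
2019-07-01T09:00:12Z alice@example.org send msg-003
2019-07-01T09:00:30Z alice@example.org purge msg-001
2019-07-01T09:00:30Z alice@example.org purge msg-002
2019-07-01T09:00:31Z alice@example.org purge msg-003
2019-07-01T10:15:00Z bob@example.org send msg-100
2019-07-02T10:15:00Z bob@example.org purge msg-100
"""


def parse(log_text):
    """Parse constructed audit lines into (timestamp, account, action, arg) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        account, action = parts[1], parts[2]
        arg = parts[3] if len(parts) > 3 else None
        events.append((ts, account, action, arg))
    return events


def find_send_then_purge(events, window=timedelta(minutes=5), min_msgs=2):
    """Return {account: {"purged": [msg ids], "harvested": bool}} for accounts
    where at least `min_msgs` sent messages were hard-deleted within `window`
    of being sent. "harvested" records whether the account also exported its
    contacts beforehand, matching the credential/contact collection stage."""
    sent = {}                       # (account, msg_id) -> time sent
    exported = set()                # accounts that ran a contact export
    purged = defaultdict(list)      # account -> quickly purged message ids
    for ts, account, action, arg in events:
        if action == "export_contacts":
            exported.add(account)
        elif action == "send" and arg:
            sent[(account, arg)] = ts
        elif action == "purge" and arg:
            t_sent = sent.get((account, arg))
            if t_sent is not None and ts - t_sent <= window:
                purged[account].append(arg)
    return {
        acct: {"purged": ids, "harvested": acct in exported}
        for acct, ids in purged.items()
        if len(ids) >= min_msgs
    }


def suspicious_accounts(log_text=SAMPLE_LOG):
    """Sorted list of accounts matching the pattern in the given log text."""
    return sorted(find_send_then_purge(parse(log_text)))


if __name__ == "__main__":
    for acct, info in find_send_then_purge(parse(SAMPLE_LOG)).items():
        print(acct, info)
```

In the constructed sample, alice's three messages are purged within seconds of being sent and follow a contact export, so the account is flagged; bob's single message is deleted a day later and falls outside the window, so it is not. The window and message threshold are tunable: a short window with a low threshold is what distinguishes automated clean-up from a user occasionally tidying their Sent folder.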