The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are urging organizations to guard against TrickBot malware spear-phishing campaigns. CISA previously issued a TrickBot warning last year.
Cybercrime actors are using TrickBot spear-phishing campaigns to launch attacks against organizations across North America, CISA stated in a security alert. These actors are using a traffic infringement phishing scheme to lure victims into downloading TrickBot, so that the actors can carry out a variety of illegal cyber activities.
What Is TrickBot?
TrickBot is an advanced Trojan used primarily in spear-phishing campaigns, CISA noted. It was first identified in 2016 and originally used as a banking Trojan to steal financial data. Since its inception, cybercriminals have been increasingly using TrickBot to launch modular, multi-stage spear-phishing campaigns.
CISA and FBI recently discovered TrickBot attacks that use phishing emails claiming to contain proof of a traffic violation to steal victims' sensitive information. These emails contain links that redirect a victim to a website hosted on a compromised server, which prompts the victim to click on a photo that supposedly provides proof of the traffic violation. If the victim clicks on the photo, they unknowingly download a malicious JavaScript file that can communicate with the actor's command and control server to download TrickBot onto the victim's system.
How Can Organizations Guard Against TrickBot Malware Attacks?
CISA and FBI offer several recommendations to help organizations guard against TrickBot attacks, including:
- Block any suspicious IP addresses
- Implement email gateway filters
- Use antivirus software
- Segment and separate networks and functions
- Leverage multi-factor authentication (MFA)
- Monitor web traffic
- Restrict user access to risky websites
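One way to act on the "monitor web traffic" recommendation against the infection chain described above (lure page on a compromised host, then a JavaScript file served from that same host) is to check web proxy logs for script downloads that follow a page view on an unrecognized host. The code below is an added illustration, not part of the CISA alert; the log format, hostnames and allowlist are constructed assumptions.

```python
"""Flag the 'click a photo, receive a .js file' step in web proxy logs.

Constructed example (not from the CISA alert). Each log line is:
  timestamp user client_ip method url status content_type referer
"""
from urllib.parse import urlparse

# Constructed sample proxy log lines; every hostname is a placeholder.
SAMPLE_LOG = """\
2021-03-17T09:01:10Z alice 10.0.0.5 GET http://compromised-site.example/violation/photo.html 200 text/html http://mail.example/
2021-03-17T09:01:14Z alice 10.0.0.5 GET http://compromised-site.example/violation/photo_proof.js 200 application/javascript http://compromised-site.example/violation/photo.html
2021-03-17T09:02:00Z bob 10.0.0.7 GET http://cdn.example/app.js 200 application/javascript http://intranet.example/portal
2021-03-17T09:03:00Z carol 10.0.0.9 GET http://news.example/story.html 200 text/html -
"""

SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}
KNOWN_SCRIPT_HOSTS = {"cdn.example", "intranet.example"}  # constructed allowlist


def parse_line(line):
    """Split one constructed log line into a record dictionary."""
    ts, user, ip, method, url, status, ctype, referer = line.split()
    return {"ts": ts, "user": user, "url": url, "status": status,
            "ctype": ctype, "referer": referer}


def is_script(rec):
    """True when the response is JavaScript by MIME type or file extension."""
    path = urlparse(rec["url"]).path.lower()
    return rec["ctype"].lower() in SCRIPT_TYPES or path.endswith(".js")


def find_suspicious_js(log_text, allowlist=KNOWN_SCRIPT_HOSTS):
    """Return (user, url) pairs for JavaScript fetched from a host outside the
    allowlist right after the same user viewed an HTML page on that host,
    i.e. the lure-page-then-script sequence described in the alert."""
    last_page = {}  # user -> host of the most recent HTML page they viewed
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        host = urlparse(rec["url"]).hostname
        if rec["ctype"].lower().startswith("text/html"):
            last_page[rec["user"]] = host
            continue
        if is_script(rec) and host not in allowlist:
            ref_host = urlparse(rec["referer"]).hostname
            if ref_host == host and last_page.get(rec["user"]) == host:
                hits.append((rec["user"], rec["url"]))
    return hits
```

Hits are candidates for analyst review, not verdicts; the allowlist of legitimate script hosts has to be maintained per environment.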
Organizations can also provide social engineering and phishing training to employees. In doing so, they can ensure their workers are well equipped to identify malware and other cyber threats before they cause severe damage.