TrickBot is a module-based malware that can extend its capabilities by downloading new modules from its command-and-control (C&C) server and executing them on its victim's device. While it was initially identified as a banking Trojan, it has gradually extended its reach to collect credentials from its victims' email accounts, browsers, installed network apps, and so on. It can also send spam to its victim's email contacts as well as deliver other malware to the victim's device, such as Emotet.
TrickBot is considered one of the world's largest botnets, having infected more than 1 million computers, including many Internet-of-Things (IoT) devices. Last week, multiple cybersecurity firms led by Microsoft orchestrated a global takedown against TrickBot. Even though they managed to take down 94% of TrickBot's infrastructure, the botnet is still alive. It appears that the botnet operators are using hacked MikroTik routers in place of the actual C&C servers to keep the botnet alive and push new server lists to the infected hosts. According to cyber intelligence researchers, the remaining C&C servers are in Brazil, Colombia, Indonesia, and Kyrgyzstan.
As always, a robust cooperative cybersecurity fabric that enables you to virtually patch vulnerable systems using intrusion prevention system (IPS) signatures, combined with endpoint detection measures, provides malware protection across the organization. Appropriate network segmentation to prevent threat propagation is also key to securing your organization. Check out our latest white papers on how to secure your organization without compromising performance.
Tongda.Office.Anywhere.gateway.php.handling.Path.Traversal – CVE-2019-9759 indicates an attack attempt to exploit a directory traversal vulnerability in Tongda Office Anywhere. This vulnerability is due to improper handling of the request parameters in the vulnerable application. A remote attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted server. Successful exploitation of the vulnerability could lead to disclosure of sensitive information or remote code execution, which may be used to facilitate further exploitation.
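Directory traversal bugs of this class come down to a file-path request parameter being used without canonicalization and a containment check. The following is an added example, not Tongda's code and not a model of the specific flaw in CVE-2019-9759: a generic guard that decodes, normalizes and confines a user-supplied path to a document root, plus a small log-side detector of the kind an IPS signature or SIEM rule would implement. The document root, the helper names and the log lines are constructed for the example.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed example values; not from any real deployment.
BASE_DIR = "/var/www/app/attachments"   # assumed root of files the app may serve


def resolve_safe_path(base_dir: str, user_path: str) -> Optional[str]:
    """Map a user-supplied relative path onto base_dir.

    Returns the canonical absolute path if it stays inside base_dir, else None.
    Rejects empty input, NUL bytes, absolute paths and anything that escapes the
    root after decoding and normalization.
    """
    root = posixpath.normpath(base_dir)
    # Decode twice: double-encoded dots (%252e) slip past single-decode filters.
    decoded = unquote(unquote(user_path))
    if not decoded or "\x00" in decoded:
        return None
    # Treat backslashes as separators, as servers on Windows hosts do.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        return None
    # normpath collapses "." and ".." lexically; the prefix check then decides.
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    prefix = root if root.endswith("/") else root + "/"
    if candidate == root or not candidate.startswith(prefix):
        return None
    return candidate


# Literal, URL-encoded or double-encoded "../" and "..\" sequences.
_TRAVERSAL_RE = re.compile(
    r"(\.|%2e|%252e){2}(/|\\|%2f|%5c|%252f|%255c)", re.IGNORECASE
)


def find_traversal_attempts(log_lines: List[str]) -> List[str]:
    """Return the access-log lines whose request URL contains a traversal sequence."""
    hits = []
    for line in log_lines:
        # Common log format: the request is the quoted "METHOD path HTTP/x.y" field.
        m = re.search(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/', line)
        if m and _TRAVERSAL_RE.search(m.group(1)):
            hits.append(line)
    return hits


# Constructed access-log lines (hypothetical paths and addresses).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Oct/2020:10:01:02 +0000] "GET /files/report.pdf HTTP/1.1" 200 5123',
    '10.0.0.7 - - [20/Oct/2020:10:01:09 +0000] "GET /files/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0',
    '10.0.0.9 - - [20/Oct/2020:10:02:15 +0000] "GET /files/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 0',
    '10.0.0.5 - - [20/Oct/2020:10:03:00 +0000] "POST /files/upload HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for p in ("report.pdf", "docs/../report.pdf", "../../etc/passwd", "%252e%252e/etc/passwd"):
        print(f"{p!r:40} -> {resolve_safe_path(BASE_DIR, p)}")
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The guard decides on the canonical result rather than by blacklisting `..`, so encoded, mixed-separator and redundant-segment inputs all end up judged by the same prefix check; the detector is the complementary, signature-style view that only needs the request line and therefore works on logs or at an IPS without application context.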
Ryuk Ransomware – According to the Global Threat Landscape Report 2020, the number of ransomware attacks has increased. Ryuk is a well-known ransomware variant that has been used to target large organizations. It is thought to be tailored by each attacker to the victim organization's unique configurations and network design. Different versions have been reviewed in the past. However, given its targeted and ever-evolving nature, it is worth examining the latest variants. Security researchers took a look at the latest encryption and evasion techniques. According to a supervisory special agent from the FBI, the Ryuk ransomware has generated over $61 million so far.
Windows malware 'GravityRAT' now a threat to Android and macOS users too – The GravityRAT malware, previously known only to infect Windows computers, enables attackers to retrieve sensitive hardware information about a system, search for files on a device, log victim keystrokes, take screenshots, execute shell commands, and get a list of running processes. According to Kaspersky's new report, the GravityRAT malware has recently been overhauled to infect both Android and macOS devices. This Android variant of the malware can steal user data, including email addresses, SMS messages, call logs, contact lists, and documents. The discovery was made when researchers observed a piece of malicious code inserted in an Android travel application for Indian users. Researchers then discovered many more legitimate-looking applications containing this malware, including those masquerading as secure file-sharing applications or media players. The threat actors also used digital signatures to make the applications look legitimate and avoid detection by basic scanners. The links to download these malicious applications are sent to targeted individuals through social media, and once the application is installed, the malware receives commands from the C2 server.
Our Research & Insights:
Whitepaper: Effective Cyber Security Strategies during the Covid-19 Pandemic
Whitepaper: The Essential Guide to Securing Remote Access
Secure Devops: Learn how to make security integral to your DevOps process.
E-Book: Effective Security Strategies for Devops & Application Services
E-Book: How to Build a Next Generation Security Operations Center