Trickbot Targets 140,000 Victims in 14 Months


The infamous Trickbot Trojan has targeted customers of scores of big-name brands over the past year, including Amazon, PayPal and Microsoft, according to new data from Check Point.

The security vendor claimed that the malware had infected at least 140,000 victims since November 2020, with attackers being careful to target high-profile victims.

Among the 60 brands that had customers targeted in this campaign were also Bank of America, American Express, and Wells Fargo.

APAC was the most affected region over the 14-month period, with an estimated 3.3% of organizations impacted. Next came Latin America (2.1%), Europe (1.9%), Africa (1.8%) and North America (1.4%).

Attacks typically begin with phishing emails carrying attachments that contain malicious macros.

Although it began life as a banking Trojan, Trickbot has steadily grown in sophistication over the years and now features 20 modules that can be executed on demand to steal data and launch additional malware.

The malware has remained stubbornly persistent by using a decentralized architecture, choosing targets selectively and deploying anti-analysis techniques.

Check Point’s research analyzed three modules: a web-inject function designed to steal banking and credential data; a tabDLL module that steals credentials to spread malware via network shares; and pwgrabc, which steals credentials from a range of apps, including the world’s most popular browsers.

“Trickbot attacks high-profile victims to steal credentials and provide its operators access to the portals with sensitive data where they can cause even more damage. At the same time, we know that the operators behind the infrastructure are very experienced with malware development at a high level,” explained Check Point cybersecurity research and innovation manager Alexander Chailytko.

“The combination of these two factors is what allows Trickbot to remain a dangerous threat for more than five years already. I strongly urge people to only open documents from trusted sources and to use different passwords on different websites.”

Check Point also urged users not to enable macros in unsolicited email attachments.
